WO2013071836A1 - Method and apparatus for processing client application access authentication - Google Patents


Info

Publication number
WO2013071836A1
Authority
WO
WIPO (PCT)
Prior art keywords
client application
specific user
access
service
authorization
Application number
PCT/CN2012/084290
Other languages
French (fr)
Chinese (zh)
Inventor
陈耿华
Original Assignee
华为技术有限公司

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/08: Network architectures or network communication protocols for network security for authentication of entities

Definitions

  • The embodiments of the present invention relate to the field of communications technologies, and in particular to a client application access authentication processing method and apparatus.
  • Background technique
  • Opening up the operator's telecommunication network capability is aimed mainly at the service application servers of trusted service providers (Service Provider, hereinafter SP); the SP's various Internet applications and terminal applications then provide services to users.
  • Accessing the carrier network capability mainly involves the following process: the SP's service application server sends an access request to the operator's network operation platform, requesting to invoke the operator's telecommunication network capability (for example, the SP web application server may request to invoke the telecommunication network capability). The access request sent by the SP's service application server carries the SP's identity and password and the mobile phone number of the target user.
  • After the operator's network operation platform authenticates the SP, it uses the telecommunication network capability, according to the requirements of the SP service application server, to provide the target user with the service required by the SP, and further charges for the service provided to the target user.
  • In this scheme the SP uses the operator's telecommunication network capability to provide services to the target user with poor security, and the capability is easily used by the SP to provide illegal services.
  • Summary of the invention: The embodiments of the invention provide a client application access authentication processing method and device, a client application service processing device and a client application device, which are used to improve the security of the scheme in which the SP uses the operator's telecommunication network capability to provide services to the target user.
  • The embodiments of the present invention provide a client application access authentication processing method, including: receiving a first authorization request message sent by a client application device for requesting a specific user or a third party to authorize use of the client application service; and receiving an authorization result returned by the user equipment or the third-party device of the specific user, and determining, according to the authorization result, whether the client application device is allowed to provide the client application service to the specific user.
  • The embodiments of the present invention further provide a client application access authentication processing device, including: a first receiving module, configured to receive a first authorization request message sent by a client application device for requesting a specific user or a third party to authorize use of the client application service; a first sending module, configured to send a second authorization request message to the user equipment or the third-party device of the specific user, where the second authorization request message is used to request the specific user or a third party to authorize use of the client application service; and a service authorization module, configured to receive an authorization result returned by the user equipment or the third-party device of the specific user and determine, according to the authorization result, whether the client application device is allowed to provide the client application service to the specific user.
  • The embodiments of the present invention further provide a client application service processing apparatus, including the client application access authentication processing device and a telecommunication network open gateway module, where the telecommunication network open gateway module is configured to: after receiving a call request message carrying an access password sent by the client application device, send an authentication request message requesting authentication of the access password to the client application access authentication processing device, and, after the authentication passes, invoke the telecommunication network capability for the client application device.
  • The embodiments of the present invention further provide a client application device, including a telecommunication network access authentication processing module and a telecommunication network service calling module, where the telecommunication network access authentication processing module is configured to send to the telecommunication operator's network system a first authorization request message for requesting a specific user or a third party to authorize use of the client application service and, when the specific user accepts the client application service, to acquire an access password that allows the telecommunication network to be invoked to provide the client application service to the specific user; the telecommunication network service calling module is configured to send to the telecommunication operator's network system an invocation request message carrying the access password, where the invocation request message is used to request invocation of the telecommunication network capability to provide the client application service for the specific user.
  • In the embodiments, the client application device first sends the first authorization request message; the client application access authentication processing device set in the telecommunication operator's network system then processes it by sending a second authorization request message to the user equipment or the third-party device of the specific user, asking whether the specific user or the third party authorizes use of the client application service, and determines, according to the authorization result returned by the user equipment or the third-party device of the specific user, whether the client application device is allowed to provide the client application service to the specific user. The client application service that the client application device provides to the specific user is therefore authorized by the specific user or a third party, which improves the security of the SP providing client application services to users.
  • FIG. 1 is a schematic flowchart of Embodiment 1 of a client application access authentication processing method according to the present invention
  • FIG. 2 is a schematic flowchart of a second embodiment of a client application access authentication processing method according to the present invention
  • FIG. 4 is a schematic structural diagram of Embodiment 1 of a client application access authentication processing apparatus according to the present invention
  • FIG. 5 is a schematic structural diagram of Embodiment 2 of a client application access authentication processing apparatus according to the present invention
  • FIG. 6 is a schematic structural diagram of an embodiment of a client application service processing apparatus according to the present invention
  • FIG. 7 is a schematic structural diagram of an embodiment of a client application apparatus according to the present invention.
  • FIG. 1 is a schematic flowchart of Embodiment 1 of a client application access authentication processing method. As shown in FIG. 1, the method includes the following steps:
  • Step 101: Receive a first authorization request message sent by the client application device for requesting a specific user or a third party to authorize use of the client application service.
  • Step 102: Send a second authorization request message to the user equipment or the third-party device of the specific user, where the second authorization request message is used to request the specific user or a third party to authorize use of the client application service.
  • Step 103: Receive an authorization result returned by the user equipment or the third-party device of the specific user, and determine, according to the authorization result, whether the client application device is allowed to provide the client application service to the specific user.
  • In this embodiment, the client application device first sends the first authorization request message; the client application access authentication processing device set in the network system of the service provider then processes it by sending a second authorization request message to the user equipment or the third-party device of the specific user, asking whether the specific user or the third party authorizes use of the client application service, and determines, according to the authorization result returned by the user equipment or the third-party device of the specific user, whether the client application device is allowed to provide the client application service to the specific user. The client application service provided by the client application device to the specific user is therefore authorized by the specific user or the third party, which improves the security of the SP providing client application services to users.
  • The second authorization request message in the foregoing embodiment may be sent to the user equipment held by the specific user, to confirm whether the specific user accepts the client application service, or may be sent to a third-party device for confirmation by the third party. For example, the third-party device may be a device held by the manager of the specific user, with the manager confirming whether the specific user accepts use of the client application service, or the operator's server may serve as the third-party device, with the operator determining whether the specific user accepts the client application service.
  • The operator can thus decide, according to the will of the specific user or the third party, whether to provide the client application service, that is, whether to allow the client application device to access the telecommunication network capability; a corresponding telecommunication network access authentication processing device can be set in the client application device to perform the matching processing.
  • The client application device's access to the telecommunication network can be controlled by assigning it an access password, which may be implemented in two ways.
  • In the first, before sending the first authorization request message for requesting the specific user to authorize use of the client application service, the client application device sends a first password application message to the client application access authentication processing device in the telecommunication operator's network system; after receiving the first password application message, the client application access authentication processing device returns the first access password assigned to the client application device. This first access password can be regarded as a temporary password that has not taken effect: the client application device cannot access the operator's telecommunication network capability with it.
  • Only when the user equipment or the third-party device of the specific user returns an authorization result, and that result is that the specific user accepts the client application service, is the nature of the first access password changed in the local system, after which the client application device can perform the client application service using the first access password. The client application device sends a service request message carrying the first access password to the first service processing module in the telecommunication operator's network system; the first service processing module receives the service request message and, once the first access password is confirmed to be available, allows the client application device to access the telecommunication network capability and provide the client application service to the specific user. Specifically, the first service processing module can send the first access password to the client application access authentication processing device in the operator's network system, which confirms whether it is available.
  • The second way differs from the foregoing in that, when the authorization result is that the specific user accepts the client application service, the operator's client application access authentication processing device does not change the nature of the first access password but instead generates a verification code corresponding to the first access password and sends it to the client application device; after receiving a second password application message from the client application device carrying the first access password and the verification code, it returns a second access password to the client application device, where the second access password is an official password, authorizing the client application device to access the telecommunication network capability with the second access password to provide the client application service to the specific user.
  • When the second access password is used, the client application device sends a service request message carrying the second access password to the second service processing module in the telecommunication operator's network system; the second service processing module receives the service request message and, once the second access password is confirmed to be available, allows the client application device to access the telecommunication network capability and provide the client application service to the specific user. Specifically, the client application access authentication processing device in the telecommunication operator's network system can confirm whether the second access password is available.
  • The method may further perform identity authentication on the specific user and return the authorization result to the client application device after the authentication passes. In the embodiment that uses the second access password, a verification code corresponding to the first access password may be generated and sent to the client application device within the authorization result.
  • FIG. 2 is a schematic flowchart of Embodiment 2 of the client application access authentication processing method according to the present invention. As shown in FIG. 2, the method includes the following steps:
  • Step 201: Before accessing the operator's telecommunication network capability, the telecommunication network access authentication processing device of the client application device applies for a temporary password from the client application access authentication processing device in the telecommunication operator's network system, that is, it sends the first password application message.
  • The client application device in the embodiments may be classified by terminal type as a mobile terminal client, such as a mobile phone or a PDA, or a computer client, and by client application development language as a Widget application client, JAVA application client, Brew application client, Web client, and so on. The telecommunication network access authentication processing device is a function module set inside the client application device specifically for telecommunication network authentication.
  • Step 202: After the authentication of the client application device passes, the client application access authentication processing device of the operator network system returns the first access password assigned to the telecommunication network access authentication processing device. The first access password is a temporary password that has not taken effect, that is, the client application device cannot directly access the telecommunication network using it.
  • Step 203: The telecommunication network access authentication processing device sends a first authorization request message to the client application access authentication processing device, requesting a specific user or a third party to authorize use of the client application service.
  • Step 204: The client application access authentication processing device sends a second authorization request message to the user equipment or the third-party device of the specific user, where the second authorization request message is used to request the specific user or the third party to authorize use of the client application service.
  • The second authorization request message may be sent to the user equipment of the specific user by Web, Wireless Application Protocol (hereinafter WAP), Unstructured Supplementary Service Data (hereinafter USSD), Interactive Voice Response (hereinafter IVR) or short message mode.
  • The second authorization request message may include the telecommunication network capability information corresponding to the client application service, tariff information for use of the telecommunication network capability, and the type of term for which use of the client application service is authorized, for example authorizing a single use of the client application service, authorizing multiple uses, authorizing use before a set period, or authorizing use within a set time period.
  • Step 205: The specific user or the third party performs the authorization operation and returns the authorization result to the client application access authentication processing device. The user may submit identity authentication information and authorize in different ways: for a Web or WAP page, the user can submit a personal user name and password on the page and confirm agreement to use the client application service there; for the short message request mode, the user can reply to the short message to return the authorization result to the client application access authentication processing device in the service provider's network system.
  • Step 206: The client application access authentication processing device identifies the authorization result returned by the user equipment or the third-party device of the specific user, and performs identity authentication on the specific user when the specific user accepts the client application service.
  • Step 207: After the identity authentication of the specific user passes, the client application access authentication processing device returns the authorization result to the telecommunication network access authentication processing device and, at the same time, changes the nature of the first access password returned in step 202 to that of an official password, so that the client application device can access the telecommunication network to provide services for the specific user.
  • Step 208: The client application device initiates a call request message using the first access password; specifically, the telecommunication network service invoking module of the client application device may send a call request message to the telecommunication network open gateway module in the telecommunication operator's network system to invoke the telecommunication network capability and access the operator's telecommunication network.
  • Step 209: After receiving the call request message, the telecommunication network open gateway module obtains the first access password carried in the call request message and sends an authentication request message to the client application access authentication processing device. Further, because the nature of the first access password is converted to that of an official password only after the authorization result of the specific user is received, and each first access password corresponds to one specific user, the first access password may only be used for that user. The call request message may therefore also carry a user identifier, for example the SIM card number of the user's mobile phone, and in this step the user identifier is further authenticated to determine whether it corresponds to the first access password, which prevents the client application device from using the first access password to provide services for other users.
  • Step 210: The client application access authentication processing device authenticates the legality and validity period of the user identifier and the first access password.
  • Step 211: The client application access authentication processing device returns the authentication result to the telecommunication network open gateway module.
  • Step 212: After the authentication passes, the telecommunication network open gateway module invokes the telecommunication network capability and returns the call result to the client application device to provide services for the specific user.
  • In step 206, the identity of the specific user is authenticated after the specific user accepts the client application service. This step is optional, and the identity authentication may be omitted. Alternatively, the identity authentication may be performed before the second authorization request message is sent to the user equipment or the third-party device of the specific user in step 204, with the step of sending the second authorization request message to the user equipment or the third-party device executed after the identity authentication passes.
  • The client application access authentication processing device may be disposed in each gateway device of the operator network system; its specific position does not affect the implementation of the technical solution of the present invention.
  • In this embodiment, authorization is first requested from the specific user or a third party, and the client application service is provided only after the authorization is given, which improves the security of the SP providing services to the user.
  • FIG. 2 corresponds to the embodiment in which only the first access password is assigned. FIG. 3 is a schematic flowchart of Embodiment 3 of the client application access authentication processing method of the present invention, in which the client application access authentication processing device further allocates a second access password as the official password. As shown in the figure:
  • Steps 301 to 306 complete substantially the same functions as steps 201 to 206 in the above embodiment.
  • Step 307: After the identity authentication of the specific user passes, generate a verification code corresponding to the first access password.
  • Step 308: Return an authorization result to the telecommunication network access authentication processing device, where the authorization result carries the verification code.
  • Step 309: The telecommunication network access authentication processing device sends a second password application message carrying the first access password and the verification code to the client application access authentication processing device of the operator.
  • Step 310: The client application access authentication processing device allocates a second access password, where the second access password is an official password used to authorize the client application device to access the telecommunication network capability by using the second access password and provide the client application service to the specific user.
  • Step 311: The client application access authentication processing device returns the second access password to the telecommunication network access authentication processing device.
  • Steps 312 to 316 perform substantially the same functions as steps 208 to 212 of the above embodiment, except that the telecommunication network access authentication processing device initiates the call request message using the second access password.
  • In this embodiment, the first access password and the second access password are allocated to the client application device in turn, and the client application device finally invokes the telecommunication network capability with the second access password to provide the client application service for the specific user, which improves the security of the SP providing client application services to users.
  • FIG. 4 is a schematic structural diagram of Embodiment 1 of a client application access authentication processing device according to the present invention.
  • The client application access authentication processing device 40 includes a first receiving module 11, a first sending module 12 and a service authorization module 13. The first receiving module 11 is configured to receive the first authorization request message sent by the client application device for requesting a specific user or a third party to authorize use of the client application service; the first sending module 12 is configured to send the second authorization request message to the user equipment or the third-party device of the specific user, where the second authorization request message is used to request the specific user or a third party to authorize use of the client application service; and the service authorization module 13 is configured to receive the authorization result returned by the user equipment or the third-party device of the specific user and determine, according to the authorization result, whether the client application device is allowed to provide the client application service to the specific user.
  • The client application access authentication processing device set in the network system of the telecommunication operator sends a second authorization request message to the user equipment or the third-party device of the specific user, inquiring whether the specific user or the third party authorizes use of the client application service, and then determines whether to allow the client application device to provide the client application service to the specific user according to the authorization result returned by the user equipment or the third-party device. The client application service provided by the client application device for the specific user is therefore authorized by the specific user, which improves the security of the SP providing services to the user.
  • The client application device can be controlled by a password to access the telecommunication network to provide services for a specific user; this may include the case where only one access password is assigned and the case where two access passwords are allocated, which correspond respectively to the following.
  • In the first case, the client application access authentication processing device 50 further includes a first password assigning module 14, configured to receive a first password application message sent by the client application device before the first authorization request message for requesting the specific user or the third party to authorize use of the client application service is received, and to return to the client application device the first access password assigned to it; the service authorization module 13 is then specifically configured to authorize the client application device, when the authorization result is that the specific user accepts the client application service, to use the first access password to access the telecommunication network capability to provide the client application service to the specific user.
  • In the second case, where both the first access password and the second access password need to be allocated, the first password assigning module 14 is likewise configured to allocate the first access password to the client application device, and the service authorization module 13 is specifically configured to: when the authorization result is that the specific user accepts the client application service, generate a verification code corresponding to the first access password and send the verification code to the client application device; and, after receiving the second password application message sent by the client application device carrying the first access password and the verification code, return a second access password to the client application device to authorize it to access the telecommunication network capability by using the second access password to provide the client application service to the specific user.
  • The identity of the specific user may further be authenticated; that is, a user identity authentication module 15 is set in the client application access authentication processing device, configured to authenticate the specific user after the authorization result returned by the user equipment or the third-party device of the specific user is received and that result is that the specific user accepts the client application service, and to return the authorization result to the client application device after the authentication passes; if a verification code corresponding to the first access password has been generated, the verification code is carried in the authorization result sent to the client application device.
  • FIG. 6 is a schematic structural diagram of an embodiment of a client application service processing apparatus according to the present invention.
  • The client application service processing apparatus 60 includes a client application access authentication processing device 21 and a telecommunication network open gateway module 22. The client application access authentication processing device 21 can be the client application access authentication processing device provided by any of the above embodiments, and the telecommunication network open gateway module 22 is configured to send, after receiving the call request message carrying the access password sent by the client application device, an authentication request message requesting authentication of the access password to the client application access authentication processing device, and, after the authentication passes, to invoke the telecommunication network capability for the client application device.
  • FIG. 7 is a schematic structural diagram of an embodiment of a client application device according to the present invention.
  • the client application device 70 includes a telecommunications network access authentication processing module 31 and a telecommunications network service invoking module 32. The telecommunications network access authentication processing module 31 is configured to send, to the network system of the telecommunications operator, a first authorization request message requesting that the specific user authorize use of the client application service and, when the specific user accepts the client application service, to obtain an access password that permits the telecommunications network capability to be invoked to provide the client application service to the specific user; the telecommunications network service invoking module 32 is configured to send a call request message carrying the access password to the network system of the telecommunications operator, the call request message being used to request invocation of the telecommunications network capability to provide the client application service to the specific user.
  • in the client application access authentication processing method and device, the client application service processing apparatus and the client application device provided by the foregoing embodiments of the present invention, before the telecommunications network capability is invoked to provide the client application service to the user, an authorization request message is first sent to the user device of the specific user or to a third-party device, requesting that the specific user be authorized to use the client application service; only after the user accepts the client application service is the client application device authorized to access the telecommunications network capability and provide the client application service to the specific user, which improves the security with which the SP provides the client application service. The operator can also provide the service and charge for it in accordance with the user's consent, which effectively prevents charging fraud by third-party applications using the operator's telecommunications network capability.

Abstract

Disclosed are a method and apparatus for processing client application access authentication, an apparatus for processing a client application service, and a client application device. The method comprises: receiving a first authorization request message sent by the client application device requesting that a specific user or a third party authorize use of the client application service; sending a second authorization request message to the user device of the specific user or to the third-party device, the second authorization request message being used to request that the specific user or the third party authorize use of the client application service; and receiving an authorization result returned by the user device of the specific user or the third-party device and determining, according to the authorization result, whether the client application device is permitted to provide the client application service to the specific user. The technical solution of the present invention improves the security with which an SP provides services to a target user using an operator's telecommunications network capabilities.

Description

Client application access authentication processing method and apparatus

Technical field

The embodiments of the present invention relate to the field of communications technologies, and in particular to a client application access authentication processing method and apparatus.

Background
With the arrival of the mobile Internet era, the Internet and telecommunications networks are becoming ever more closely integrated. On the Internet and on user terminals an increasing variety of Internet applications and terminal applications has emerged, such as Web applications, terminal Widget applications and native terminal applications. These applications usually need to access the operator's telecommunications network capabilities in order to implement particular service features; for example, a Widget application for traffic information queries needs to be able to send an MMS message carrying a traffic route map to a particular mobile handset user. Operators therefore need a secure, open and controllable means of allowing client applications to access the operator's telecommunications network capabilities.

In the prior art, the opening of the operator's telecommunications network capabilities is mainly aimed at the service application servers of trusted service providers (Service Provider, hereinafter SP); the SP's various Internet applications and terminal applications provide services to users, and their access to the operator's network capabilities mainly comprises the following process. The SP's service application server sends an access request to the operator's network operation platform, requesting to invoke the operator's telecommunications network capability; for example, the SP's web application server may request to invoke the telecommunications network capability to send a mobile phone newspaper in MMS form. The access request sent by the SP's service application server carries the SP's identity, its password and the target user's mobile phone number. After authenticating the SP, the operator's network operation platform uses the telecommunications network capability to provide the target user with the service requested by the SP's service application server, and further charges for the service provided to the target user.

In the prior art, the scheme in which the SP uses the operator's telecommunications network capabilities to provide services to target users has poor security and can easily be exploited by an SP to provide illegal services.

Summary of the invention

The embodiments of the present invention provide a client application access authentication processing method and apparatus, as well as a client application service processing apparatus and a client application device, so as to improve the security of the scheme in which an SP uses the operator's telecommunications network capabilities to provide services to target users.
An embodiment of the present invention provides a client application access authentication processing method, comprising: receiving a first authorization request message sent by a client application device requesting that a specific user or a third party authorize use of a client application service;

sending a second authorization request message to the user device of the specific user or to a third-party device, the second authorization request message being used to request that the specific user or the third party authorize use of the client application service;

receiving an authorization result returned by the user device of the specific user or the third-party device, and determining, according to the authorization result, whether the client application device is permitted to provide the client application service to the specific user.
An embodiment of the present invention further provides a client application access authentication processing apparatus, comprising: a first receiving module, configured to receive a first authorization request message sent by a client application device requesting that a specific user or a third party authorize use of a client application service;

a first sending module, configured to send a second authorization request message to the user device of the specific user or to a third-party device, the second authorization request message being used to request that the specific user or the third party authorize use of the client application service;

a service authorization module, configured to receive an authorization result returned by the user device of the specific user or the third-party device and to determine, according to the authorization result, whether the client application device is permitted to provide the client application service to the specific user.
An embodiment of the present invention further provides a client application service processing apparatus, comprising the above client application access authentication processing apparatus and a telecommunications network open gateway module, the telecommunications network open gateway module being configured to: after receiving a call request message carrying an access password sent by a client application device, send an authentication request message requesting authentication of the access password to the client application access authentication processing apparatus, and, after the authentication passes, invoke the telecommunications network capability for the client application device.

An embodiment of the present invention further provides a client application device, comprising a telecommunications network access authentication processing module and a telecommunications network service invoking module. The telecommunications network access authentication processing module is configured to send, to the network system of a telecommunications operator, a first authorization request message requesting that a specific user or a third party authorize use of a client application service and, when the specific user accepts the client application service, to obtain an access password that permits the telecommunications network capability to be invoked to provide the client application service to the specific user; the telecommunications network service invoking module is configured to send a call request message carrying the access password to the network system of the telecommunications operator, the call request message being used to request invocation of the telecommunications network capability to provide the client application service to the specific user.
In the above technical solution of the present invention, if the SP's client application device wishes to provide a client application service to a user, it first sends a first authorization request message, which is then handled by a client application access authentication processing apparatus located in the telecommunications operator's network system. That apparatus sends a second authorization request message to the user device of the specific user or to a third-party device, asking whether the specific user or the third party authorizes use of the client application service, and then determines, according to the authorization result returned by the user device of the specific user or the third-party device, whether the client application device is permitted to provide the client application service to the specific user. Every client application service that the client application device provides to a specific user is therefore authorized by that specific user or by a third party, which improves the security with which the SP provides client application services to users.

Brief description of the drawings

In order to illustrate the embodiments of the present invention or the technical solutions in the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention, and those of ordinary skill in the art can obtain other drawings from them without creative effort.

FIG. 1 is a schematic flowchart of Embodiment 1 of the client application access authentication processing method of the present invention;
FIG. 2 is a schematic flowchart of Embodiment 2 of the client application access authentication processing method of the present invention;
FIG. 3 is a schematic flowchart of Embodiment 3 of the client application access authentication processing method of the present invention;
FIG. 4 is a schematic structural diagram of Embodiment 1 of the client application access authentication processing apparatus of the present invention;
FIG. 5 is a schematic structural diagram of Embodiment 2 of the client application access authentication processing apparatus of the present invention;
FIG. 6 is a schematic structural diagram of an embodiment of the client application service processing apparatus of the present invention;
FIG. 7 is a schematic structural diagram of an embodiment of the client application device of the present invention.

Detailed description

To make the objectives, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
To address the poor security in the prior art when an SP uses the operator's telecommunications network capabilities to provide services to users, the embodiments of the present invention provide a solution that is implemented by adding a client application access authentication processing apparatus to the telecommunications operator's network system. FIG. 1 is a schematic flowchart of Embodiment 1 of the client application access authentication processing method of the present invention; as shown in FIG. 1, it includes the following steps:

Step 101: receive a first authorization request message sent by a client application device requesting that a specific user or a third party authorize use of a client application service;

Step 102: send a second authorization request message to the user device of the specific user or to a third-party device, the second authorization request message being used to request that the specific user or the third party authorize use of the client application service;

Step 103: receive an authorization result returned by the user device of the specific user or the third-party device, and determine, according to the authorization result, whether the client application device is permitted to provide the client application service to the specific user.

In the above embodiment of the present invention, if the SP's client application device wishes to provide a client application service to the client user, it first sends a first authorization request message, which is then handled by the client application access authentication processing apparatus located in the telecommunications operator's network system. That apparatus sends a second authorization request message to the user device of the specific user or to a third-party device, asking whether the specific user or the third party authorizes use of the client application service, and then determines, according to the authorization result returned by the user device of the specific user or the third-party device, whether the client application device is permitted to provide the client application service to the specific user. Every client application service that the client application device provides to a specific user is therefore authorized by that specific user or by a third party, which improves the security with which the SP provides client application services to users.
In the above embodiment of the present invention, the second authorization request message may be sent to a user device held by the specific user, so that the specific user personally confirms whether to accept the client application service, or it may be sent to a third-party device and confirmed by a third party. For example, the third-party device may be a device held by the specific user's manager, in which case the manager confirms whether the specific user accepts the client application service, or the operator's server may act as the third-party device, in which case the operator determines whether the specific user accepts the client application service.

In the above embodiment of the present invention the operator can decide, according to the wishes of the specific user or the third party, whether to provide the client application service, that is, whether to permit the client application device to access the telecommunications network capability. A corresponding telecommunications network access authentication processing apparatus can be provided in the client application device to carry out the corresponding processing. In a specific implementation, the client application device's access to the telecommunications network can be controlled by assigning access passwords to the client application device, for which there are two implementation modes.
In the first mode, before the client application device sends the first authorization request message requesting that the specific user authorize use of the client application service, it first sends a first password application message to the client application access authentication processing apparatus in the telecommunications operator's network system. After receiving the first password application message sent by the client application device, the client application access authentication processing apparatus returns to the client application device the first access password assigned to it. This first access password can be regarded as a temporary password that is not yet in effect: the client application device cannot use it to access the operator's telecommunications network capability. Only when the user device of the specific user or the third-party device returns an authorization result, and the authorization result is that the specific user accepts the client application service, is the nature of the first access password changed within the local system to an official password, so as to authorize the client application device to use the first access password to access the telecommunications network capability and provide the client application service to the specific user. The client application device can then use the first access password to carry out the client application service. Specifically, the client application device sends a service request message carrying the first access password to a first service processing module in the telecommunications operator's network system; on receiving the service request message and confirming that the first access password is usable, the first service processing module permits the client application device to access the telecommunications network capability and provide the client application service to the specific user. In particular, the first service processing module may confirm with the client application access authentication processing apparatus in the telecommunications operator's network system whether the first access password is usable.
There is also a second mode, which differs from the above embodiment in that, when the authorization result is that the specific user accepts the client application service, the operator's client application access authentication processing apparatus does not change the nature of the first access password but instead generates a verification code corresponding to the first access password and sends the verification code to the client application device. After receiving a second password application message sent by the client application device carrying the first access password and the verification code, it returns a second access password to the client application device; this second access password is the official password, and it authorizes the client application device to use the second access password to access the telecommunications network capability and provide the client application service to the specific user.

Specifically, when the second access password is used, the client application device sends a service request message carrying the second access password to a second service processing module in the telecommunications operator's network system; the second service processing module receives the service request message and, on confirming that the second access password is usable, permits the client application device to access the telecommunications network capability and provide the client application service to the specific user. In particular, it may confirm with the client application access authentication processing apparatus in the telecommunications operator's network system whether the second access password is usable.

In the above embodiments of the present invention, after receiving the authorization result returned by the user device of the specific user or the third-party device and confirming that the authorization result is that the specific user accepts the client application service, the specific user may additionally be authenticated, and the authorization result is returned to the client application device only after the authentication passes. Specifically, for the above embodiment using the second access password, the verification code corresponding to the first access password may be generated first and then carried in the authorization result sent to the client application device.
FIG. 2 is a schematic flowchart of Embodiment 2 of the client application access authentication processing method of the present invention; as shown in FIG. 2, it includes the following steps:

Step 201: before accessing the operator's telecommunications network capability, the telecommunications network access authentication processing apparatus of the client application device first applies to the client application access authentication processing apparatus in the telecommunications operator's network system for a temporary password, that is, it sends a first password application message. The client application device in the embodiments of the present invention may be classified by terminal type into a mobile terminal client, such as a mobile phone or PDA, or a computer client, and by client application development language into a Widget application client, a JAVA application client, a Brew application client, a Web client, and so on. The telecommunications network access authentication processing apparatus is a functional module provided inside the client application device and dedicated to authenticating towards the telecommunications network;

Step 202: after authenticating the client application device, the client application access authentication processing apparatus of the operator's network system returns to the telecommunications network access authentication processing apparatus the first access password assigned to it. This first access password is a temporary password that is not yet in effect, that is, the client application device cannot use the first access password directly to access the telecommunications network;
Step 203: the telecommunications network access authentication processing apparatus sends a first authorization request message to the client application access authentication processing apparatus, requesting that a specific user or a third party authorize use of the client application service;

Step 204: the client application access authentication processing apparatus sends a second authorization request message to the user device of the specific user or to a third-party device, the second authorization request message being used to request that the specific user or the third-party device authorize use of the client application service. Specifically, the second authorization request message may be sent to the user device of the specific user by Web, Wireless Application Protocol (hereinafter WAP), Unstructured Supplementary Service Data (hereinafter USSD), Interactive Voice Response (hereinafter IVR) or short message. Optionally, the second authorization request message may include the telecommunications network capability information corresponding to the client application service, the tariff information for using that telecommunications network capability, and the type of period for which use of the client application service is authorized, for example authorizing a single use of the client application service, multiple uses of it, its use before a set deadline, or its use within a set time range;
Step 205: The specific user or third party performs the authorization operation and returns the authorization result to the client application access authentication processing device. For different request modes the user may submit identity authentication information and grant authorization in different ways; for example, for a Web or WAP page the user may submit a personal username and password on the Web or WAP page and confirm on the page that they agree to use the client application service; for the short message request mode, the user may return the authorization result to the client application access authentication processing device in the telecommunication operator's network system by replying to the short message with a confirmation;
Step 206: The client application access authentication processing device identifies the authorization result returned by the user equipment of the specific user or by the third-party device and, when the specific user accepts the client application service, performs identity authentication on the specific user;
Step 207: After the identity authentication of the specific user passes, the client application access authentication processing device returns the authorization result to the telecommunication network access authentication processing device and at the same time changes the nature of the first access password returned in step 202 to that of an official password, so that the client application device can access the telecommunication network to provide the service for the specific user;
Step 208: The client application device initiates a call request message using the first access password. Specifically, the telecommunication network service invoking module of the client application device may send a call request message to the telecommunication network open gateway module in the telecommunication operator's network system, to invoke the telecommunication network capability and access the operator's telecommunication network;
Step 209: After receiving the call request message, the telecommunication network open gateway module obtains the first access password carried in the call request message and sends an authentication request message to the client application access authentication processing device. Further, the first access password is converted into an official password only after the authorization result of the specific user has been received, and each first access password corresponds to one specific user; therefore the first access password only allows service to be provided to that specific user. The call request message of step 208 may further carry a user identifier, for example the SIM card number of the mobile phone the user is using; in this step that user identifier is further authenticated to determine whether it corresponds to the first access password, so as to prevent the client application device from using the first access password to provide services to other users;
Step 210: The client application access authentication processing device authenticates the legality and validity period of the user identifier and the first access password;
Step 211: The client application access authentication processing device returns the authentication result to the telecommunication network open gateway module;
Step 212: After the authentication passes, the telecommunication network open gateway module invokes the telecommunication network capability and returns the invocation result to the client application device, providing the service for the specific user.
In the above embodiment of the present invention, in step 206 the identity of the specific user is authenticated after the specific user accepts the client application service. In practical application this step is optional: the identity authentication process may be omitted, or the identity authentication may instead be performed before the second authorization request message is sent to the user equipment of the specific user or the third-party device in step 204, with the step of sending the second authorization request message to the user equipment of the specific user or the third-party device performed only after the identity authentication passes. In the above embodiment of the present invention, the client application access authentication processing device may be set in any of the gateway devices of the operator's network system; its specific position does not affect the implementation of the technical solution of the present invention. In this embodiment, before the telecommunication network capability is invoked to provide the client application service to the specific user, authorization is first requested from the specific user or a third party, and the client application service is provided only after the authorization is obtained, which improves the security of the services the SP provides to users.
The embodiment shown in FIG. 2 above corresponds to the scheme in which only a first access password is allocated. FIG. 3 is a schematic flowchart of Embodiment 3 of the client application access authentication processing method of the present invention; in this embodiment the client application access authentication processing device further allocates a second access password as the official password. As shown in FIG. 3, it includes the following steps:
Steps 301 to 306 perform substantially the same functions as steps 201 to 206 of the above embodiment.
Step 307: After the identity authentication of the specific user passes, generate a verification code corresponding to the first access password;
Step 308: Return the authorization result to the telecommunication network access authentication processing device, the authorization result carrying the verification code;
Step 309: The telecommunication network access authentication processing device sends a second password application message carrying the first access password and the verification code to the operator's client application access authentication processing device;
Step 310: The client application access authentication processing device allocates a second access password; the second access password is an official password used to authorize the client application device to access the telecommunication network capability using the second access password and to provide the client application service to the specific user;
Step 311: The client application access authentication processing device returns the second access password to the telecommunication network access authentication processing device;
Steps 312 to 316 perform substantially the same functions as steps 208 to 212 of the above embodiment, the only difference being that the telecommunication network access authentication processing device initiates the call request message using the second access password.
In this embodiment, a first access password and a second access password are allocated to the client application device separately, and the client application device finally invokes the telecommunication network capability according to the second access password to provide the client application service to the specific user, which can improve the security of the client application services the SP provides to users.
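The two password flows described above, the single-password embodiment of FIG. 2 (steps 201 to 212) and the verification-code and second-password embodiment of FIG. 3 (steps 307 to 316), modelled in an added example that is not part of the patent or of any implementation of it; the class names, message fields, integer clock, and token format are all constructed for illustration.

```python
import secrets
from dataclasses import dataclass

# Term types listed in step 204 (constructed constants). "multi" stands in for
# the three non-single-use types, which differ only in how validity is bounded.
SINGLE_USE = "single"
MULTI_USE = "multi"

@dataclass
class AccessPassword:
    user_id: str              # the specific user the password is bound to (step 209)
    authorized: bool = False  # set once the user's authorization result is recorded
    official: bool = False    # only an official password may invoke network capability
    term: str = MULTI_USE
    expires_at: int = 0       # validity period checked in step 210 (constructed integer clock)
    uses_left: int = -1       # -1 = unlimited; 1 for single-use authorization

class AccessAuthProcessor:
    """Stand-in for the client application access authentication processing device."""

    def __init__(self, clock=0):
        self.clock = clock      # constructed clock so expiry is testable offline
        self.passwords = {}     # token -> AccessPassword
        self.codes = {}         # first-password token -> verification code (step 307)

    # Steps 201-202: allocate a temporary first access password for one user.
    def allocate_first_password(self, user_id):
        token = secrets.token_hex(8)
        self.passwords[token] = AccessPassword(user_id)
        return token

    # Steps 204-206: record the user's answer to the second authorization request;
    # credentials_ok stands for the optional identity check. Nothing becomes official here.
    def record_authorization(self, token, accepted, credentials_ok, term, validity):
        pw = self.passwords.get(token)
        if pw is None or not accepted or not credentials_ok:
            return False
        pw.authorized, pw.term = True, term
        pw.uses_left = 1 if term == SINGLE_USE else -1
        pw.expires_at = self.clock + validity
        return True

    # Step 207 (FIG. 2 embodiment): the first password itself becomes official.
    def promote_first_password(self, token):
        pw = self.passwords.get(token)
        if pw is None or not pw.authorized:
            return False
        pw.official = True
        return True

    # Steps 307-308 (FIG. 3 embodiment): verification code tied to the first password.
    def issue_verification_code(self, token):
        pw = self.passwords.get(token)
        if pw is None or not pw.authorized:
            return None
        self.codes[token] = secrets.token_hex(8)
        return self.codes[token]

    # Steps 309-311: exchange first password + code for the official second password.
    def allocate_second_password(self, token, code):
        first = self.passwords.get(token)
        expected = self.codes.get(token, "")
        if first is None or not expected or not secrets.compare_digest(expected, code):
            return None
        del self.codes[token]  # a code is redeemed at most once
        second = secrets.token_hex(8)
        self.passwords[second] = AccessPassword(first.user_id, True, True, first.term,
                                               first.expires_at, first.uses_left)
        return second

    # Steps 209-210: legality, validity period, and binding to the specific user,
    # so a password cannot be reused to serve a different user.
    def authenticate(self, token, user_id):
        pw = self.passwords.get(token)
        if pw is None or not pw.official or pw.user_id != user_id:
            return False
        if self.clock >= pw.expires_at or pw.uses_left == 0:
            return False
        if pw.uses_left > 0:
            pw.uses_left -= 1
        return True

class OpenGateway:
    """Stand-in for the telecommunication network open gateway module (steps 208-212)."""

    def __init__(self, auth):
        self.auth = auth

    def invoke(self, token, user_id, capability):
        if not self.auth.authenticate(token, user_id):
            return {"status": "rejected"}
        return {"status": "ok", "capability": capability, "user": user_id}
```

In the FIG. 3 flow the first password never becomes official, so only the second password (carrying the same user binding, term and validity) can reach the gateway.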
An embodiment of the present invention also provides a client application access authentication processing device. FIG. 4 is a schematic structural diagram of Embodiment 1 of the client application access authentication processing device of the present invention. As shown in FIG. 4, the client application access authentication processing device 40 includes a first receiving module 11, a first sending module 12 and a service authorization module 13. The first receiving module 11 is configured to receive a first authorization request message sent by the client application device for requesting that a specific user or a third party authorize use of the client application service; the first sending module 12 is configured to send a second authorization request message to the user equipment of the specific user or to the third-party device, the second authorization request message being used to request that the specific user or third party authorize use of the client application service; the service authorization module 13 is configured to receive the authorization result returned by the user equipment of the specific user or the third-party device and to determine, according to the authorization result, whether the client application device is allowed to provide the client application service to the specific user.
In the embodiment of the present invention, after the client application access authentication processing device set in the telecommunication operator's network system receives the first authorization request message, it sends a second authorization request message to the user equipment of the specific user or the third-party device, asking whether the specific user or third party authorizes use of the client application service, and then determines, according to the authorization result returned by the user equipment of the specific user or the third-party device, whether the client application device is allowed to provide the client application service to the specific user. As a result, every client application service that the client application device provides to a specific user has been authorized by that specific user, which improves the security of the services the SP provides to users.
As already described in the method embodiments above, access by the client application device to the telecommunication network to provide services to a specific user may be controlled by means of passwords; specifically this may include the case where only one access password is allocated and the case where two access passwords are allocated, corresponding respectively to the method embodiments shown in FIG. 2 and FIG. 3.
For the embodiment shown in FIG. 2 above, where only a first access password needs to be allocated, the client application access authentication processing device 50 may, as shown in FIG. 5, further include a first password allocation module 14. The first password allocation module 14 is configured to receive, before the first authorization request message sent by the client application device for requesting that the specific user or a third party authorize use of the client application service is received, a first password application message sent by the client application device, and to return to the client application device the first access password allocated to it. The service authorization module 13 described above is specifically configured to, when the authorization result is that the specific user accepts the client application service, authorize the client application device to access the telecommunication network capability using the first access password and provide the client application service to the specific user.
For the embodiment shown in FIG. 3 above, where a first access password and a second access password need to be allocated, the device likewise includes the first password allocation module 14 described above, which allocates the first access password to the client application device, while the service authorization module 13 is specifically configured to, when the authorization result is that the specific user accepts the client application service, generate a verification code corresponding to the first access password and send the verification code to the client application device, and then, after receiving the second password application message sent by the client application device carrying the first access password and the verification code, return a second access password to the client application device, so as to authorize the client application device to access the telecommunication network capability using the second access password and provide the client application service to the specific user.
In addition, in the embodiment of the present invention the identity of the specific user may further be authenticated, that is, a user identity authentication module 15 is set in the client application access authentication processing device. The user identity authentication module 15 is configured to, after the authorization result returned by the user equipment of the specific user or the third-party device has been received and when that authorization result is that the specific user accepts the client application service, perform identity authentication on the specific user and, after the authentication passes, return the authorization result to the client application device; if a verification code corresponding to the first access password has been generated, the verification code is carried in the authorization result sent to the client application device.
Further, an embodiment of the present invention also provides a client application service processing device. FIG. 6 is a schematic structural diagram of an embodiment of the client application service processing device of the present invention. As shown in FIG. 6, the client application service processing device 60 includes a client application access authentication processing device 21 and a telecommunication network open gateway module 22. The client application access authentication processing device 21 may be the client application access authentication processing device provided by any of the embodiments above, and the telecommunication network open gateway module 22 is configured to, after receiving a call request message carrying an access password sent by the client application device, send to the client application access authentication processing device an authentication request message requesting that the access password be authenticated, and to invoke the telecommunication network capability for the client application device after the authentication passes.
An embodiment of the present invention also provides a client application device. FIG. 7 is a schematic structural diagram of an embodiment of the client application device of the present invention. As shown in FIG. 7, the client application device 70 includes a telecommunication network access authentication processing module 31 and a telecommunication network service invoking module 32. The telecommunication network access authentication processing module 31 is configured to send to the telecommunication operator's network system a first authorization request message for requesting that the specific user authorize use of the client application service and, when the specific user accepts the client application service, to obtain an access password that permits invoking the telecommunication network capability to provide the client application service to the specific user; the telecommunication network service invoking module 32 is configured to send to the telecommunication operator's network system a call request message carrying the access password, the call request message being used to request invocation of the telecommunication network capability to provide the client application service to the specific user.
In the client application access authentication processing method and device, the client application service processing device, and the client application device provided by the above embodiments of the present invention, before the telecommunication network capability is invoked to provide the client application service to a user, an authorization request message is first sent to the user equipment used by the specific user or to a third-party device, requesting authorization for that specific user to use the client application service; only after the user accepts the client application service is the client application device authorized to access the telecommunication network capability and provide the client application service to the specific user. Through the above technical solution, the security of the client application services the SP provides to users can be improved. In addition, the operator provides the service only with the user's consent and charges according to the service, which can effectively prevent third-party applications from committing charging fraud using the operator's telecommunication network capability.
A person of ordinary skill in the art can understand that all or part of the steps of the above method embodiments may be performed by hardware under the control of program instructions; the program may be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments; the storage medium includes any medium that can store program code, such as a ROM, a RAM, a magnetic disk or an optical disk.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solutions of the present invention, not to limit them; although the present invention has been described in detail with reference to the foregoing embodiments, a person of ordinary skill in the art should understand that the technical solutions recorded in the foregoing embodiments may still be modified, or some of their technical features replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims

1. A client application access authentication processing method, characterized by comprising:
receiving a first authorization request message sent by a client application device for requesting that a specific user or a third party authorize use of a client application service;
sending a second authorization request message to user equipment of the specific user or to a third-party device, the second authorization request message being used to request that the specific user or third party authorize use of the client application service;
receiving an authorization result returned by the user equipment of the specific user or the third-party device, and determining, according to the authorization result, whether the client application device is allowed to provide the client application service to the specific user.
2. The client application access authentication processing method according to claim 1, characterized in that, before the receiving of the first authorization request message sent by the client application device for requesting that a specific user or a third party authorize use of the client application service, the method further comprises:
receiving a first password application message sent by the client application device, and returning to the client application device the first access password allocated to it;
and the determining, according to the authorization result, whether the client application device is allowed to provide the client application service to the specific user comprises:
when the authorization result is that the specific user accepts the client application service, authorizing the client application device to access telecommunication network capability using the first access password and provide the client application service to the specific user.
3. The client application access authentication processing method according to claim 1, characterized in that, before the receiving of the first authorization request message sent by the client application device for requesting that a specific user or a third party authorize use of the client application service, the method further comprises:
receiving a first password application message sent by the client application device, and returning the first access password to the client application device;
and the determining, according to the authorization result, whether the client application device is allowed to provide the client application service to the specific user comprises:
when the authorization result is that the specific user accepts the client application service, generating a verification code corresponding to the first access password and sending the verification code to the client application device, and, after receiving a second password application message sent by the client application device carrying the first access password and the verification code, returning a second access password to the client application device, so as to authorize the client application device to access telecommunication network capability using the second access password and provide the client application service to the specific user.
4. The client application access authentication processing method according to claim 1, 2 or 3, characterized in that, after the authorization result returned by the user equipment of the specific user or the third-party device is received and when the authorization result is that the specific user accepts the client application service, the method further comprises:
performing identity authentication on the specific user, and returning the authorization result to the client application device after the authentication passes.
5. The client application access authentication processing method according to claim 2, characterized by further comprising:
receiving a call request message sent by the client application device carrying the first access password, and, upon confirming that the first access password is usable, allowing the client application device to invoke telecommunication network capability to provide the client application service to the specific user.
6. The client application access authentication processing method according to claim 3, characterized by further comprising:
receiving a service request message sent by the client application device carrying the second access password, and, upon confirming that the second access password is usable, allowing the client application device to access telecommunication network capability to provide the client application service to the specific user.
7. The client application access authentication processing method according to claim 1, 2 or 3, characterized in that the sending of the second authorization request message to the user equipment of the specific user or the third-party device comprises:
sending the second authorization request message to the user equipment of the specific user or the third-party device by Web, by Wireless Application Protocol, by Unstructured Supplementary Service Data, by Interactive Voice Response, or by short message.
8. The client application access authentication processing method according to claim 1, 2 or 3, characterized in that the second authorization request message comprises telecommunication network capability information corresponding to the client application service, tariff information for using the network capability, and a term type of the authorization to use the client application service.
9. The client application access authentication processing method according to claim 8, characterized in that the term type of the authorization to use the client application service comprises:
authorization for a single use of the client application service, authorization for multiple uses of the client application service, authorization to use the client application service before a set deadline, or authorization to use the client application service within a set time range.
10、 一种客户端应用访问鉴权处理装置, 其特征在于, 包括:  A client application access authentication processing device, comprising:
第一接收模块, 用于接收客户端应用设备发送的用于请求特定用户或第 三方授权使用客户端应用业务的第一授权请求消息;  a first receiving module, configured to receive a first authorization request message sent by the client application device for requesting a specific user or a third party to authorize the use of the client application service;
第一发送模块, 用于向所述特定用户的用户设备或第三方设备发送第二 授权请求消息, 所述第二授权请求消息用于请求所述特定用户或第三方授权 使用所述客户端应用业务;  a first sending module, configured to send a second authorization request message to the user equipment or the third-party device of the specific user, where the second authorization request message is used to request the specific user or a third party to authorize use of the client application Business
业务授权模块, 用于接收所述特定用户的用户设备或第三方设备返回的 授权结果,根据所述授权结果确定是否允许所述客户端应用设备向所述特定 用户提供所述客户端应用业务。  And a service authorization module, configured to receive an authorization result returned by the user equipment or the third-party device of the specific user, and determine, according to the authorization result, whether the client application device is allowed to provide the client application service to the specific user.
11、 根据权利要求 10所述的客户端应用访问鉴权处理装置, 其特征在 于, 还包括:  The client application access authentication processing device according to claim 10, further comprising:
第一口令分配模块, 用于在接收客户端应用设备发送的用于请求特定用 户或第三方授权使用客户端应用业务的第一授权请求消息之前,接收客户端 应用设备发送的第一口令申请消息, 并向所述客户端应用设备返回为其分配 的所述第一访问口令;  a first password allocation module, configured to receive a first password request message sent by the client application device before receiving the first authorization request message sent by the client application device for requesting the specific user or the third party to authorize the use of the client application service Returning to the client application device the first access password assigned thereto;
所述业务授权模块具体用于在所述授权结果为所述特定用户接受所述 客户端应用业务时,授权所述客户端应用设备利用所述第一访问口令访问电 信网络能力, 向所述特定用户提供所述客户端应用业务。  The service authorization module is specifically configured to: when the authorization result is that the specific user accepts the client application service, authorize the client application device to access the telecommunication network capability by using the first access password, to the specific The user provides the client application service.
12. The client application access authentication processing apparatus according to claim 10, further comprising:
a first password allocation module, configured to receive a first password application message sent by the client application device before the first authorization request message (sent by the client application device to request that a specific user or a third party authorize use of the client application service) is received, and to return to the client application device the first access password allocated to it;
wherein the service authorization module is specifically configured to, when the authorization result is that the specific user accepts the client application service, generate a verification code corresponding to the first access password and send the verification code to the client application device, and, after receiving a second password application message sent by the client application device carrying the first access password and the verification code, return a second access password to the client application device, so as to authorize the client application device to access the telecommunication network capability using the second access password and provide the client application service to the specific user.
13. The client application access authentication processing apparatus according to claim 10, 11 or 12, further comprising:
a user identity authentication module, configured to, after the authorization result returned by the user equipment of the specific user or by the third-party device has been received and the authorization result is that the specific user accepts the client application service, perform identity authentication of the specific user and, once the authentication passes, return the authorization result to the client application device; if a verification code corresponding to the first access password has been generated, the verification code is carried in the authorization result sent to the client application device.
14. A client application service processing apparatus, comprising the client application access authentication processing apparatus according to any one of claims 10 to 13 and a telecommunication network open gateway module, wherein the telecommunication network open gateway module is configured to, after receiving a call request message carrying an access password sent by the client application device, send to the client application access authentication processing apparatus an authentication request message requesting that the access password be authenticated, and, once the authentication passes, invoke the telecommunication network capability on behalf of the client application device.
15. A client application device, comprising a telecommunication network access authentication processing module and a telecommunication network service invocation module, wherein the telecommunication network access authentication processing module is configured to send, to the network system of a telecommunication operator, a first authorization request message requesting that a specific user or a third party authorize use of a client application service and, when the specific user accepts the client application service, to obtain an access password that permits invoking the telecommunication network capability to provide the client application service to the specific user; and the telecommunication network service invocation module is configured to send, to the network system of the telecommunication operator, a call request message carrying the access password, the call request message being used to request invocation of the telecommunication network capability to provide the client application service to the specific user.
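The password exchange of claims 12 to 14 worked through as an added example (not code from the patent or from its assignee): an in-memory operator-side apparatus that allocates the first access password, issues a verification code only for an accepted result from an identity-authenticated user, exchanges first password plus code for a one-shot second access password, and a gateway that authenticates the access password before invoking a capability. The class and method names, the in-memory stores and the sample capability name are assumptions.

```python
import hmac
import secrets

class AccessAuthServer:
    """Operator-side access authentication apparatus (claims 12-14); in-memory dicts
    stand in for the operator's database and every name here is an assumption."""

    def __init__(self):
        self.first_pw = {}   # first access password -> client application id
        self.pending = {}    # first access password -> (verification code, user id)
        self.second_pw = {}  # second access password -> (client application id, user id)

    def allocate_first_password(self, client_id):
        """First password application message: allocate a first access password."""
        pw = secrets.token_urlsafe(16)
        self.first_pw[pw] = client_id
        return pw

    def handle_authorization_result(self, first_pw, user_id, accepted, user_authenticated):
        """Authorization result from the user's or a third-party device. Claim 13: the user
        is identity-authenticated first; claim 12: only then is a verification code issued."""
        if first_pw not in self.first_pw:
            raise KeyError("unknown first access password")
        if not (accepted and user_authenticated):
            return None  # service not authorized; nothing is issued
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[first_pw] = (code, user_id)
        return code  # carried in the authorization result to the client

    def request_second_password(self, first_pw, code):
        """Second password application message carrying the first password and the code.
        The pending entry is consumed on any attempt, so a code can be neither replayed
        nor guessed by repeated tries."""
        entry = self.pending.pop(first_pw, None)
        if entry is None or not hmac.compare_digest(entry[0], code):
            return None
        pw = secrets.token_urlsafe(32)
        self.second_pw[pw] = (self.first_pw[first_pw], entry[1])
        return pw

    def authenticate_access_password(self, access_pw):
        """Authentication request sent by the open gateway module (claim 14)."""
        return self.second_pw.get(access_pw)

def open_gateway_invoke(server, access_pw, capability, target_user):
    """Open gateway module (claim 14): invoke only for an authenticated password and its user."""
    grant = server.authenticate_access_password(access_pw)
    if grant is None or grant[1] != target_user:
        return None
    return f"{capability} invoked by {grant[0]} for {grant[1]}"
```

The first access password alone never authenticates at the gateway; only the second password, bound to the authorizing user, does.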
PCT/CN2012/084290 2011-11-18 2012-11-08 Method and apparatus for processing client application access authentication WO2013071836A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201110367609.9A CN103124252B (en) 2011-11-18 2011-11-18 Client application access authentication treating method and apparatus
CN201110367609.9 2011-11-18

Publications (1)

Publication Number Publication Date
WO2013071836A1 true WO2013071836A1 (en) 2013-05-23

Family

ID=48428977

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2012/084290 WO2013071836A1 (en) 2011-11-18 2012-11-08 Method and apparatus for processing client application access authentication

Country Status (2)

Country Link
CN (1) CN103124252B (en)
WO (1) WO2013071836A1 (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104468487B (en) * 2013-09-23 2018-10-19 华为技术有限公司 Communication authentication method and device, terminal device
CN103532982A (en) * 2013-11-04 2014-01-22 祝贺 Wearable device based authorization method, device and system
CN104703162B (en) * 2014-12-27 2018-11-30 华为技术有限公司 A kind of method, apparatus and system by application access third party's resource
CN104715188B (en) * 2015-03-27 2019-10-01 百度在线网络技术(北京)有限公司 A kind of application implementation method and device based on binding terminal
CN107566322A (en) * 2016-06-30 2018-01-09 惠州华阳通用电子有限公司 A kind of onboard system multi-user access method and device

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1466308A (en) * 2002-06-15 2004-01-07 华为技术有限公司 Method for realizing content fee-conunting process
CN101282505A (en) * 2007-04-04 2008-10-08 中国电信股份有限公司 Method for managing service of telecommunication system
WO2010081256A1 (en) * 2009-01-16 2010-07-22 Telefonktiebolaget Lm Ericsson (Publ) Method of and message service gateway for controlling delivery of a message service to an end user
CN102004987A (en) * 2010-10-21 2011-04-06 中国移动通信集团北京有限公司 Method, device and system for realizing application service

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100574195C (en) * 2007-06-08 2009-12-23 中兴通讯股份有限公司 Safety access method and system thereof based on DHCP
CN102202300B (en) * 2011-06-14 2016-01-20 上海众人网络安全技术有限公司 A kind of based on twin-channel dynamic cipher authentication system and method

Also Published As

Publication number Publication date
CN103124252A (en) 2013-05-29
CN103124252B (en) 2016-08-03

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 12849874; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 12849874; Country of ref document: EP; Kind code of ref document: A1)