WO2015039502A1

WO2015039502A1 - Communication authentication method and apparatus, and terminal device

Info

Publication number: WO2015039502A1
Application number: PCT/CN2014/083640
Authority: WO
Inventors: 李靖; 简海燕; 叶婉玲
Original assignee: 华为技术有限公司
Priority date: 2013-09-23
Filing date: 2014-08-04
Publication date: 2015-03-26
Also published as: CN104468487A; CN104468487B

Abstract

The present invention relates to a communication authentication method and apparatus, and a terminal device. The communication authentication method comprises: in the case where verification of an account number provided by a third-party authentication system on a terminal device is passed, receiving an access authentication request sent by the terminal device; sending a third-party authentication request to the third-party authentication system corresponding to a third-party application identifier; and receiving an account number corresponding to a first token sent by the third-party authentication system, acquiring a user identifier bound to the account number, and allocating a second token and an IP address of a gateway according to the user identifier, so that the terminal device uses a service provided by an operator after the second token is authenticated by the gateway. In the embodiments of the present invention, a user only needs to provide an account number once on a terminal device log in once, and after a third-party authentication system verifies the account number, the user can obtain an authorization of a service registered by a user identifier which is bound to the account number through an operator authentication system, so that the service is used, the process is simple, and the user experience is good.

Description

Communication authentication method and device, terminal device

The present application claims the priority of the Chinese application filed on Sep. 23, 2013, the disclosure of which is incorporated herein by reference. Technical field

The present invention relates to the field of communications technologies, and in particular, to a communication authentication method and apparatus, and a terminal device. Background technique

Real-time communication (English: Web Real-Time Communications, abbreviation: WebRTC) The service enables the IP Multimedia Subsystem (English: Internet Protocol Multimedia Subsystem, abbreviation: IMS) user to access the operator's IMS core network through a third-party application website ( English: IMS core) to enable interoperability between third-party application websites and terminals.

The authentication method of the real-time communication service of the webpage provided by the operator, the user needs to use the third-party application server (English: 3 ^M Party WEB server) account and password to log in to the third-party application website. If the user needs to use the WebRTC service, for example, the user uses Taobao. When shopping online, if you use the phone function on the webpage (via IMS) to contact the seller, you need to use the carrier username (English: webID) and password (English: Password) to log in to the carrier authentication system and authenticate the carrier's webID such as mobile phone. Whether the number is valid.

In summary, when a user uses a WebRTC service provided by an operator through a third-party application website, the user needs to log in to the third-party application website to use the WebRTC service provided by the operator, and also needs to log in to different operator authentication systems. Therefore, users need to use multiple sets of usernames and passwords to log in multiple times, which is complicated and affects the user experience. Summary of the invention In view of the above, the technical problem to be solved by the present invention is that when a user uses a service provided by an operator through a third-party application website, multiple logins are required, and the process is complicated.

In order to solve the above technical problem, in a first aspect, the present invention provides a communication authentication method, including:

And receiving, by the third-party authentication system, the access authentication request sent by the terminal device, where the access authentication request carries the third-party application identifier and the first token, where the a token is a token allocated by the third-party authentication system according to the account, and the account is an account allocated by the third-party authentication system for the terminal device;

Sending, by the third-party authentication system, the third-party authentication request to the third-party authentication system, where the third-party authentication request carries the first token;

Receiving the account corresponding to the first token sent by the third-party authentication system, acquiring a user identifier bound to the account, and assigning a second token and an IP address of the gateway according to the user identifier, so as to The terminal device uses the service provided by the operator after the gateway authenticates the second token, and the user identifier is an identifier that the operator authentication system allocates for the user.

With reference to the first aspect, in a first possible implementation, the first token sent by the third-party authentication system is received in a case where the user identifier bound to the account is not present Before the corresponding account, the obtaining the user identifier bound to the account, the method further includes: sending a user identifier input request to the terminal device;

After receiving the user identifier sent by the terminal device, the binding relationship between the account and the user identifier is recorded.

With reference to the first aspect or the first possible implementation manner of the first aspect, in a second possible implementation manner, the assigning the second token and the IP address of the gateway according to the user identifier, so that the terminal After the device authenticates the second token, the device uses the service provided by the operator, including:

Allocating the second token and the IP address according to the user identifier; Sending, by the terminal device, the second token and the IP address, so that the terminal device sends an authentication request of the second token to the gateway according to the IP address;

And sending, by the gateway, the user identifier to the gateway, so that the gateway initiates to the core network of the operator according to the user identifier, where the second token is authenticated and passed in the carrier authentication system. User registration, after the registration is completed, causes the user to use the service provided by the operator through the terminal device.

With reference to the first possible implementation manner of the first aspect, in a third possible implementation, the receiving the access authentication request sent by the terminal device includes:

Receiving, by the operator authentication portal, the access authentication request from the terminal device; the sending the user identifier input request to the terminal device, specifically:

Transmitting, by the operator authentication portal, the user identifier input request to the terminal device; after receiving the user identifier sent by the terminal device, recording a binding relationship between the account and the user identifier, specifically Includes:

Receiving, by the operator authentication portal, the user identifier from the terminal device; recording a binding relationship between the account and the user identifier.

In a second aspect, the present invention provides a communication authentication method, including:

Receiving a third-party authentication request sent by the operator authentication system, where the third-party authentication request carries a first token, where the first token is a token that is allocated by the third-party authentication system according to an account provided by the terminal device, and the account is An account that is allocated to the terminal device by the third-party authentication system; in the case that the first token is authenticated, the account corresponding to the first token is sent to the operator authentication system, to And causing the operator authentication system to obtain the user identifier bound to the account.

With reference to the second aspect, in a first possible implementation, before receiving the third-party authentication request sent by the operator authentication system, the method includes:

Verifying the account provided by the terminal device; In case the verification is passed, the first token is returned to the terminal device. In a third aspect, the present invention provides a communication authentication method, including:

After the third-party authentication system passes the authentication of the account provided by the terminal device, the terminal device sends an access authentication request to the operator authentication system, where the access authentication request carries the third-party application identifier and the first token. The first token is a token that is allocated by the third-party authentication system according to the account of the terminal device, so that the operator authentication system requests the third-party authentication system to the first according to the third-party application identifier. The token is authenticated to obtain the user identifier bound to the account;

Receiving the second token and the IP address of the gateway sent by the operator authentication system, where the IP address of the second token and the gateway is a token and an IP address allocated by the operator authentication system according to the user identifier;

After the gateway authenticates the second token, the service provided by the operator is used.

With reference to the third aspect, in a first possible implementation manner, the acquiring the user identifier bound to the account includes:

Receiving a user identity input request from the operator authentication system if the operator authentication system does not have the user identity bound to the account;

Sending the user identifier input by the user to the operator authentication system, so that the operator authentication system records a binding relationship between the account and the user identifier.

In a fourth aspect, the present invention provides a communication authentication apparatus, including:

a first receiving module, configured to receive an access authentication request sent by the terminal device when the third-party authentication system passes the account verification provided by the terminal device, where the access authentication request carries the third-party application identifier and the a token, the first token is a token allocated by the third-party authentication system according to the account, and the account is an account allocated by the third-party authentication system to the terminal device;

a first sending module, connected to the first receiving module, configured to apply the identifier to the third party Corresponding third-party authentication system sends a third-party authentication request, where the third-party authentication request carries the first token;

a second receiving module, configured to receive the account corresponding to the first token sent by the third-party authentication system;

a first processing module, configured to be connected to the second receiving module, configured to acquire a user identifier bound to the account, and allocate an IP address of the second token and the gateway according to the user identifier, so that the terminal device is in the After the gateway authenticates the second token, the service provided by the operator is used, and the user identifier is an identifier that is allocated by the communication authentication device to the user.

With reference to the fourth aspect, in a first possible implementation, in a case where the user identifier that is bound to the account is not present, the communication authentication apparatus further includes:

a second sending module, configured to be connected to the first processing module, configured to send a user identity input request to the terminal device;

The second processing module is configured to be connected to the second receiving module and the first processing module, and configured to record the binding relationship between the account and the user identifier after receiving the user identifier sent by the terminal device.

With reference to the fourth aspect, or the first possible implementation manner of the fourth aspect, in the second possible implementation manner, the first processing module specifically includes:

a distribution submodule, configured to allocate the second token and the IP address according to the user identifier; a first sending submodule, connected to the allocation submodule, configured to send the first to the terminal device a second token and the IP address, so that the terminal device sends an authentication request of the second token to the gateway according to the IP address;

a second sending submodule, configured to send the user identifier to the gateway, where the second token is authenticated in the communication authentication device, so that the gateway is located according to the user identifier The core network of the operator initiates user registration, and after the registration is completed, the user is allowed to use the service provided by the operator through the terminal device. With reference to the first possible implementation manner of the fourth aspect, in a third possible implementation, the first receiving module is further configured to receive the access authentication request from the terminal device by using an operator authentication portal;

The second sending module is further configured to send the user identity input request to the terminal device by using the operator authentication portal;

The second processing module specifically includes:

a first receiving submodule, configured to receive, by the operator authentication portal, the user identifier from the terminal device;

The recording submodule is connected to the first receiving submodule and configured to record a binding relationship between the account and the user identifier.

In a fifth aspect, the present invention provides a communication authentication apparatus, including:

a receiving module, configured to receive a third-party authentication request sent by the operator authentication system, where the third-party authentication request carries a first token, where the first token is allocated by the communication authentication device according to an account provided by the terminal device a token, where the account is an account allocated by the communication authentication device for the terminal device;

a first sending module, configured to be connected to the receiving module, configured to send the account corresponding to the first token to the operator authentication system, if the first token is authenticated, to The carrier authentication system obtains the user identifier bound to the account.

With reference to the fifth aspect, in a first possible implementation, the device further includes: a verification module, configured to verify an account provided by the terminal device;

And a second sending module, configured to be connected to the verification module, configured to return the first token to the terminal device if the verification module passes the verification.

In a sixth aspect, the present invention provides a terminal device, including:

a sending module, configured to send an access authentication request to the operator authentication system, where the third party authentication system passes the account verification provided by the terminal device, where the access authentication request is Carrying a third-party application identifier and a first token, where the first token is a token allocated by the third-party authentication system according to an account of the terminal device, so that the operator authentication system is based on the third-party application. Identifying that the third-party authentication system authenticates the first token to obtain a user identifier bound to the account;

a receiving module, configured to receive an IP address of the second token and the gateway sent by the operator authentication system, where the IP address of the second token and the gateway is an order allocated by the operator authentication system according to the user identifier Card and IP address;

The control module is connected to the receiving module, and is configured to use the service provided by the operator after the gateway authenticates the second token.

With reference to the sixth aspect, in a first possible implementation manner, the receiving module is further configured to: when the carrier authentication system does not have the user identifier bound to the account, The quotient authentication system receives the user identification input request;

The sending module is further configured to send the user identifier input by the user to the operator authentication system, so that the operator authentication system records the binding of the account and the user identifier to the communication authentication of the embodiment. The user only needs to provide an account once to log in once on the terminal device. After the account is verified by the third-party authentication system, the user can obtain the authorization of the service registered by the user identifier bound to the account. Thus using the service, the process is simple and the user experience is good. DRAWINGS

The accompanying drawings, which are incorporated in FIG

1 is a flowchart of a communication authentication method according to Embodiment 1 of the present invention;

2 is a flowchart of a communication authentication method according to Embodiment 2 of the present invention; 3 is a flowchart of a communication authentication method according to Embodiment 3 of the present invention;

4 is a flowchart of a communication authentication method according to Embodiment 4 of the present invention;

5 is a flowchart of a communication authentication method according to Embodiment 5 of the present invention;

6 is a structural block diagram of a communication authentication apparatus according to Embodiment 6 of the present invention;

7 is a structural block diagram of a communication authentication apparatus according to Embodiment 7 of the present invention;

8 is a structural block diagram of a communication authentication apparatus according to Embodiment 8 of the present invention;

9 is a structural block diagram of a terminal device according to Embodiment 9 of the present invention;

Figure 10 is a block diagram showing the structure of a communication authentication apparatus according to Embodiment 10 of the present invention. detailed description

Various exemplary embodiments, features, and aspects of the invention are described in detail below with reference to the drawings. The same reference numerals in the drawings denote the same or similar elements. The various aspects of the embodiments are shown in the drawings, and the drawings are not necessarily drawn to scale unless otherwise indicated.

The word "exemplary" is used exclusively herein to mean "serving as an example, embodiment, or illustrative." Any embodiment described herein as "exemplary" is not necessarily to be construed as preferred or advantageous.

Further, in order to better illustrate the invention, numerous specific details are set forth in the Detailed Description. Those skilled in the art will appreciate that the present invention may be practiced without these specific details. In other instances, well-known methods, means, components, and circuits have not been described in detail in order to facilitate the invention.

Example 1

1 is a flow chart of a communication authentication method according to a first embodiment of the present invention. As shown in FIG. 1, the communication authentication method may include:

Step S100: Receive an access authentication request sent by the terminal device, where the third-party application identifier and the first token are carried in the access authentication request, where the third-party authentication system passes the account verification provided by the terminal device. . The first token is the third party authentication system according to the account An assigned account, where the account is an account allocated by the third-party authentication system for the terminal device. Specifically, the user can use a terminal device (English: terminal equipment, abbreviation: TE), for example: mobile phone, personal computer (English: personal computer, abbreviation: PC), tablet, etc., to log in to a third-party application website (for example: Taobao.com) , Sina.com, Dangdang.com, Mushroom Street, etc.). The third-party application website may include its own authentication system, referred to as a third-party authentication system. After the user is authenticated by the third-party authentication system, the third-party application website can be logged in. The third-party application website can then be used to provide services provided by operators (for example, China Mobile, China Unicom, China Telecom, IMS service providers, etc.). The service may be a real-time communication WebRTC service such as a voice service, a video service, a file transmission service, and the like. For example: If you use your mobile phone to log in to Mushroom Street for shopping, you can click on the video displayed on the mushroom street interface to contact the seller's dialog box and the seller for video communication. However, since the third-party application website and the carrier authentication system are two operating systems, after the user logs in to the third-party application website, the operator authentication system needs to authenticate the user's identity.

In the process of verifying the account provided by the user through the terminal device (for example, the username of a certain Taobao network), the third-party authentication system can verify whether the account is a legal account assigned by the third-party authentication system for the user. Whether the password corresponding to the account is accurate. Therefore, when the user provides an account to the third-party authentication system through the terminal device, the user can provide the password corresponding to the account to the third-party authentication system. In the case that the third-party authentication system passes the verification, the third-party authentication system may assign the first token corresponding to the account to the user according to the account.

In a possible implementation, the receiving the access authentication request sent by the terminal device includes: receiving, by the operator authentication portal, the access authentication request from the terminal device.

Specifically, the operator authentication portal may receive the access authentication request sent by the terminal device, and then the operator authentication system receives the access authentication request sent by the operator authentication portal.

Step S120: Send a third-party authentication request to the third-party authentication system corresponding to the third-party application identifier, where the third-party authentication request carries the first token. An interface device can be set inside or outside the carrier authentication system. In one case, the interface device is configured to be external to the operator authentication system, and the interface device forwards information between the operator authentication system and the third-party authentication system, and the operator authentication system sends a third-party authentication request to the interface device. The third-party authentication request is forwarded by the interface device to the third-party authentication system. In another case, the interface device is set inside the operator authentication system, and the operator authentication system can directly send a third-party authentication request to the third-party authentication system.

Specifically, the operator authentication system can learn, according to the third-party application identifier carried in the access authentication request, which third-party application website is accessed by the third-party application website, and can use the interface device to apply to the third-party application website. The third-party authentication system sends a third-party authentication request that carries the first token, and may also directly send a third-party authentication request that carries the first token to the third-party authentication system of the third-party application website. For example, if the third-party application website is Taobao, the carrier authentication system can learn that the access authentication request is accessed by the Taobao network according to the third-party application identifier, and the third-party authentication request can be sent to the Taobao authentication system through the interface device. The third-party authentication request may be directly sent to the Taobao authentication system, where the third-party authentication request carries the first token corresponding to the user name of the Taobao network allocated by the Taobao authentication system.

Step S140: Receive the account corresponding to the first token sent by the third-party authentication system, obtain a user identifier bound to the account, and allocate a second token and an IP address of the gateway according to the user identifier. So that the terminal device uses the service provided by the operator after the gateway authenticates the second token. The user identifier is an identifier assigned by the operator authentication system to the user.

Specifically, if the third-party authentication system authenticates the first token, the operator authentication system can receive the account sent by the third-party authentication system through the interface device, and the operator authentication system can directly receive the account sent by the third-party authentication system. The account number in the step S140 may include only the account number allocated by the third-party authentication system for the terminal device. The operator authentication system may also receive the first token corresponding to the account through the interface device or directly. Then, the operator authentication system can obtain a user identifier bound to the account according to the account, and the user identifier can include an IP multimedia subsystem. There is a user ID i (English: Internet Protocol Multimedia Subsystem Public User Identity, IMPU), IP Multimedia Subsystem Private User Identity (IMI), and users sign up with operators. Any one or more of the user names. For example, mobile phone number, email address, ID number, etc. Finally, the operator authentication system may allocate the IP address of the second token and the gateway according to the obtained user identifier, and send the IP address of the second token and the gateway to the terminal device, so that the terminal device may be in the After the gateway authenticates the second token, the user can directly use the service provided by the operator. For example: If the third-party application website is Taobao, if the first token of the Taobao authentication system is passed, the operator authentication system can directly receive the user name of the Taobao network sent by the Taobao authentication system through the interface device, and then the operator authentication. The system can obtain a user identifier such as a mobile phone number bound to the user name of Taobao. After the subsequent gateway is replaced by the user registration, the user can directly use the terminal device to use the service registered by the operator and the mobile phone number bound to the Taobao user name.

It should be noted that although the communication authentication method is introduced by using the operator authentication system and the third-party authentication system as an example, those skilled in the art can understand that the present invention is not limited thereto, and other communication devices with different names but similar functions can The completion of the functions of the present invention is within the scope of the present invention.

In the communication authentication method of the embodiment of the present invention, the user only needs to provide an account once to log in once on the terminal device. After the account is verified by the third-party authentication system, the user identity of the account can be obtained through the operator authentication system. The authorization of the registered business, thereby using the service, the process is simple and the user experience is good.

Example 2

2 is a flow chart of a communication authentication method according to Embodiment 2 of the present invention. The same steps in Fig. 2 as those in Fig. 1 have the same functions, and a detailed description of these steps will be omitted for the sake of brevity.

As shown in FIG. 2, the communication authentication method shown in FIG. 2 and the main area of the communication authentication method shown in FIG. In addition, in addition to the step S100 and the step S120 in the first embodiment, the method may further include: Step S200: Send a user identifier input request to the terminal device.

Specifically, if the account corresponding to the first token sent by the third-party authentication system is received, the operator authentication system may search whether the account is bound with the user identifier. If the user identifier is not associated with the account, the S200 can be performed. The operator authentication system can request the terminal device to send the user identifier. On the other hand, if there is a user identifier bound to the account, the foregoing step S140 can be performed, and the operator authentication system can obtain the user identifier bound to the account. For example: If the user logs in to Taobao through the mobile phone and uses the mobile phone function of China Mobile on Taobao, if the China Mobile authentication system receives the user name of the Taobao network sent by the Taobao authentication system, the China Mobile authentication system can be based on the Taobao network. The user name is used to find out whether the user name of the Taobao network is bound to the mobile phone number of the user. If the mobile phone number of the user is not bound, the China Mobile authentication system can request the user to send the mobile phone number through the mobile phone.

In a possible implementation, the sending the user identifier input request to the terminal device includes: sending, by the operator authentication portal, the user identifier input request to the terminal device.

Specifically, if there is no user identifier bound to the account, the operator authentication system may send a user identity input request to the operator authentication portal, and then the carrier authentication portal sends a user identity input request to the terminal device.

Step S220: After receiving the user identifier sent by the terminal device, record a binding relationship between the account and the user identifier.

In a possible implementation manner, the foregoing step S220 may specifically include:

Receiving, by the operator authentication portal, the user identifier from the terminal device;

Recording a binding relationship between the account and the user identifier.

Specifically, the operator authentication system may receive the user identifier from the terminal device through the operator authentication portal, and the operator authentication system may record the binding relationship between the account and the user identifier. among them, The user can input only the IMPU or IMPI through the terminal device, and can input both the IMPU and the IMPIo. Because the IMPU has a certain mapping relationship with the IMPI, the operator authentication system can find the corresponding IMPI according to the IMPU input by the user through the terminal device. The user can also input only the user ID that the user has signed with the operator through the terminal device. The operator authentication system cannot authenticate the user ID and can authenticate to the home subscriber server (English: Home Subscriber Server, HSS) in the IMS core network of the operator. If the HSS authenticates the user ID, the operator authentication system may record the binding relationship between the account and the user identifier. The account may include only the account assigned by the third-party authentication system for the terminal device in step S220. For example: If the user logs in to Taobao through the mobile phone and uses the mobile phone function of China Mobile on Taobao, the China Mobile authentication system can receive the mobile phone number of the user from the mobile phone through the China Mobile Authentication Portal, the China Mobile authentication system can record Taobao. The binding relationship between the username and the user's mobile number. After the subsequent user registration is completed, the service registered by the mobile phone number provided by China Mobile and bound to the Taobao user name can be directly used.

Step S240: Allocate the second token and an IP address of the gateway according to the user identifier. Step S260: Send the second token and the IP address to the terminal device, so that the terminal device sends an authentication request of the second token to the gateway according to the IP address.

For example, if the user logs in to Taobao (a third-party application website) through a mobile phone and uses the mobile phone function of China Mobile (operator) on Taobao, if the China Mobile authentication system obtains the mobile phone number bound to the user name of Taobao. , the China Mobile authentication system can assign the second token and the IP address of the gateway (English: gateway) to the mobile phone according to the mobile phone number. In addition, the China Mobile authentication system can send the second token and the IP address to the mobile phone, and the mobile phone can find a gateway corresponding to the IP address according to the IP address, and establish a communication channel with the gateway, and the gateway can be sent to China. The mobile authentication system sends a second token authentication request.

Step S280: If the second token is authenticated and passed in the operator authentication system, send the user identifier to the gateway, so that the gateway is shipped according to the user identifier. The core network of the business initiates user registration, and after the registration is completed, the user is allowed to use the service provided by the operator through the terminal device.

Specifically, in the foregoing steps S240 to S280, the operator authentication system may allocate the IP address of the second token and the gateway, and send the allocated second token and the IP address of the gateway to the terminal device, where The terminal device may send an authentication request of the second token to the gateway according to the IP address. After receiving the authentication request of the second token, the gateway may send the second token authentication request to the operator authentication system. The operator authentication system can authenticate whether the second token passes. If the operator authentication system authenticates that the second token passes, the user identifier can be sent to the gateway. The gateway can register according to the user identifier instead of the user to the core network, for example, the IMS core network, and the gateway can indicate that the user of the core network has been authenticated, and the authentication challenge is no longer needed. After the gateway replaces the user registration, the user can directly use the service provided by the operator through the terminal device.

Example 3

FIG. 3 is a flowchart of a communication authentication method according to Embodiment 3 of the present invention. As shown in FIG. 3, the communication authentication method may include:

Step S300: Receive a third-party authentication request sent by the operator authentication system, where the third-party authentication request carries a first token, where the first token is a token that is allocated by the third-party authentication system according to the account provided by the terminal device. The account is allocated by the third-party authentication system for the terminal device. account number.

In a possible implementation manner, before receiving the third-party authentication request sent by the operator authentication system, the method includes: verifying an account provided by the terminal device; and returning to the terminal device if the verification is passed First token.

Specifically, the user may log in to the third-party application website by using the terminal device. The third-party application website may include its own authentication system, which is referred to as a third-party authentication system, and may also include its own application server, which is referred to as a third-party application server.

In the process of authenticating the account provided by the user through the terminal device (for example, the username of a certain Taobao network), the third-party authentication system can verify whether the account is a legal account assigned by the third-party authentication system for the user. Whether the password corresponding to the account is accurate. Therefore, when the user provides an account to the third-party authentication system through the terminal device, the user can provide the password corresponding to the account to the third-party authentication system. When the third-party authentication system verifies that the account has passed, the third-party authentication system may assign the first token corresponding to the account to the user according to the account.

An interface device can be set inside or outside the third-party authentication system. In one case, the interface device is set up outside the third-party authentication system, and the interface device forwards information between the operator authentication system and the third-party authentication system, and the interface device receives the third-party authentication request sent by the operator authentication system. The third-party authentication system receives the third-party authentication request forwarded by the interface device. In another case, the interface device is set in the third-party authentication system, and the third-party authentication system can directly receive the third-party authentication request sent by the carrier authentication system.

For example: If the user logs in to Taobao (a third-party application website) through the mobile phone and uses the mobile phone function of China Mobile (operator) on Taobao, the Taobao server (third-party application server) pops up a dialog box, and the user inputs Taobao. After the user name (account number) and password, click Login to direct to the Taobao network authentication system (third-party authentication system), the Taobao network authentication system can verify the Taobao user name. If the Taobao authentication system verifies that the user name of the Taobao network passes, the Taobao authentication system can assign a first token corresponding to the username to the user, and instruct the mobile phone to jump. Go to the Taobao server.

In step S320, if the first token is authenticated, the account corresponding to the first token is sent to the operator authentication system, so that the operator authentication system obtains the account number. The specified user ID.

Specifically, if the third-party authentication system authenticates the first token, the third-party authentication system may send an account corresponding to the first token to the operator authentication system through the interface device, and the third-party authentication system may directly authenticate the carrier. The system sends an account corresponding to the first token. The operator authentication system can obtain the user identifier bound to the account according to the account. After the subsequent user registration is completed, the service registered by the operator and the user identifier bound to the account can be directly used.

In the communication authentication method of the embodiment of the present invention, the user only needs to provide an account once to log in once, and the third-party authentication system verifies the account. After the account is verified, the account can be obtained through the operator authentication system. The user identifies the authorization of the registered service, thereby using the service, and the process is simple and the user experience is good.

Example 4

4 is a flow chart of a communication authentication method according to Embodiment 4 of the present invention. As shown in FIG. 4, the communication authentication method may include:

Step S400: In the case that the account authentication provided by the third-party authentication system for the terminal device passes, the terminal device sends an access authentication request to the operator authentication system, where the access authentication request carries the third-party application identifier and the first order. a card, the first token is a token allocated by the third-party authentication system according to an account of the terminal device, so that the operator authentication system requests the third-party authentication system according to the third-party application identifier. The first token is authenticated to obtain the account The user ID of the number binding.

Specifically, the user may log in to the third-party application website by using the terminal device. The third-party application website may include its own authentication system, which is referred to as a third-party authentication system, and may also include its own application server, which is referred to as a third-party application server. If the third-party authentication system verifies that the account provided by the terminal device passes, the terminal device can receive the first token corresponding to the account assigned by the third-party authentication system. The terminal device may send an access authentication request carrying the third-party application identifier and the first token to the operator authentication system. For example, if the user logs in to Taobao (a third-party application website) through the mobile phone and uses the mobile phone function of China Mobile (operator) on Taobao, the Taobao server (third-party application server) pops up a dialog box, and the user inputs Taobao. After the user name and password, click Login will be directed to the Taobao network authentication system (third-party authentication system), the Taobao network authentication system can authenticate whether the Taobao user name is passed. If the username of the Taobao network is authenticated, the Taobao authentication system can assign a first token to the user and instruct the mobile phone to jump to the Taobao server. If the user needs to use the service provided by China Mobile, the user can send an access authentication request carrying the Taobao application identifier (third-party application identifier) and the first token to the China Mobile authentication system.

In a possible implementation, the acquiring the user identifier bound to the account includes: if the operator authentication system does not have the user identifier bound to the account, The operator authentication system receives the user identification input request;

For example, if the user logs in to Taobao (a third-party application website) through a mobile phone and uses the mobile phone function of China Mobile (operator) on Taobao, if the China Mobile authentication system finds that there is no binding to the user name of Taobao. The mobile phone number, the mobile phone can receive the mobile phone number input request sent by the China Mobile authentication system. After receiving the mobile phone number input request, the user can send the mobile phone number to the China Mobile authentication system through the mobile phone. China Mobile's authentication system can record the binding relationship between the mobile phone number and the user name of Taobao. After the subsequent user registration is completed, you can directly use China. The service registered by the mobile phone number that is provided by the mobile phone and bound to the user name of the Taobao. Step S420: Receive an IP address of a second token and a gateway sent by the operator authentication system, where the IP address of the second token and the gateway is a token and an IP that are allocated by the carrier authentication system according to the user identifier. address.

Step S440: After the gateway authenticates the second token, use the service provided by the operator, specifically, the terminal device may receive the second token and the IP address of the gateway sent by the operator authentication system, according to the gateway. The IP address finds the corresponding gateway, and sends an authentication request for the second token to the gateway. And the gateway sends the authentication request of the second token to the carrier authentication system. After receiving the authentication request of the second token, the operator authentication system may authenticate whether the second token passes, and if the carrier authenticates After the system authenticates that the second token passes, the user identifier may be sent to the gateway, and the gateway may perform user registration according to the user identifier instead of the user. After the gateway is replaced by the user registration, the user can directly use the terminal device to directly register the service registered by the operator with the user ID bound to the account.

It should be noted that although the communication authentication method is described by taking the operator authentication system, the third-party authentication system, and the terminal device as an example, those skilled in the art can understand that the present invention is not limited thereto, and other names have different functions but similar functions. The ability of the communication device to perform the functions of the present invention is within the scope of the present invention.

Example 5

FIG. 5 is a flowchart of a communication authentication method according to Embodiment 5 of the present invention. As shown in FIG. 5, the communication authentication method may include: Step 501: The terminal device sends an HTTP GET (IP address of the third-party application server) command to the third-party application server, where the command indicates that the terminal device obtains the IP address of the third-party application server.

Step 502: The third-party application server sends an HTTP 200 OK (login page of the third-party application server) command to the terminal device, where the command indicates that the terminal device successfully loads the login page of the third-party application server.

Step 503: The terminal device sends a POST (Account, Password) command to the third-party authentication system. The command indicates that the user can log in to the third-party application server by using the account and the password corresponding to the account, and clicking to log in to the third-party application server. Then redirect to a third-party authentication system to verify the account.

Step 504: The third-party authentication system sends a 302 (Authentication Pass, Assign First Token) command to the terminal device, where the command indicates that the third-party authentication system verifies the account provided by the user through the terminal device, in the process of verifying, Verify that the account is a legal account assigned to the user by the third-party authentication system. You can also verify that the password corresponding to the account is accurate. Therefore, the user can provide the account corresponding to the account to the third-party authentication system while providing the account to the third-party authentication system through the terminal device. If the third-party authentication system verifies that the account is approved, the third-party authentication system can assign a first token (token1) corresponding to the account to the user, and instruct the terminal device to re-joke to the third-party application server.

Step 505: The terminal device sends a POST (authentication pass) to the third-party application server, where the command indicates that the terminal device notifies the third-party application server that the third-party authentication system verifies that the account is approved.

Step 506: The third-party application server sends an HTTP 200 OK command to the terminal device, where the command indicates that the third-party application server notifies the terminal device that the third-party authentication system has verified that the account is approved.

Specifically, the user may log in to the third-party application website by using the terminal device. The third-party application website may include its own authentication system, which is referred to as a third-party authentication system, and may also include its own application server, which is referred to as a third-party application server. In the above steps 501 to 506, if the third party authentication system After the verification account is passed, the third-party authentication system can assign a first token corresponding to the account to the user, and send the first token to the terminal device.

Step 507: The terminal device sends an HTTP GET (Service Request) command to the third-party application server, where the command indicates that the user can send a service request to the third-party application server by using the terminal device, where the service request carries the login service mode and the operator. The identifier of the carrier is the identifier of the carrier to which the service to be used by the user belongs.

Step 508: The third-party application server sends an HTTP 200 OK (IP address of the operator authentication portal) command to the terminal device, where the third-party application server obtains the user to log in to the service through the terminal device according to the received service request. The mode is one-time login, and the IP address of the carrier authentication portal can be sent to the terminal device.

Specifically, the third-party application server can receive the service request sent by the user through the terminal device, and obtain the manner in which the user logs in to the service through the terminal device, and if the user needs to use the account once to log in through the terminal device, the device can directly obtain the service request. For the authorization of the service, the third-party application server may send the IP address of the carrier authentication portal to the terminal device.

Step 509: The terminal device sends an access authentication request to the operator authentication portal, where the access authentication request carries a third-party application identifier and a first token, where the first token is a third-party authentication system according to the account allocation brand.

Step 510: The operator authentication portal sends the foregoing access authentication request to the operator authentication system. Specifically, the operator authentication portal may receive the access authentication request sent by the terminal device, and then the operator authentication system receives the access authentication request sent by the operator authentication portal.

Step 511: The operator authentication system sends a third-party authentication request to the third-party authentication system corresponding to the third-party application identifier, where the third-party authentication request carries the first token.

An interface device can be set inside or outside the carrier authentication system. In one case, the interface device is set outside the operator authentication system, and the interface device forwards information between the operator authentication system and the third-party authentication system, and the operator authentication system sends the third-party authentication request. The third-party authentication request is forwarded to the third-party authentication system by the interface device. In another case, the interface device is set inside the operator authentication system, and the operator authentication system can directly send a third-party authentication request to the third-party authentication system.

Step 512: The third-party authentication system authenticates the first token. If the third-party authentication system authenticates the first token, the account corresponding to the first token may be sent to the operator authentication system.

An interface device can be set inside or outside the third-party authentication system. In one case, the interface device is disposed outside the third-party authentication system, and the interface device can receive the account corresponding to the first token sent by the third-party authentication system, and forward the first token to the operator authentication system. In the other case, the interface device is set in the third-party authentication system, and the third-party authentication system can directly send the account corresponding to the first token to the operator authentication system.

Step 513: The operator authentication system searches whether the account is bound to the user identifier. The user identifier may include any one or more of the user names that the IMPU and the IMPK user subscribe to. If the account is not bound to the user identifier, the operator authentication system may send a user identity input request to the operator authentication portal, and perform steps 514 to 516 to request the user to input the user identifier; if the account is bound with the user identifier, execute Step 517: The operator authentication system allocates a second token to the user.

Step 514: The operator authentication portal sends a user identity input request to the terminal device, and requests the user to input the user identifier and password.

Step 515: The terminal device sends a POST (User Identity, Password) command to the operator authentication portal. The command indicates that the user can input the user identifier and password through the terminal device, and then the terminal device sends the user identifier to the operator authentication portal. The user can input any one or more of the IMPU, the IMPI, and the user name signed by the user and the operator through the terminal device. Since the IMPU has a certain mapping relationship with the IMPI, the operator authentication system can find the corresponding IMPI according to the IMPU input by the user through the terminal device.

Step 516: The operator authentication portal sends an HTTP GET authentication (user identification, password) command to the operator authentication system, where the command indicates that the operator authentication system can receive the operator authentication portal. User ID and password sent.

Specifically, in step 513 to step 516, if the account is not bound with the user identifier, the terminal device is requested to input the user identifier, and the input user identifier can be authenticated by the operator authentication system, but the operator authentication system cannot be authenticated. The user ID can be authenticated to the HSS. If the HSS authentication user ID is passed, the carrier authentication system can record the binding relationship between the account and the user ID.

Step 517: The operator authentication system sends an HTTP 200 OK (second token, IP address of the gateway) command to the operator authentication portal, where the command indicates that the operator authentication system can allocate the second terminal to the terminal device according to the user identifier. The token (token2) and the IP address of the gateway, and send a second token to the carrier authentication portal.

Step 518: The operator authentication portal sends an HTTP 200 OK (second token, IP address of the gateway) command to the terminal device, where the command indicates that the operator authentication portal can send the second token and the IP address of the gateway to the terminal device. So that the terminal device can send an authentication request of the second token to the gateway according to the IP address.

Step 519a: The terminal device sends an HTTP GET (Web Socket Request) command to the gateway. Step 519b: The gateway sends an HTTP GET (Web Socket Response) command to the terminal device. The commands of step 519a and step 519b indicate that the terminal device can access the gateway corresponding to the IP address according to the IP address of the gateway sent by the operator authentication portal, and establish a web socket (English: websocket) channel with the gateway.

Step 520: The terminal device sends an authentication request of the second token to the gateway, where the second token authentication request carries the second token.

Step 521: The gateway sends an HTTP GET authentication (second token) command to the operator authentication system, where the command indicates that the gateway can send the second token authentication request to the operator authentication system.

Step 522: The operator authentication system sends an HTTP 200 OK (second token valid, user identifier, authenticated pass) command to the gateway, where the command indicates that the operator authentication system can authenticate whether the second token sent by the gateway passes. The carrier authentication system authenticates the second token and can go to the gateway. Sending a user identifier corresponding to the second token.

Step 523: The gateway sends a SIP Register (User Identity, Passed, Without Challenge Process) command to the core network, for example, the IMS core network, where the command indicates that the gateway can register the user to the core network, and indicates that the user of the core network has Authentication does not require an authentication challenge process.

Step 524: The core network sends a SIP 200 OK command to the gateway, where the command indicates that the core network can notify the gateway that the registration is successful.

Step 525: The gateway notifies the user that the authentication is passed, and the user has already registered, and the user can directly use the user-registered service provided by the operator, such as a voice service, a video service, and a data transmission service, through the terminal device.

Specifically, compared with the process in which the user needs to use multiple sets of user names and passwords to perform multiple logins by using the terminal device, the embodiment may be used for one login, specifically: after the user logs in to the third-party application server by using the account on the terminal device, You can obtain the authorization of the user's registered service without entering the operator's username and password. BP: The user only needs to use the account to log in once through the terminal device, and the user can register the service.

It should be noted that although the communication authentication method is described by using a terminal device, a carrier authentication system, a carrier authentication portal, a third-party application server, a third-party authentication system, a gateway, and a core network as an example, those skilled in the art can understand that The present invention is not limited thereto, and other communication devices having different names but similar functions can perform the functions of the present invention, and are all within the scope of the present invention.

Example 6

Figure 6 is a block diagram showing the structure of a communication authentication apparatus according to a sixth embodiment of the present invention. The communication authentication apparatus 600 provided in this embodiment is used to implement the communication authentication method provided in the first embodiment shown in FIG. As shown As shown in FIG. 6, the communication authentication apparatus 600 can include:

The first receiving module 620 is configured to receive an access authentication request sent by the terminal device when the third-party authentication system passes the account verification provided by the terminal device, where the access authentication request carries the third-party application identifier and The first token is a token that is allocated by the third-party authentication system according to the account, and the account is an account that the third-party authentication system allocates for the terminal device.

Specifically, the user can use a terminal device, such as a mobile phone, a personal computer, a tablet computer, etc., to log in to a third-party application website (for example: Taobao, Sina, Dangdang, Mushroom Street, etc.). The third-party application website may include its own authentication system, referred to as a third-party authentication system. After the user is authenticated by the third-party authentication system, the third-party application website can be logged in. The third-party application website can then be used to provide services provided by operators (for example, China Mobile, China Unicom, China Telecom, IMS service providers, etc.). The service may be a real-time communication of a webpage, such as a voice service, a video service, a file transmission service, and the like. For a specific example, refer to the related description of step S100 in the first embodiment.

In a possible implementation, the first receiving module 620 is further configured to receive the access authentication request from the terminal device by using an operator authentication terminal.

Specifically, the operator authentication portal may receive the access authentication request sent by the terminal device, and then the first receiving module 620 receives the access authentication request sent by the operator authentication portal.

a first sending module 640, connected to the first receiving module 620, configured to send to the third party Sending a third-party authentication request by using the third-party authentication system corresponding to the identifier, where the third-party authentication request carries the first token.

An interface device can be provided inside or outside the communication authentication device 600. In one case, the interface device is disposed outside the communication authentication device 600, and the interface device forwards information between the communication authentication device 600 and the third-party authentication system, and the first sending module 640 of the communication authentication device 600 sends a third-party authentication request. Sended to the interface device, and the interface device forwards the third-party authentication request to the third-party authentication system. In another case, the interface device is disposed inside the communication authentication device 600, and the first sending module 640 of the communication authentication device 600 can directly send a third-party authentication request to the third-party authentication system.

Specifically, the communication authentication apparatus 600 can learn, according to the third-party application identifier carried in the access authentication request received by the first receiving module 620, which third-party application website is accessed by the access authentication request, and can pass the interface. The device sends a third-party authentication request that carries the first token to the third-party authentication system of the third-party application website, and may also send the first-party sending module 640 to the third-party authentication system of the third-party application website. A third-party authentication request for a token. For a specific example, refer to the related description of step S120 in the first embodiment.

The second receiving module 660 is configured to receive the account corresponding to the first token sent by the third-party authentication system.

The first processing module 680 is connected to the second receiving module 660, configured to acquire a user identifier bound to the account, and allocate a second token and an IP address of the gateway according to the user identifier, so that the terminal device After the gateway authenticates the second token, the service provided by the operator is used. The user identifier is an identifier assigned by the communication authentication device 600 to the user.

Specifically, if the third-party authentication system authenticates that the first token passes, the communication authentication device 600 can receive the account that is sent by the third-party authentication system by using the interface device, and the communication authentication device 600 can also receive the third-party authentication by using the second receiving module 660. The account number sent by the system. The communication authentication device 600 can also receive the first token corresponding to the account by using the interface device or the second receiving module 660. Then, the first processing module 680 can obtain the user identifier bound to the account according to the account, and the user identifier can include any one or more of an IMPU, an IMPI, and a user name signed by the user and the operator. For example, mobile phone number, email address, ID number, etc. Finally, the first processing module 680 can allocate the IP address of the second token and the gateway according to the obtained user identifier, and send the IP address of the second token and the gateway to the terminal device, so that the terminal device can After the gateway authenticates the second token, the user can directly use the service provided by the operator. For example, if the third-party application website is Taobao, if the Taobao authentication system authenticates the first token, the interface device or the second receiving module 660 can receive the user name of the Taobao network sent by the Taobao authentication system, and then the first The processing module 680 can obtain a user identifier, such as a mobile phone number, bound to the username of the Taobao network. After the subsequent gateway is replaced by the user registration, the user can directly use the terminal device to use the service registered by the operator and the mobile phone number bound to the Taobao user name.

In the communication authentication apparatus of the embodiment of the present invention, the user only needs to provide an account once to perform a login on the terminal device. After the account is verified by the third-party authentication system, the account authentication can be obtained by using the communication authentication device of this embodiment. The user identifies the authorization of the registered service, thereby using the service, the process is simple, and the user experience is good.

Example 7

Figure 7 is a block diagram showing the structure of a communication authentication apparatus according to a seventh embodiment of the present invention. The communication authentication apparatus 700 provided in this embodiment is used to implement the communication authentication method provided in the second embodiment shown in FIG. 2. The same components in Fig. 7 as those in Fig. 6 have the same functions, and a detailed description of these components will be omitted for the sake of brevity.

As shown in FIG. 7, the main difference between the communication authentication apparatus 700 shown in FIG. 7 and the communication authentication apparatus 600 shown in FIG. 6 is that the first receiving module 620, the first transmitting module 640, and the first embodiment are included in the sixth embodiment. In addition to the receiving module 660 and the first processing module 680, the communication authentication apparatus 700 may further include:

a second sending module 720, connected to the first processing module 680, for the terminal device Send a user ID input request.

Specifically, if the second receiving module 660 receives the account corresponding to the first token sent by the third-party authentication system, the first processing module 680 can search whether the account is bound with the user identifier. If there is no user identifier bound to the account, the second sending module 720 may request the terminal device to send the user identifier. On the other hand, if there is a user identifier bound to the account, the first processing module 680 can obtain the user identifier bound to the account. For example: If the user logs in to Taobao through the mobile phone and uses the mobile phone function of China Mobile on Taobao, if China Mobile's second receiving module 660 receives the Taobao network user name sent by the Taobao authentication system, China Mobile's first The processing module 680 can find, according to the user name of the Taobao network, whether the user name of the Taobao network is bound to the mobile phone number of the user. If the mobile phone number of the user is not bound, the second sending module 720 of China Mobile can request the user to send the mobile phone through the mobile phone. cellphone number.

In a possible implementation, the second sending module 720 is further configured to send the user identity input request to the terminal device by using the operator authentication portal.

Specifically, if the first processing module 680 finds that there is no user identifier bound to the account, the second sending module 720 may send a user identifier input request to the operator authentication portal, and then the portal authenticates the portal to the terminal. The device sends a user ID input request.

The second processing module 740 is connected to the second receiving module 660 and the first processing module 680, and configured to: after receiving the user identifier sent by the terminal device, record the binding of the account and the user identifier. Relationship.

In a possible implementation manner, the second processing module 740 specifically includes:

The first receiving submodule 741 is configured to receive, by using the operator authentication portal, the user identifier from the terminal device;

The recording sub-module 742 is connected to the first receiving sub-module 741, and is configured to record a binding relationship between the account and the user identifier.

Specifically, the first receiving submodule 741 can receive from the terminal device through the operator authentication portal. The user identifier, the recording submodule 742 can record the binding relationship between the account and the user identifier. The user can input only the IMPU or IMPI through the terminal device, and can input both the IMPU and the IMPI. Because the IMPU has a certain mapping relationship with the IMPI, the communication authentication apparatus 700 can find the corresponding IMPI according to the IMPU input by the user through the terminal device. The user can also input only the user ID that the user has signed with the operator through the terminal device. The communication authentication apparatus 700 cannot authenticate the user identity and can authenticate to the home subscriber server in the operator's IMS core network. If the HSS authenticates the user ID, the recording submodule 742 can record the binding relationship between the account and the user identifier. For a specific example, refer to the related description in step S220 in the second embodiment.

In a possible implementation manner, the first processing module 680 specifically includes:

The distribution submodule 681 is configured to allocate the second token and the IP address according to the user identifier.

The first sending submodule 682 is connected to the allocating submodule 681, and configured to send the second token and the IP address to the terminal device, so that the terminal device sends the The gateway sends an authentication request for the second token.

For example, if the user logs in to Taobao (a third-party application website) through a mobile phone and uses the mobile phone function of China Mobile (operator) on Taobao, if the first processing module 680 of China Mobile obtains the user name tied to Taobao. For the fixed mobile phone number, the distribution sub-module 681 can assign the second token and the IP address of the gateway to the mobile phone according to the mobile phone number. In addition, the first sending submodule 682 can send the second token and the IP address to the mobile phone, and the mobile phone can find a gateway corresponding to the IP address according to the IP address, and establish a communication channel with the gateway. The gateway can send a second token authentication request to the China Mobile Communications Authentication Device 700.

a second sending submodule 683, configured to send the user identifier to the gateway, so that the gateway is based on the user identifier, if the second token is authenticated in the communication authentication apparatus 700 User registration is initiated to the operator's core network, and after the registration is completed, the user is allowed to use the service provided by the operator through the terminal device. Specifically, the distribution submodule 681 can allocate the second token and the IP address of the gateway to the terminal device, and the first sending submodule 682 sends the allocated second token and the IP address of the gateway to the terminal device, where the terminal device The authentication request of the second token may be sent to the gateway according to the IP address. After receiving the authentication request of the second token, the gateway may send the authentication request of the second token to the communication authentication apparatus 700. The communication authentication apparatus 700 can authenticate whether the second token passes. If the communication authentication apparatus 700 authenticates that the second token passes, the second sending submodule 683 can transmit the user identifier to the gateway. The gateway can register the user to the core network, such as the IMS core network, according to the user identifier, and the gateway can indicate that the user of the core network has been authenticated, and the authentication challenge is no longer needed. After the gateway is used to replace the user registration, the user can directly use the communication authentication device of the embodiment of the present invention provided by the operator through the terminal device, and the user only needs to provide an account once to log in once on the terminal device, and the third-party authentication system After the account authentication is passed, the communication authentication device of the embodiment can obtain the authorization of the service registered by the user identifier bound to the account, so that the service is simple, and the user experience is good.

Example 8

Figure 8 is a block diagram showing the structure of a communication authentication apparatus according to an eighth embodiment of the present invention. The communication authentication apparatus 800 provided in this embodiment is used to implement the communication authentication method provided in the third embodiment shown in FIG. As shown in FIG. 8, the communication authentication apparatus 800 can include:

The verification module 810 is configured to verify an account provided by the terminal device.

The second sending module 820 is connected to the verification module 810, and is configured to return the first token to the terminal device if the verification module 810 passes the verification.

Specifically, the user may log in to the third-party application website by using the terminal device. The third-party application website may include its own authentication system, which is referred to as a third-party authentication system, and may also include its own application server, which is referred to as a third-party application server. The verification module 810 of the communication authentication device 800 can verify the account provided by the terminal device. If the verification module 810 verifies that the account is approved, the second sending module 820 can Returning the first token to the terminal device.

For example: If the user logs in to Taobao (a third-party application website) through the mobile phone and uses the mobile phone function of China Mobile (operator) on Taobao, the Taobao server (third-party application server) pops up a dialog box, and the user inputs Taobao. After the user name (account) and the password, the login is directed to the Taobao communication authentication device 800, and the verification module 810 of the communication authentication device 800 can verify the user name of the Taobao. If the verification module 810 verifies that the username of the Taobao network passes, the second sending module 820 of the Taobao network may return the first token to the mobile phone.

The receiving module 830 is configured to receive a third-party authentication request sent by the operator authentication system, where the third-party authentication request carries a first token, where the first token is an account provided by the communication authentication device 800 according to the terminal device. The assigned token is an account that the communication authentication device 800 allocates for the terminal device.

The first sending module 840 is connected to the receiving module 830, and configured to send the account corresponding to the first token to the operator authentication system, if the first token is authenticated, to And causing the operator authentication system to obtain the user identifier bound to the account.

Among them, an interface device can be provided inside or outside the communication authentication device 800. In one case, the interface device is disposed outside the communication authentication device 800, and the interface device forwards information between the operator authentication system and the communication authentication device 800, and the interface device receives the third-party authentication request sent by the operator authentication system. The receiving module 830 receives the third-party authentication request forwarded by the interface device. In another case, the interface device is disposed inside the communication authentication device 800, and the receiving module 830 can directly receive the third-party authentication request sent by the operator authentication system.

Specifically, if the communication authentication device 800 authenticates that the first token passes, the communication authentication device 800 can directly send the account corresponding to the first token to the operator authentication system by using the first sending module 840, and the communication authentication device 800 can also pass The first sending module 840 sends the account corresponding to the first token to the interface device, and the interface device sends the account to the operator authentication system. The operator authentication system can obtain the user identifier bound to the account according to the account, and the subsequent user is registered. After the configuration, the communication authentication device of the embodiment of the present invention, which is registered by the operator and is associated with the account identifier, can be directly used. The user only needs to provide an account once to log in once on the terminal device, and the verification module verifies the account. After the account is verified, the service authentication system can obtain the authorization of the service registered by the user ID bound to the account, so that the service is simple, and the user experience is good.

Example 9

FIG. 9 is a structural block diagram of a terminal device according to Embodiment 9 of the present invention. The terminal device 900 provided in this embodiment is used to implement the communication authentication method provided in Embodiment 4 shown in FIG. As shown in FIG. 9, the terminal device 900 may include:

The sending module 920 is configured to send an access authentication request to the operator authentication system, where the third-party application identifier and the first order are carried in the access authentication request, where the third-party authentication system passes the account verification provided by the terminal device. a card, the first token is a token allocated by the third-party authentication system according to an account of the terminal device, so that the operator authentication system requests the third-party authentication system according to the third-party application identifier. The first token is authenticated to obtain a user identifier bound to the account.

Specifically, the user may log in to the third-party application website by using the terminal device. The third-party application website may include its own authentication system, which is referred to as a third-party authentication system, and may also include its own application server, which is referred to as a third-party application server. If the third-party authentication system verifies that the account provided by the terminal device 900 passes, the terminal device 900 can receive the first token corresponding to the account that is allocated by the third-party authentication system. The sending module 920 can send an access authentication request carrying the third-party application identifier and the first token to the operator authentication system. For example: If the user logs in to Taobao (a third-party application website) through the mobile phone, and uses the mobile phone function of China Mobile (operator) on Taobao, the Taobao server (third-party application server) pops up a dialog box, and the user inputs Taobao. After the user name and password, click on the login will be directed to the Taobao certification system (third-party authentication system), The Taobao authentication system can authenticate whether the user name of the Taobao network passes. If the username of the Taobao network is authenticated, the Taobao authentication system can assign a first token to the user and instruct the mobile phone to jump to the Taobao server. If the user needs to use the service provided by China Mobile, the sending module 920 may send an access authentication request carrying the Taobao application identifier (third-party application identifier) and the first token to the China Mobile authentication system.

The receiving module 940 is configured to receive an IP address of the second token and the gateway sent by the operator authentication system, where the IP address of the second token and the gateway is allocated by the carrier authentication system according to the user identifier. Token and IP address.

In a possible implementation, the receiving module 940 is further configured to receive a user from the operator authentication system if the operator authentication system does not have the user identifier bound to the account. Identifies the input request.

In a possible implementation, the sending module 920 is further configured to send the user identifier input by the user to the operator authentication system, so that the operator authentication system records the account and the user identifier. Binding relationship.

For example, if the user logs in to Taobao (a third-party application website) through a mobile phone and uses the mobile phone function of China Mobile (operator) on Taobao, if the China Mobile authentication system finds that there is no binding to the user name of Taobao. The mobile phone number, the receiving module 940 of the mobile phone can receive the mobile phone number input request sent by the China Mobile authentication system. After receiving the mobile phone number input request, the receiving module 940 can send the mobile phone number to the China Mobile authentication system through the sending module 920 of the mobile phone. The China Mobile authentication system can record the binding relationship between the mobile phone number and the user name of Taobao. After the subsequent user registration is completed, the service registered by the mobile phone number bound by the mobile phone name of the Taobao network can be directly used.

The control module 960 is connected to the receiving module 940, and is configured to use the service provided by the operator after the gateway authenticates the second token.

Specifically, the receiving module 940 can receive the second token and the gateway sent by the operator authentication system. The IP address of the control module 960 can find the corresponding gateway according to the IP address of the gateway, and send an authentication request of the second token to the gateway. And the gateway sends the authentication request of the second token to the carrier authentication system. After receiving the authentication request of the second token, the operator authentication system may authenticate whether the second token passes, and if the carrier authenticates After the system authenticates that the second token passes, the user identifier may be sent to the gateway, and the gateway may perform user registration according to the user identifier instead of the user. After the gateway is replaced by the user registration, the user can directly use the terminal device to use the service registered by the operator and the user identifier bound to the account.

In the terminal device of the embodiment of the present invention, the user only needs to provide an account once to log in once on the terminal device. After the account is verified by the third-party authentication system, the user identity system bound to the account can be obtained through the operator authentication system. The authorization of the registered business, thereby using the service, the process is simple and the user experience is good.

Example 10

Figure 10 is a block diagram showing the structure of a communication authentication apparatus according to Embodiment 10 of the present invention. The communication authentication device 1000 may be a host server having a computing capability, a personal computer PC, or a portable computer or terminal that can be carried. The specific embodiment of the present invention does not limit the specific implementation of the computing node.

The communication authentication apparatus 1000 includes a processor (English: processor) 1010, a communication interface (English interface: Communications Interface) 1020, a memory (English: memory array) 1030, and a bus 1040. The processor 1010, the communication interface 1020, and the memory 1030 complete communication with each other through the bus 1040.

The communication interface 1020 is configured to implement communication between network elements such as a third-party authentication system, a terminal device, and an operator authentication system.

The processor 1010 is configured to execute a program. The processor 1010 may be a central processing unit CPU, or an application specific integrated circuit (ASIC), or one or more integrated circuits configured to implement the embodiments of the present invention. Memory 1030 can be used to store programs and data. The area storing the program may include an operating system, an application required by at least one of the foregoing modules (for example, the first processing module 680); and the area for storing the data may include the first order allocated by the communication authentication method according to the embodiment. Card, user ID, second token, etc. In addition, the memory 1030 may include a high speed RAM memory, and may also include a non-volatile memory, such as at least one disk memory. Memory 1030 can also be a memory array. The memory 1030 may also be partitioned, and the blocks may be combined into a virtual volume according to certain rules.

In a possible implementation, the above program may be a program code including computer operating instructions. This program can be used to:

In a possible implementation, after the user identifier that is bound to the account is not present, after receiving the account corresponding to the first token sent by the third-party authentication system, Before the obtaining the user identifier bound to the account, the method further includes:

Sending a user identity input request to the terminal device;

After receiving the user identifier sent by the terminal device, the binding relationship between the account and the user identifier is recorded. In a possible implementation, the IP address of the second token and the gateway is allocated according to the user identifier, so that the terminal device uses the carrier after the gateway authenticates the second token. Services provided, including:

Allocating the second token and the IP address according to the user identifier;

Sending the second token and the IP address to the terminal device, so that the terminal device sends an authentication request of the second token to the gateway according to the IP address;

And sending, by the gateway, the user identifier to the gateway, so that the gateway initiates user registration to the core network of the operator according to the user identifier, where the second token is authenticated and passed in the carrier authentication system. After the registration is completed, the user is caused to use the service provided by the operator through the terminal device.

In a possible implementation, the receiving the access authentication request sent by the terminal device includes:

The program can also be used to:

Receiving a third-party authentication request sent by the operator authentication system, where the third-party authentication request carries a first token, where the first token is a token that is allocated by the third-party authentication system according to an account provided by the terminal device, and the account is An account that is allocated to the terminal device by the third-party authentication system; in the case that the first token is authenticated, the account corresponding to the first token is sent to the operator authentication system, to Having the operator authentication system acquire the user bound to the account Logo.

In a possible implementation, before receiving the third-party authentication request sent by the operator authentication system, the method includes:

Verifying the account provided by the terminal device;

In case the verification is passed, the first token is returned to the terminal device.

The program can also be used to:

In the communication authentication device of the embodiment, the user only needs to provide an account once to log in once on the terminal device. After the account is verified by the third-party authentication system, the user identity system bound to the account can be obtained through the operator authentication system. The authorization of the registered business, thereby using the service, the process is simple and the user experience is good. Those of ordinary skill in the art will appreciate that the various exemplary elements and algorithms of the embodiments described herein can be implemented in electronic hardware, or a combination of computer software and electronic hardware. Whether these functions are implemented in hardware or software depends on the specific application and design constraints of the solution. A person skilled in the art can select different methods for implementing the described functions for a particular application, but such implementation should not be considered to be beyond the scope of the present invention.

If the function is implemented in the form of computer software and sold or used as a stand-alone product, it may be considered to some extent that all or part of the technical solution of the present invention (for example, a part contributing to the prior art) is It is embodied in the form of computer software products. The computer software product is typically stored in a computer readable storage medium and includes instructions for causing a computer device (which may be a personal computer, server, or network device, etc.) to perform all or part of the steps of various embodiments of the present invention. . The foregoing storage medium includes a USB flash drive, a mobile hard disk, a read-only memory (English: Read-Only Memory, abbreviation: ROM), a random access memory (English: Random Access Memory, abbreviation: RAM), a magnetic disk or an optical disk, and the like. A medium that can store program code.

The above is only the specific embodiment of the present invention, but the scope of the present invention is not limited thereto, and any person skilled in the art can easily think of changes or substitutions within the technical scope of the present invention. It should be covered by the scope of the present invention. Therefore, the scope of the invention should be determined by the scope of the claims.

Claims

claims

1. A communication authentication method, characterized by including:

When the third-party authentication system passes the verification of the account provided by the terminal device, receiving an access authentication request sent by the terminal device, where the access authentication request carries the third-party application identification and the first token, and the third A token is a token assigned by the third-party authentication system according to the account number, and the account number is an account assigned by the third-party authentication system to the terminal device;

Send a third-party authentication request to the third-party authentication system corresponding to the third-party application identification, where the third-party authentication request carries the first token;

Receive the account corresponding to the first token sent by the third-party authentication system, obtain the user identification bound to the account, and allocate the second token and the IP address of the gateway according to the user identification, so that the The terminal device uses the service provided by the operator after the gateway authenticates the second token, and the user identification is an identification assigned to the user by the operator's authentication system.

2. The communication authentication method according to claim 1, characterized in that, in the case where the user identification bound to the account does not exist, the first step of receiving the first authentication message sent by the third-party authentication system is After obtaining the account number corresponding to the token and before obtaining the user ID bound to the account, it also includes:

Send a user identification input request to the terminal device;

After receiving the user identification sent by the terminal device, the binding relationship between the account and the user identification is recorded.

3. The communication authentication method according to claim 1 or 2, characterized in that, the second token and the IP address of the gateway are allocated according to the user identification, so that the terminal device authenticates the gateway to the After the second token is authenticated, the services provided by the operator are used, including:

According to the user identification, allocate the second token and the IP address;

Send the second token and the IP address to the terminal device, so that the terminal device sends an authentication request for the second token to the gateway according to the IP address; When the second token is authenticated in the operator authentication system, the user identification is sent to the gateway, so that the gateway initiates an operation to the operator's core network based on the user identification. User registration, after the registration is completed, enables the user to use services provided by the operator through the terminal device.

4. The communication authentication method according to claim 2, wherein the receiving the access authentication request sent by the terminal device specifically includes:

Receive the access authentication request from the terminal device through the operator authentication portal; and send the user identification input request to the terminal device, specifically including:

Send the user identification input request to the terminal device through the operator authentication portal; after receiving the user identification sent by the terminal device, record the binding relationship between the account number and the user identification, specifically include:

Receive the user identification from the terminal device through the operator authentication portal; record the binding relationship between the account number and the user identification.

5. A communication authentication method, characterized by including:

Receive a third-party authentication request sent by the operator's authentication system, the third-party authentication request carries a first token, the first token is a token allocated by the third-party authentication system according to the account provided by the terminal device, and the account The account number assigned to the terminal device by the third-party authentication system; if the first token authentication passes, send the account number corresponding to the first token to the operator authentication system, to The operator authentication system is caused to obtain the user identification bound to the account.

6. The communication authentication method according to claim 5, characterized in that, before receiving the third-party authentication request sent by the operator authentication system, the method includes:

Verify the account provided by the terminal device;

If the verification passes, the first token is returned to the terminal device.

7. A communication authentication method, characterized by including: When the third-party authentication system passes the verification of the account provided by the terminal device, the terminal device sends an access authentication request to the operator authentication system, and the access authentication request carries the third-party application identifier and the first token. The first token is a token allocated by the third-party authentication system according to the account of the terminal device, so that the operator authentication system requests the third-party authentication system to verify the first token according to the third-party application identifier. The token is authenticated to obtain the user ID bound to the account;

Receive the second token and the IP address of the gateway sent by the operator authentication system, where the second token and the IP address of the gateway are the token and IP address allocated by the operator authentication system according to the user identification;

8. The communication authentication method according to claim 7, wherein the obtaining the user identification bound to the account includes:

In the case where the user identification bound to the account does not exist in the operator authentication system, receive a user identification input request from the operator authentication system;

Send the user identification input by the user to the operator authentication system, so that the operator authentication system records the binding relationship between the account and the user identification.

9. A communication authentication device, characterized by including:

The first receiving module is configured to receive an access authentication request sent by the terminal device when the third-party authentication system passes the verification of the account provided by the terminal device. The access authentication request carries the third-party application identifier and the third-party application identifier. A token, the first token is a token assigned by the third-party authentication system according to the account number, and the account number is an account assigned by the third-party authentication system to the terminal device;

A first sending module, connected to the first receiving module, is used to send a third-party authentication request to the third-party authentication system corresponding to the third-party application identifier, where the third-party authentication request carries the first command Card; a second receiving module, configured to receive the account number corresponding to the first token sent by the third-party authentication system;

A first processing module, connected to the second receiving module, is used to obtain the user identification bound to the account, and allocate a second token and the IP address of the gateway according to the user identification, so that the terminal device is located where The gateway uses the service provided by the operator after authenticating the second token, and the user identification is an identification assigned to the user by the communication authentication device.

10. The communication authentication device according to claim 9, characterized in that, in the absence of the user identification bound to the account, the communication authentication device further includes:

A second sending module, connected to the first processing module, is used to send a user identification input request to the terminal device;

The second processing module is connected to the second receiving module and the first processing module, and is configured to record the binding relationship between the account and the user identification after receiving the user identification sent by the terminal device.

11. The communication authentication device according to claim 9 or 10, characterized in that the first processing module specifically includes:

a distribution sub-module, configured to distribute the second token and the IP address according to the user identification; a first sending sub-module, connected to the distribution sub-module, used to send the third token to the terminal device two tokens and the IP address, so that the terminal device sends an authentication request for the second token to the gateway according to the IP address;

The second sending submodule is configured to send the user identification to the gateway when the second token is authenticated in the communication authentication device, so that the gateway sends the user identification to the user identification according to the user identification. The operator's core network initiates user registration. After the registration is completed, the user is allowed to use the services provided by the operator through the terminal device.

12. The communication authentication device according to claim 10, characterized in that,

The first receiving module is also configured to receive the information from the terminal device through the operator authentication portal. The above access authentication request;

The second sending module is also configured to send the user identification input request to the terminal device through the operator authentication portal;

The second processing module specifically includes:

The first receiving sub-module is used to receive the user identification from the terminal device through the operator authentication portal;

The recording sub-module is connected to the first receiving sub-module and is used to record the binding relationship between the account and the user identification.

13. A communication authentication device, characterized by including:

A receiving module, configured to receive a third-party authentication request sent by the operator authentication system. The third-party authentication request carries a first token. The first token is assigned by the communication authentication device according to the account provided by the terminal device. Token, the account is the account assigned by the communication authentication device to the terminal device;

The first sending module is connected to the receiving module, and is used to send the account number corresponding to the first token to the operator authentication system when the first token authentication passes, so that the The operator authentication system obtains the user ID bound to the account.

14. The communication authentication device according to claim 13, characterized in that the device further includes:

A verification module, used to verify the account provided by the terminal device;

The second sending module is connected to the verification module, and is used to return the first token to the terminal device if the verification module passes the verification.

15. A terminal device, characterized in that it includes:

A sending module, configured to send an access authentication request to the operator authentication system when the third-party authentication system passes the verification of the account provided by the terminal device, where the access authentication request carries the third-party application identifier and the first token , the first token is the third-party authentication system according to the terminal The token assigned by the device's account, so that the operator authentication system requests the third-party authentication system to authenticate the first token according to the third-party application identifier to obtain the user identifier bound to the account ;

A receiving module, configured to receive the second token and the IP address of the gateway sent by the operator authentication system, where the second token and the IP address of the gateway are the tokens assigned by the operator authentication system according to the user identity. Brand and IP address;

The control module is connected to the receiving module and is used to use the service provided by the operator after the gateway authenticates the second token.

16. The terminal device according to claim 15, characterized in that,

The receiving module is also configured to receive a user identification input request from the operator authentication system when the user identification bound to the account does not exist in the operator authentication system; the sending module is also configured to: The user identification input by the user is sent to the operator authentication system, so that the operator authentication system records the binding relationship between the account and the user identification.