WO2016078419A1 - Open authorization method, device and open platform - Google Patents


Info

Publication number
WO2016078419A1
Authority
WO
WIPO (PCT)
Prior art keywords
authorization
terminal
user account
user
party application
Prior art date
Application number
PCT/CN2015/083110
Other languages
English (en)
Chinese (zh)
Inventor
张耀
Original Assignee
中兴通讯股份有限公司
Priority date
Filing date
Publication date
Application filed by 中兴通讯股份有限公司
Publication of WO2016078419A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/40 Network security protocols

Definitions

  • the invention relates to the field of network application technologies, in particular to an open authorization method, device and open platform.
  • OAuth is an open protocol.
  • third-party applications can obtain personal information (such as contacts, photos, documents, etc.) saved by the user on the service provider side without knowing the user's password.
  • a user account can log in to multiple applications without having to re-register, but the security of the resulting authorization process has yet to be proven.
  • the embodiment of the invention provides an open authorization method, device and open platform, which can prevent another person from obtaining authorization with a user's account to access that user's private information.
  • an embodiment of the present invention provides an open authorization method, including:
  • the authorization request is used to obtain an access right for a resource saved by the first user on the resource server, and the authorization request carries the user account of the first user and terminal feature information of the terminal;
  • the terminal feature information includes at least one of an International Mobile Equipment Identity (IMEI) code, a MAC address of the terminal, and a system ID of the terminal.
  • the performing the corresponding authorization operation for the third-party application includes:
  • the authorization credential is sent to the third-party application, so that the third-party application can access the resources of the user of the service provider according to the authorization credential.
  • the method further includes:
  • a new user account is created, and the correspondence between the terminal feature information of the target terminal and the new user account is saved.
  • an open authorization device including:
  • a first receiving module configured to receive an authorization request initiated by a third-party application on a terminal, where the authorization request is used to obtain an access right for a resource saved by the first user on the resource server, and the authorization request carries a user account of the first user and terminal feature information of the terminal;
  • a determining module configured to determine, according to pre-stored terminal feature information corresponding to the user account, whether the user account matches the terminal feature information in the authorization request;
  • an authorization module configured to perform a corresponding authorization operation for the third-party application if the determining module verifies that the user account matches the terminal feature information in the authorization request.
  • the authorization module is further configured to: if the determining module verifies that the user account does not match the terminal feature information in the authorization request, then refuse to perform a corresponding authorization operation on the third-party application.
  • the terminal feature information includes at least one of an International Mobile Equipment Identity (IMEI) code, a MAC address of the terminal, and a system ID of the terminal.
  • the authorization module includes:
  • an authentication module configured to perform identity authentication on the user account;
  • a sending module configured to send an authorization credential to the third-party application if the authentication module is successfully authenticated, so that the third-party application can access the resource of the user of the service provider according to the authorization credential.
  • the device further comprises:
  • a second receiving module configured to receive a registration request of a new user account initiated by the second user;
  • an acquiring module configured to acquire terminal feature information of a target terminal specified by the second user;
  • the registration module is configured to establish a new user account, and save the correspondence between the terminal feature information of the target terminal and the new user account.
  • another embodiment of the present invention further provides an open platform, including a resource server and an authorization authentication server, wherein the authorization authentication server further includes the above-mentioned open authorization device.
  • FIG. 1 is a schematic diagram showing the steps of an open authorization method of the present invention
  • FIG. 2 is a flow chart of an open authorization method for implementing the present invention
  • FIG. 3 is a schematic structural diagram of an open authorization device according to the present invention.
  • an embodiment of the present invention provides an open authorization method, including:
  • Step 11 Receive an authorization request initiated by a third-party application on a terminal, where the authorization request is used to obtain an access right for a resource saved by the first user on the resource server, and the authorization request carries the user account of the first user and terminal feature information of the terminal;
  • Step 12 Determine, according to the terminal feature information corresponding to the user account that is saved in advance, whether the user account matches the terminal feature information in the authorization request.
  • Step 13 If they match, perform a corresponding authorization operation for the third-party application.
  • verification of the terminal feature information is added, so that a stolen user account cannot be used on another terminal to access the user's private information.
  • if the result of step 12 is a mismatch, the corresponding authorization operation for the third-party application is refused.
  • the feature information should be information capable of reflecting the unique characteristics of the terminal, such as at least one of an International Mobile Equipment Identity (IMEI) code, the terminal's MAC address, and the terminal's system ID.
  • Step 131 Perform identity authentication on the user account; that is, the user enters the password of the user account to be authenticated.
  • Step 132 If the authentication is successful, send an authorization credential to the third-party application, so that the third-party application can access the resource of the user of the service provider according to the authorization credential.
  • the service provider comprises an authentication server, a resource server and a service provider mobile client (the mobile agent software).
  • Step 201 The third-party application software obtains the IMEI number of the mobile phone and sends it, together with the other basic parameters required for OAuth authentication, to the authentication server through the interface provided by the mobile agent software; at the same time it guides the user to the authorization and authentication interface through the mobile agent software.
  • Step 202 The user inputs the user account and password, sets the authorization scope, and submits them to the authorization authentication server.
  • Step 203 The authentication and authorization server first checks whether the IMEI number uploaded by the third-party application software and the IMEI number corresponding to the locally stored user account are the same. If they are not the same, the authorization is denied. If they are the same, the user account is then authenticated by the password. If the authentication passes, a hash-processed access_token (i.e., the authorization credential described above) is generated for the mobile agent software; if the user authentication fails, the authorization is denied.
  • Step 204 The authentication authorization server returns the hashed access_token and the other return parameters requested by OAuth.
  • Step 205 The mobile agent software requests the script code from the resource server.
  • Step 206 The resource server returns the script code to the mobile agent software.
  • Step 207 The mobile agent software decrypts the hashed access_token with the script code.
  • Step 208 The mobile agent software passes the access_token to the third-party application software.
  • the third-party application software can then use the obtained access_token to access the user-authorized personal privacy information (such as contact information, photos, privacy documents, etc.).
  • another embodiment of the present invention further provides an open authorization device, as shown in FIG. 3, including:
  • a first receiving module configured to receive an authorization request initiated by a third-party application on a terminal, where the authorization request is used to obtain an access right for a resource saved by the first user on the resource server, and the authorization request carries a user account of the first user and terminal feature information of the terminal;
  • a determining module configured to determine, according to pre-stored terminal feature information corresponding to the user account, whether the user account matches the terminal feature information in the authorization request;
  • an authorization module configured to perform a corresponding authorization operation for the third-party application if the determining module verifies that the user account matches the terminal feature information in the authorization request.
  • verification of the terminal feature information is added, so that a stolen user account cannot be used on another terminal to access the user's private information.
  • the authorization module is further configured to: if the determining module verifies that the user account does not match the terminal feature information in the authorization request, then refuse to perform a corresponding authorization operation on the third-party application.
  • the feature information should be information capable of reflecting the unique characteristics of the terminal, such as at least one of an International Mobile Equipment Identity (IMEI) code, the terminal's MAC address, and the terminal's system ID.
  • the authorization module includes:
  • an authentication module configured to perform identity authentication on the user account;
  • a sending module configured to send an authorization credential to the third-party application if the authentication module is successfully authenticated, so that the third-party application can access the resource of the user of the service provider according to the authorization credential.
  • a second receiving module configured to receive a registration request of a new user account initiated by the second user
  • an acquiring module configured to acquire terminal feature information of a target terminal specified by the second user;
  • the registration module is configured to establish a new user account, and save the correspondence between the terminal feature information of the target terminal and the new user account.
  • the open authorization device of this embodiment corresponds to the open authorization method of the previous embodiment, and the same technical effect can be achieved.
  • another embodiment of the present invention further provides an open authorization system, including a resource server and an authorization authentication server, wherein the authorization authentication server further includes the above-mentioned open authorization device.
  • the user can log in to his or her own user account to save information (such as contact information, photos, privacy documents, etc.) in the resource server.
  • the authorization request is sent to the authorization authentication server, and the authorization request carries the terminal feature information of the terminal on which the application runs and the account of the target user.
  • the authorization authentication server performs identity authentication of the user (that is, asks the user applying through the third-party application for the password) only after it determines that the terminal feature information in the authorization request matches the terminal feature information of the corresponding target user saved in advance. After the user enters the password correctly, the authorization authentication server sends an authorization credential to the Mito application. In this way, on the one hand others are prevented from using the target user's terminal to obtain the target user's private information, and on the other hand others who have stolen the target user's account and password are prevented from using another terminal to obtain the target user's private information.
  • the open authorization method, apparatus and open platform provided by the embodiments of the present invention have the following beneficial effects: by adding the identification of mobile phone feature information, security is improved, that is, when the user account is used to log in from another terminal and request authorization, the authorization is rejected because the feature information of that terminal is different.
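As an added illustration (not code from the patent or its assignee), the core of steps 12, 13, 131, 132 and 203 in Python: an authorization authentication server that binds an account to terminal feature information at registration, refuses an authorization request whose terminal features differ from the stored ones before the password is even checked, and only then issues an access_token. The class and key names, the sample IMEI/MAC values and the PBKDF2 password hashing are assumptions, not taken from the patent.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Terminal features the patent names: IMEI, MAC address, system ID (key names are assumptions).
FEATURE_KEYS = ("imei", "mac", "system_id")


@dataclass
class Account:
    password_hash: bytes
    salt: bytes
    terminal_features: dict  # feature name -> value bound to the account at registration


@dataclass
class AuthServer:
    """Authorization authentication server holding the account -> terminal feature correspondence."""
    accounts: dict = field(default_factory=dict)
    issued_tokens: dict = field(default_factory=dict)  # access_token -> (account, scope)

    @staticmethod
    def _pw_hash(password: str, salt: bytes) -> bytes:
        # PBKDF2 is an assumed choice; the patent only says the password is checked.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, account: str, password: str, features: dict) -> None:
        """Create a new user account and save the feature information of the target terminal."""
        bound = {k: str(v) for k, v in features.items() if k in FEATURE_KEYS}
        if not bound:
            raise ValueError("at least one terminal feature (imei, mac or system_id) is required")
        salt = secrets.token_bytes(16)
        self.accounts[account] = Account(self._pw_hash(password, salt), salt, bound)

    def _terminal_matches(self, acct: Account, features: dict) -> bool:
        # Step 12: every feature bound at registration must be present and equal (constant-time compare).
        return all(k in features and hmac.compare_digest(v, str(features[k]))
                   for k, v in acct.terminal_features.items())

    def authorize(self, account: str, password: str, features: dict, scope: str) -> Optional[str]:
        """Steps 12, 13, 131, 132: terminal check first, then password; returns an access_token or None."""
        acct = self.accounts.get(account)
        if acct is None:
            return None
        if not self._terminal_matches(acct, features):
            return None  # Step 203: terminal mismatch -> refused before the password is even checked
        if not hmac.compare_digest(self._pw_hash(password, acct.salt), acct.password_hash):
            return None  # Step 131 failed -> refused
        token = secrets.token_urlsafe(32)  # Step 132: authorization credential for the third-party app
        self.issued_tokens[token] = (account, scope)
        return token


def demo() -> tuple:
    """Constructed scenario: registered phone, stolen credentials on another phone, wrong password."""
    srv = AuthServer()
    alice_phone = {"imei": "490154203237518", "mac": "02:00:00:aa:bb:cc"}  # constructed sample values
    srv.register("alice", "correct-horse", alice_phone)
    ok = srv.authorize("alice", "correct-horse", alice_phone, "contacts")
    other_phone = {"imei": "356938035643809", "mac": "02:00:00:dd:ee:ff"}  # constructed sample values
    stolen = srv.authorize("alice", "correct-horse", other_phone, "contacts")
    bad_pw = srv.authorize("alice", "wrong-password", alice_phone, "contacts")
    return ok, stolen, bad_pw
```

`demo()` returns a token for the registered phone and `None` for both the stolen-credentials case and the wrong-password case; the hashing and script-code steps 204 to 207 are not modelled.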

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Telephonic Communication Services (AREA)

Abstract

The invention concerns an open authorization method, device and open platform. The method comprises the steps of: receiving a request for access rights to a resource stored by a user on a resource server, the authorization request carrying the user account of a first user and the terminal feature information of a terminal; confirming whether the user account matches the terminal feature information in the authorization request according to the terminal feature information corresponding to the pre-stored user account; if so, carrying out the respective authorization process for a third-party application. The solution of the present invention can prevent other persons from obtaining authorization for the user account on other terminals to access private information.
PCT/CN2015/083110 2014-11-20 2015-07-01 Open authorization method, device and open platform WO2016078419A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201410665667.3A CN105681259A (zh) 2014-11-20 2014-11-20 Open authorization method, device and open platform
CN201410665667.3 2014-11-20

Publications (1)

Publication Number Publication Date
WO2016078419A1 true WO2016078419A1 (fr) 2016-05-26

Family

ID=56013237

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2015/083110 WO2016078419A1 (fr) 2014-11-20 2015-07-01 Open authorization method, device and open platform

Country Status (2)

Country Link
CN (1) CN105681259A (fr)
WO (1) WO2016078419A1 (fr)

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106468886A (zh) * 2016-09-30 2017-03-01 海尔优家智能科技(北京)有限公司 Method and device for a third party to control a device
CN109389449B (zh) * 2017-08-08 2022-11-04 腾讯科技(深圳)有限公司 Information processing method, server and storage medium
CN109511115B (zh) 2017-09-14 2020-09-29 华为技术有限公司 Authorization method and network element
CN107911282B (zh) * 2017-11-15 2021-11-16 杭州新新世相科技文化有限公司 Network system for implementing third-party application embedding oriented to social networks
CN108650241A (zh) * 2018-04-20 2018-10-12 中国联合网络通信集团有限公司 Shared authorization method and device
CN109033774B (zh) * 2018-08-31 2020-08-07 阿里巴巴集团控股有限公司 Method, device and electronic equipment for acquiring and feeding back user resources
CN112688791B (zh) * 2019-10-17 2022-06-14 珠海格力电器股份有限公司 Device network configuration method and device based on cloud authorization

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050055709A1 (en) * 2003-09-05 2005-03-10 Thompson James Alfred Cable network access control solution
CN103237235A (zh) * 2013-03-18 2013-08-07 中国科学院信息工程研究所 Method and system for implementing identity authentication for cloud television terminals
CN103258151A (zh) * 2012-10-30 2013-08-21 中国科学院沈阳自动化研究所 Real-time authorized software license control method
CN103428699A (zh) * 2013-07-16 2013-12-04 李锦风 Registration binding and identity authentication method based on mobile phone hardware feature information

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR101729633B1 (ko) * 2011-03-03 2017-04-24 삼성전자주식회사 Apparatus and method for sharing content of a social network service in a communication system
CN103188244B (zh) * 2011-12-31 2016-04-06 卓望数码技术(深圳)有限公司 System and method for implementing authorization management based on an open authorization protocol
CN103220259B (zh) * 2012-01-20 2016-06-08 华为技术有限公司 Method, device and system for using and invoking OAuth APIs
CN103795692B (zh) * 2012-10-31 2017-11-21 中国电信股份有限公司 Open authorization method, system and authentication authorization server

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107979571A (zh) * 2016-10-25 2018-05-01 中国移动通信有限公司研究院 File usage processing method, terminal and server
CN112929388A (zh) * 2021-03-10 2021-06-08 广东工业大学 Network identity cross-device application fast authentication method and system, and user agent device
CN112929388B (zh) * 2021-03-10 2022-11-01 广东工业大学 Network identity cross-device application fast authentication method and system, and user agent device

Also Published As

Publication number Publication date
CN105681259A (zh) 2016-06-15

Similar Documents

Publication Publication Date Title
WO2016078419A1 (fr) Open authorization method, device and open platform
CN111327582B (zh) Authorization method, device and system based on the OAuth protocol
US9722984B2 (en) Proximity-based authentication
US20230055282A1 (en) Multi-Factor Authentication with Increased Security
US8646063B2 (en) Methods, apparatus, and computer program products for subscriber authentication and temporary code generation
US11510054B2 (en) Methods, apparatuses, and computer program products for performing identification and authentication by linking mobile device biometric confirmation with third-party mobile device account association
US9264420B2 (en) Single sign-on for network applications
CN106921663B (zh) Continuous identity authentication system and method based on intelligent terminal software / intelligent terminal
US11823007B2 (en) Obtaining device posture of a third party managed device
WO2016123112A1 (fr) Secure access to cloud-based services
US20160006743A1 (en) Bidirectional authorization system, client and method
DK2924944T3 (en) Presence authentication
WO2014183526A1 (fr) Identity recognition method, device and system
US10523660B1 (en) Asserting a mobile identity to users and devices in an enterprise authentication system
US10050969B2 (en) Credential-free identification and authentication
EP3179695B1 (fr) Network authentication
WO2018099407A1 (fr) Login method and device based on account authentication
CN114500074B (zh) Single sign-on system secure access method, device and related equipment
CN111131140A (zh) Method and system for enhancing Windows operating system login security based on message push
US10447688B1 (en) System for secure communications
CN106487741B (zh) Authentication method, authentication terminal and authentication system based on an IMS network
Cheol-Joo et al. A Study of the OAuth 2.0 Protocol Extended Using SMS for Safe User Access
CN117614726A (zh) Identity authentication method and device

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 15861420; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 15861420; Country of ref document: EP; Kind code of ref document: A1)