WO2017008640A1 - Method for issuing access token and related device - Google Patents


Info

Publication number
WO2017008640A1
Authority
WO
WIPO (PCT)
Prior art keywords
access token
resource
entity
access
token
Prior art date
Application number
PCT/CN2016/087973
Other languages
French (fr)
Chinese (zh)
Inventor
周巍
Original Assignee
电信科学技术研究院
Application filed by 电信科学技术研究院
Publication of WO2017008640A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 28/00 Network traffic management; Network resource management
    • H04W 28/16 Central resource management; Negotiation of resources or communication parameters, e.g. negotiating bandwidth or QoS [Quality of Service]

Definitions

  • the present invention relates to the field of communications technologies, and in particular, to an access token issuance method and related device.
  • oneM2M, the Internet of Things standardization organization, is dedicated to developing technical specifications for constructing a common Machine-To-Machine (M2M) Service Layer.
  • M2M Machine-To-Machine
  • the oneM2M functional architecture is shown in Figure 1. Three basic entities are defined:
  • an Application Entity is located at the application layer, and the entity can implement an M2M application service logic.
  • An application service logic can reside in multiple M2M nodes, or multiple execution instances in a single node. Each execution instance of the application service logic is referred to as an application entity, and each application entity is identified by a unique AE identity (AE-ID).
  • For example, a fleet tracking application instance, a remote blood glucose monitoring application instance, a remote power metering instance, or a control application instance are all application entities.
  • the Common Service Entity (CSE) consists of a set of common service functions in the M2M environment.
  • the public service function is exposed to other entities through the reference point Mca and the reference point Mcc.
  • the reference point Mcn is used to access the underlying network service entity.
  • Each public service entity is identified by a unique CSE-ID.
  • NSE Underlying Network Services Entity
  • an underlying network service entity provides underlying network services to multiple CSEs, such as providing device management, location services, and device triggering services.
  • oneM2M implements service layer resource sharing and interaction through operations on standardized resource trees.
  • the oneM2M resource tree exists in the CSE defined by the oneM2M system.
  • CSEBase1 represents a CSE root resource <CSEBase>
  • CSE1 represents a resource <remoteCSE>
  • APP1 represents a resource <AE>
  • CONT1 and CONT2 each represent a resource <container>
  • ACP1 and ACP2 each represent a resource <accessControlPolicy>.
  • operations such as Create (C), Retrieve (R), Update (U), and Delete (D) can be performed.
  • the resource related to authorization defined by oneM2M is the access control policy resource <accessControlPolicy>, which defines an Access Control Policy (ACP); the <accessControlPolicy> resource is uniquely identified by its resource identity (ID).
  • ACP Access Control Policy
  • ID resource identity
  • Other resources specify the applicable access control policy through the accessControlPolicyIDs attribute in the resource.
  • the service subscription information in the oneM2M system is stored in the <m2mServiceSubscriptionProfile> resource.
  • the serviceRoles attribute of that resource stores a list of subscribable service role IDs (Service Role IDs); by acquiring a subscribed service role, the AE obtains the corresponding subscribed service, namely the authority to manage the M2M Node described in the <serviceSubscribedNode> sub-resource of the <m2mServiceSubscriptionProfile> resource.
  • OneM2M defines three resource types:
  • a virtual resource does not have a specific resource structure or resource attributes, and is mainly used to trigger a specific process.
  • Announced Resource has a specific resource structure and resource attributes. This resource is a copy of some content in common resources on other entities. The main purpose is to facilitate resource discovery.
  • An embodiment of the present invention provides an access token issuance method and related device, which are used to provide a specific authorization mechanism in a oneM2M system.
  • an access token issuance method including:
  • Receiving an access token resource creation request sent by the initiating entity to the access token issuing resource under the access token root resource, where the access token resource creation request carries the identifier of the initiating entity and the permission description information of the requested access token;
  • the access token root resource is a common resource under the CSE root resource of the public service entity, the access token issuing resource is a virtual resource under the access token root resource, and the access token resource is a common resource under the access token root resource.
  • the access token root resource has the common attributes of a common resource and a public attribute specifying an access control policy, and the access control policy specified by the public attribute indicates the entities that are allowed to access the access token root resource and the virtual resource under the access token root resource.
  • the method after receiving an access token resource creation request sent by the initiating entity to the access token issuing resource under the access token root resource, the method further includes:
  • the access token resource has a common attribute of a common resource and an expired time attribute, an issuer attribute, a holder attribute, and a token attribute, where the expired time attribute is used to specify a validity period of the access token resource.
  • the issuer attribute is used to indicate an entity that generates the access token
  • the holder attribute is used to indicate an entity requesting and obtaining the access token
  • the token attribute is used to store the access token.
  • before generating an access token for the initiating entity according to the access token authorization policy and the rights description information, the method further includes:
  • the access token authorization policy is obtained from an access token authorization policy entity.
  • the access token further includes authentication information, where the authentication information includes an entity identifier that generates the access token, an identifier of the initiating entity, and an expiration time;
  • the authorization information of the access token includes a service role and/or an access control policy of the originating entity.
  • generating an access token for the initiating entity according to the access token authorization policy and the permission description information including:
  • an access token issuance method including:
  • the access token root resource is a common resource under the CSE root resource of the public service entity, the access token issuing resource is a virtual resource under the access token root resource, and the access token resource is a common resource under the access token root resource.
  • the access token root resource has the common attributes of a common resource and a public attribute specifying an access control policy, and the access control policy specified by the public attribute indicates the entities that are allowed to access the access token root resource and the virtual resource under the access token root resource.
  • the access token resource has a common attribute of a common resource and an expired time attribute, an issuer attribute, a holder attribute, and a token attribute, where the expired time attribute is used to specify a validity period of the access token resource.
  • the issuer attribute is used to indicate an entity that generates the access token
  • the holder attribute is used to indicate an entity that requests and obtains the access token
  • the token attribute is used to store the access token.
  • the method after receiving the address information of the access token resource created by the authorized entity under the access token root resource, the method further includes:
  • the access token further includes authentication information, where the authentication information includes an entity identifier that generates the access token, an entity identifier that requests and holds the access token, and an expiration time;
  • the authorization information of the access token includes a service role and/or an access control policy of the originating entity.
  • the method further includes:
  • an authorized entity including:
  • a receiving module configured to receive an access token resource creation request sent by the initiating entity to the access token issuing resource under the access token root resource, where the access token resource creation request carries the identifier of the initiating entity and the permission description information of the requested access token;
  • a processing module configured to generate an access token according to the access token authorization policy and the rights description information, where the access token carries at least authorization information, and to create under the access token root resource an access token resource for the generated access token, the access token being stored in the access token resource;
  • a sending module configured to send the access token or address information of the access token resource to the initiating entity
  • the access token root resource is a common resource under the CSE root resource of the public service entity, the access token issuing resource is a virtual resource under the access token root resource, and the access token resource is a common resource under the access token root resource.
  • the access token root resource has the common attributes of a common resource and a public attribute specifying an access control policy, and the access control policy specified by the public attribute indicates the entities that are allowed to access the access token root resource and the virtual resource under the access token root resource.
  • processing module is further configured to:
  • the access token resource has a common attribute of a common resource and an expired time attribute, an issuer attribute, a holder attribute, and a token attribute, where the expired time attribute is used to specify a validity period of the access token resource.
  • the issuer attribute is used to indicate an entity that generates the access token
  • the holder attribute is used to indicate an entity that requests and obtains the access token
  • the token attribute is used to store the access token.
  • the processing module is further configured to: obtain the access token authorization policy from an access token authorization policy entity.
  • the access token further includes authentication information, where the authentication information includes an entity identifier that generates the access token, an identifier of the initiating entity, and an expiration time;
  • the authorization information of the access token includes a service role and/or an access control policy of the originating entity.
  • processing module is specifically configured to:
  • the sending module is further configured to:
  • the receiving module is further configured to:
  • an originating entity including:
  • a sending module configured to send, to the authorized entity, an access token resource creation request for the access token issuing resource under the access token root resource, where the access token resource creation request carries the identifier of the initiating entity and the permission description information of the requested access token;
  • a receiving module configured to receive an access token returned by the authorized entity, or to receive address information of an access token resource created by the authorized entity under the access token root resource, where the access token resource stores an access token, the access token carrying at least authorization information;
  • the access token root resource is a common resource under the CSE root resource of the public service entity, the access token issuing resource is a virtual resource under the access token root resource, and the access token resource is a common resource under the access token root resource.
  • the access token root resource has the common attributes of a common resource and a public attribute specifying an access control policy, and the access control policy specified by the public attribute indicates the entities that are allowed to access the access token root resource and the virtual resource under the access token root resource.
  • the access token resource has a common attribute of a common resource and an expired time attribute, an issuer attribute, a holder attribute, and a token attribute, where the expired time attribute is used to specify a validity period of the access token resource.
  • the issuer attribute is used to indicate an entity that generates the access token
  • the holder attribute is used to indicate an entity that requests and obtains the access token
  • the token attribute is used to store the access token.
  • an acquisition module is also included, configured to: after the receiving module receives the address information of the access token resource created by the authorized entity under the access token root resource, obtain the access token according to the address information.
  • the access token further includes authentication information, where the authentication information includes an entity identifier that generates the access token, an entity identifier that requests and holds the access token, and an expiration time;
  • the authorization information of the access token includes a service role and/or an access control policy of the originating entity.
  • the sending module is further configured to:
  • an authorization entity including: a processor, a transceiver, and a memory;
  • the processor is configured to read a program in the memory and perform the following process:
  • receiving an access token resource creation request sent by the initiating entity to the access token issuing resource under the access token root resource, where the access token resource creation request carries the permission description information of the requested access token;
  • an originating entity including: a processor, a transceiver, and a memory;
  • the processor is configured to read a program in the memory and perform the following process:
  • sending, to the authorized entity, an access token resource creation request for the access token issuing resource under the access token root resource, where the access token resource creation request carries the permission description information of the requested access token;
  • the access token carries at least authorization information.
  • an access token root resource whose resource type is a common resource is defined under the CSE root resource, and an access token issuing resource whose resource type is a virtual resource is defined under the access token root resource.
  • FIG. 1 is a schematic diagram of a oneM2M functional architecture in the prior art
  • FIG. 2 is a schematic structural diagram of a oneM2M resource tree in the prior art
  • FIG. 3 is a schematic diagram of relationships between three resources defined in an embodiment of the present invention.
  • FIG. 4 is a schematic diagram of a basic structure of an <accessToken> resource according to an embodiment of the present invention.
  • FIG. 5 is a schematic diagram of a process for an authorization entity to issue an access token according to an embodiment of the present invention
  • FIG. 6 is a schematic diagram of a process for an originating entity to request an access token according to an embodiment of the present invention
  • FIG. 7 is a schematic diagram of a process of using an access token by a managed entity according to an embodiment of the present invention.
  • FIG. 8 is a schematic diagram of a basic process of issuing and using an access token according to an embodiment of the present invention.
  • FIG. 9 is a schematic diagram of a specific implementation process of issuing and using an access token according to an embodiment of the present invention.
  • FIG. 10 is a schematic diagram of another specific implementation process of issuing and using an access token according to an embodiment of the present invention.
  • FIG. 11 is a schematic structural diagram of an authorization entity according to an embodiment of the present invention.
  • FIG. 12 is a schematic structural diagram of another authorized entity according to an embodiment of the present invention.
  • FIG. 13 is a schematic structural diagram of an initiating entity according to an embodiment of the present invention.
  • FIG. 14 is a schematic structural diagram of another initiating entity according to an embodiment of the present invention.
  • three oneM2M resources are defined to implement an authorization access token (Access Token).
  • Access Token an authorization access token
  • the three oneM2M resources defined are: the access token root resource <accessTokens>, the access token issuing resource <accessTokenIssuing>, and the access token resource <accessToken>.
  • the relationship between the three is shown in Figure 3.
  • the <accessTokens> resource is defined as a sub-resource of the CSE root resource <CSEBase>; its resource type is oneM2M common resource, and a <CSEBase> resource may have zero or more <accessTokens> resources.
  • the <accessTokens> resource has the universal attributes (Universal Attribute) contained in every oneM2M common resource, plus the common attribute (Common Attribute) that specifies the access control policy: accessControlPolicyIDs. Access control for the <accessTokens> resource and the virtual resource under it is determined by this attribute: the AE entities and CSE entities allowed to access them are defined in the access control policy it specifies.
  • the <accessTokenIssuing> resource is a sub-resource under the <accessTokens> resource, and an <accessTokens> resource has one <accessTokenIssuing> resource.
  • the resource type of the <accessTokenIssuing> resource is oneM2M virtual resource, so it has no resource attributes and no child resources.
  • the oneM2M virtual resource is mainly used to trigger a process.
  • a Create request for the <accessTokenIssuing> resource triggers an access token issuance process.
  • the access control of the <accessTokenIssuing> resource is determined by the access control policy specified by the accessControlPolicyIDs attribute of its parent resource <accessTokens>.
  • the accessControlPolicyIDs attribute therefore specifies the AE entities and CSE entities that can access the <accessTokenIssuing> resource, that is, that can apply for an access token.
  • the <accessToken> resource is a sub-resource under the <accessTokens> resource, and an <accessTokens> resource can contain zero or more <accessToken> resources.
  • Each <accessToken> represents an access token issued by an authorized entity, and its resource type is oneM2M normal resource.
  • The basic structure of <accessToken> is shown in Figure 4.
  • the <accessToken> resource also contains the common attribute expirationTime and three newly defined resource attributes.
  • expirationTime specifies the validity period of the resource, which is the same as the validity period of the access token.
  • the three newly defined resource attributes are:
  • Issuer: the issuer of the access token, specifically the CSE identifier (CSE-ID) of the CSE that generated the access token.
  • CSE-ID CSE identifier
  • Holder: the holder of the access token, specifically the AE identifier (AE-ID) or CSE identifier (CSE-ID) of the entity that requested and holds the access token.
  • AE-ID AE identifier
  • Token: stores the issued access token.
  • Originating Entity: the owner of the access token in the oneM2M system, specifically the AE entity or CSE entity in the oneM2M system that needs to access resources in the managed entity;
  • Authorization Entity: the issuer of the access token in the oneM2M system, specifically a CSE entity with access token issuing capability in the oneM2M system;
  • Managed Entity (escrow entity): the user of the access token in the oneM2M system, specifically a CSE entity providing resource access in the oneM2M system, which provides resource access service to the initiating entity according to the access rights described in the access token;
  • Access Token Authorization Policy Entity: provides the access token authorization policy to the authorization entity; the access token authorization policy is used to determine the permissions written into the access token;
  • Security Function Entity: digitally signs and/or encrypts the access token plaintext to generate an access token, or decrypts the access token and/or verifies its digital signature to obtain the access token plaintext.
  • the access token in the embodiment of the present invention is defined as: carrying the authorization information applied in the oneM2M environment, and mainly includes a service role and/or an access control policy.
  • the service role carried in the access token is used for Role Based Access Control (RBAC). The access token is also used to carry authentication information, which includes the CSE identifier that generated the access token (the issuer identifier), the identifier of the entity that requested and holds the access token (the holder identifier), and the expiration time.
  • RBAC Role Based Access Control
  • the escrow entity evaluates the resource access request of the initiating entity by using the role carried in the access token together with the role-based access control policy stored locally by the escrow entity, to determine whether to agree to the resource access request of the initiating entity.
  • the access control policy is the access token holder's private authorization policy; the escrow entity uses the access control policy carried in the access token to evaluate the resource access request of the originating entity to determine whether to agree to the resource access request.
  • the escrow entity may also use both the role and the access control policy carried in the access token to evaluate the resource access request of the initiating entity to determine whether to agree to the resource access request of the initiating entity.
  • the specific format of the access token is not limited in the embodiment of the present invention.
  • as long as the format of the access token is agreed between the authorized entity, the initiating entity and the escrow entity, the access token can be used correctly.
  • the scope of protection of the present invention is not limited by the specific format of the access token.
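The evaluation performed by the escrow (managed) entity described above, in its three modes (service role plus the entity's local RBAC policy, access control policy carried in the token, or both), as an added Python example that is not part of the patent or of any oneM2M implementation. The token layout, the local RBAC policy, the trusted issuer list and every identifier (CSE-auth-1, AE-app-1, the role names and resource paths) are constructed assumptions; the authentication checks (issuer, holder, expiration time) follow the authentication information the text says the token carries.

```python
"""Added example, not the patent's own code: how a managed (escrow) entity
evaluates a resource access request with the authorization information carried
in an access token. The token layout, the local RBAC policy and all identifiers
are constructed for illustration."""
from __future__ import annotations

CREATE, RETRIEVE, UPDATE, DELETE = "C", "R", "U", "D"  # oneM2M CRUD operations

# Constructed role-based access control policy stored locally by the managed entity:
# service role -> {resource path: operations permitted on it and its descendants}
LOCAL_RBAC_POLICY = {
    "role-meter-reader": {"/CSEBase1/CONT1": {RETRIEVE}},
    "role-meter-admin": {"/CSEBase1/CONT1": {CREATE, RETRIEVE, UPDATE, DELETE}},
}
TRUSTED_ISSUERS = {"CSE-auth-1"}  # constructed: authorization entities this CSE accepts


def permitted_ops(rules: dict, resource: str) -> set:
    """Union of operations allowed by every rule whose path is the resource or an ancestor of it."""
    ops: set = set()
    for path, path_ops in rules.items():
        if resource == path or resource.startswith(path.rstrip("/") + "/"):
            ops |= set(path_ops)
    return ops


def check_authentication(token: dict, originator: str, now: float):
    """Check the authentication information (issuer, holder, expiration time); None means OK."""
    if token.get("issuer") not in TRUSTED_ISSUERS:
        return "untrusted issuer"
    if token.get("holder") != originator:
        return "holder does not match the originator"
    if now >= token.get("expirationTime", 0):
        return "token expired"
    return None


def evaluate_request(token: dict, originator: str, resource: str, operation: str, now: float):
    """Decide a resource access request; returns (decision, reason)."""
    reason = check_authentication(token, originator, now)
    if reason:
        return False, reason
    roles = token.get("serviceRoles") or []
    acp = token.get("accessControlPolicy")
    if not roles and not acp:
        return False, "token carries no authorization information"
    if roles:  # role in the token combined with the managed entity's local RBAC policy
        role_ops: set = set()
        for role in roles:
            role_ops |= permitted_ops(LOCAL_RBAC_POLICY.get(role, {}), resource)
        if operation not in role_ops:
            return False, "operation not permitted by role-based policy"
    if acp:  # the holder's private access control policy carried in the token
        if operation not in permitted_ops(acp, resource):
            return False, "operation not permitted by the access control policy in the token"
    return True, "permitted"


# Constructed token plaintexts (signature verification is assumed to happen before this step).
ROLE_TOKEN = {"issuer": "CSE-auth-1", "holder": "AE-app-1", "expirationTime": 2000.0,
              "serviceRoles": ["role-meter-reader"], "accessControlPolicy": {}}
ACP_TOKEN = {"issuer": "CSE-auth-1", "holder": "AE-app-1", "expirationTime": 2000.0,
             "serviceRoles": [], "accessControlPolicy": {"/CSEBase1/CONT2": ["R"]}}
BOTH_TOKEN = {"issuer": "CSE-auth-1", "holder": "AE-app-1", "expirationTime": 2000.0,
              "serviceRoles": ["role-meter-admin"], "accessControlPolicy": {"/CSEBase1/CONT1": ["R"]}}

if __name__ == "__main__":
    print(evaluate_request(ROLE_TOKEN, "AE-app-1", "/CSEBase1/CONT1/latest", RETRIEVE, 1000.0))
    print(evaluate_request(BOTH_TOKEN, "AE-app-1", "/CSEBase1/CONT1", UPDATE, 1000.0))
```

When both a role and an ACP are present the request must pass both checks, so the ACP in the token can only narrow what the local role policy already grants; a token whose holder does not match the requesting originator or whose expiration time has passed is rejected before any authorization information is consulted.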
  • the detailed method for issuing an access token by an authorized entity is as follows:
  • Step 501: Receive an access token resource creation request sent by the initiating entity to the access token issuing resource under the access token root resource, where the access token resource creation request carries the identifier of the initiating entity and the permission description information of the requested access token.
  • the access token root resource is a common resource under the CSE root resource, and the access token issuing resource is a virtual resource under the access token root resource.
  • the access control policy specified by the public attribute indicates the entities that are allowed to access the access token root resource and the virtual resource under it. Therefore, after receiving the access token resource creation request sent by the initiating entity to the access token issuing resource under the access token root resource, and before generating the access token for the initiating entity, the authorization entity determines, according to the public attribute of the access token root resource that specifies the access control policy, that the initiating entity is allowed to access the virtual resource under the access token root resource.
  • a resource creation operation on the access token issuing resource triggers the access token issuance process.
  • Step 502: Generate an access token for the initiating entity according to the access token authorization policy and the permission description information carried in the access token resource creation request, where the access token carries at least the authorization information, and create under the access token root resource an access token resource for the generated access token, the access token being stored in the access token resource.
  • the access token resource has the common attributes of a common resource together with an expired time attribute, an issuer attribute, a holder attribute and a token attribute: the expired time attribute specifies the validity period of the access token resource, the issuer attribute indicates the entity that generated the access token, that is, the identifier of the authorization entity, the holder attribute indicates the entity that requested and holds the access token, that is, the initiating entity, and the token attribute stores the access token.
  • the access token generated by the authorized entity and the access token stored by the token attribute include authentication information in addition to the authorization information.
  • the authentication information includes the identifier of the authorization entity that generated the access token (the issuer identifier), the identifier of the originating entity that requested and holds the access token (the holder identifier), and an expiration time, which defines the validity period of the access token; the authorization information includes a service role of the initiating entity and/or an access control policy.
  • the access token authorization policy is saved in the access token authorization policy entity; before generating the access token for the initiating entity according to the access token authorization policy and the rights description information, the authorization entity obtains the access token authorization policy from the access token authorization policy entity.
  • the access token authorization policy entity stores the correspondence between the access token authorization policy and the initiating entity and the authorized entity.
  • the access token authorization policy entity contains one resource tree per authorized entity, each corresponding to a different authorized entity.
  • each authorized entity's resource tree includes the access token authorization policy resources of the different initiating entities.
  • the privilege description information is used to describe the privilege of the requesting entity, and the privilege may be the requested service role, or the requested access control policy, or the service role and the access control policy.
  • the service role issued to the initiating entity in the authorization information is the service role that is requested in the permission description information and that the access token authorization policy allows to be issued to the initiating entity.
  • the access control policy issued to the initiating entity in the authorization information is the access control policy corresponding to the permission that is requested in the permission description information and that the access token authorization policy allows the initiating entity to use.
  • the access token authorization policy is used to determine whether to issue an access token for the initiating entity and to determine the permissions written into the access token, that is, the authority issued to the holder of the access token. Those skilled in the art can apply existing authorization policies to the present invention in combination with the specific application, and the scope of protection of the present invention is not limited thereto.
  • if the authorization entity determines, according to the access token authorization policy and the rights description information, that an access token is not allowed to be issued for the initiating entity, it does not perform step 503 and instead returns an error message to the initiating entity.
  • Step 503 Send the address information of the access token or the access token resource to the initiating entity.
  • the access token resource is a common resource under the access token root resource.
  • the authorization entity generates an access token plaintext according to the access token authorization policy and the rights description information, and sends the generated access token plaintext to the security function entity, which digitally signs and/or encrypts it to obtain the access token and returns it; the authorized entity receives the access token returned by the security function entity and sends the access token to the initiating entity.
  • the digital signature algorithm and the encryption algorithm used by the security function entity are not limited; existing digital signature algorithms and encryption algorithms can be used in the present invention, and the scope of protection of the present invention is not subject to this limitation.
  • the detailed method for the initiating entity to request an access token is as follows:
  • Step 601: Send an access token resource creation request for the access token issuing resource under the access token root resource to the authorized entity, where the access token resource creation request carries the identifier of the initiating entity and the permission description information of the requested access token.
  • the access token root resource has the common attributes of a common resource and a public attribute specifying an access control policy, and the access control policy specified by the public attribute indicates the entities that are allowed to access the access token root resource and the virtual resource under the access token root resource.
  • the privilege description information is used to describe the privilege of the requesting entity, and the privilege may be the requested service role, or the requested access control policy, or the service role and the access control policy.
  • Step 602: Receive an access token returned by the authorized entity, or receive the address information of the access token resource created by the authorized entity under the access token root resource, where the access token resource stores an access token and the access token carries at least authorization information.
  • the access token root resource is a common resource under the CSE root resource, the access token issuing resource is a virtual resource under the access token root resource, and the access token resource is a common resource under the access token root resource.
  • the access token resource has the common attributes of a normal resource plus an expiration time attribute, an issuer attribute, a holder attribute, and a token attribute.
  • the expiration time attribute specifies the validity period of the access token resource; the issuer attribute indicates the entity that generated the access token; the holder attribute indicates the entity that requested and obtained the access token; and the token attribute stores the access token.
  • if the initiating entity receives the address information of the access token resource created by the authorized entity under the access token root resource, the initiating entity obtains the access token according to that address information.
  • the access token carries authentication information in addition to the authorization information; the authentication information includes the identifier of the entity that generated the access token, the identifier of the entity that requested and holds the access token, and an expiration time, and the authorization information includes the service role and/or access control policy of the initiating entity.
  • the service role issued to the initiating entity in the authorization information is the service role that is requested in the permission description information and that the access token authorization policy allows to be issued to the initiating entity.
  • the access control policy issued to the initiating entity in the authorization information is the access control policy corresponding to the permission that is requested in the permission description information and that the access token authorization policy allows the initiating entity to use.
  • the initiating entity sends a resource access request to the authorized entity, where the resource access request carries the access token.
  • Step 701 Receive a resource access request sent by the initiating entity, where the resource access request carries an access token.
  • the access token carries at least the authorization information, and the authorization information includes a service role and/or an access control policy of the initiating entity.
  • the access token carries the authentication information in addition to the authorization information, and the authentication information includes an entity identifier that generates an access token, an entity identifier that requests and holds the access token, and an expiration time.
  • after the escrow entity obtains the access token from the resource access request, it determines whether the access token is valid, as follows:
  • the preset conditions can include the following:
  • the identifier of the entity that requested and holds the access token, as carried in the access token, is the same as the identifier of the originating entity; and/or,
  • the expiration time carried in the access token has not been exceeded; when the preset conditions are met, the access token is determined to be valid.
  • if the escrow entity determines that the access token is invalid, step 702 is not performed, and an error message is returned to the initiating entity.
  • Step 702 Determine, according to the authorization information in the access token, that the resource access request of the initiating entity is within the authorization scope, and execute the resource access request of the initiating entity.
  • if the authorization information includes only the service role, the locally saved service-role-based access control policy is obtained according to the service role in the access token, and the resource access request of the initiating entity is checked against that service-role-based access control policy. If the authorization information includes only the access control policy, the resource access request of the initiating entity is checked against the access control policy in the access token; if the authorization information includes both the service role and the access control policy, the service role and the access control policy in the access token are used together to determine whether the resource access request of the initiating entity is within the authorization scope.
  • after obtaining the access token from the resource access request, the escrow entity sends the access token to the security authentication entity; the security authentication entity decrypts the access token and/or verifies its digital signature to obtain the access token plaintext and returns it. The escrow entity receives the access token plaintext returned by the security authentication entity, obtains the authorization information from the plaintext, and determines according to that authorization information whether the resource access request of the originating entity is within the authorization scope.
  • the authorized entity and the escrow entity may be deployed in the same physical device or in different physical devices.
  • a security association is established by mutual authentication using the method provided by oneM2M, to ensure the integrity and confidentiality of communication between the two entities that communicate with each other; for the specific way of establishing a security association through mutual authentication, see the oneM2M specifications, which are not detailed here.
  • the access token issuance and use process provided by the present invention is exemplified by two specific embodiments.
  • in the first specific embodiment, a oneM2M Infrastructure Node (IN-CSE) acting as the authorized entity issues an access token containing a service role to the initiating entity (AE-1); the initiating entity (AE-1) uses the access token to access the device management resource in the escrow entity (CSE-1); the node where CSE-1 is located is Node-1.
  • the security function entity accessible to the IN-CSE and the security function entity accessible to CSE-1 share a symmetric key Ks for access token encryption and decryption;
  • the security function entity accessible to the IN-CSE has a private key Kprv for signing the access token plaintext;
  • the security function entity accessible to CSE-1 has a public key certificate INcert for verifying the IN-CSE digital signature, which contains the public key Kpub matching Kprv.
  • an <accessTokens-1> resource responsible for issuing access tokens is created under the root resource <CSEBase> of the IN-CSE resource tree; resources such as <m2mServiceSubscriptionProfile>, <serviceSubscribedNode>, and <serviceSubscribedAppRule> are defined in the IN-CSE resource tree and describe the roles that the application service provider's application entities can have and the M2M Nodes they manage.
  • Step 901: AE-1 and the IN-CSE establish a security association by mutual authentication;
  • Step 902: AE-1 sends to the IN-CSE an <accessToken> resource creation request for the sub-resource <accessTokenIssuing> of the <accessTokens-1> resource in the IN-CSE resource tree; the request asks to perform the device diagnostic function on Node-1, the node where CSE-1 is located, that is, AE-1 wants to obtain an access token containing the "Device Diagnostics and Management" role;
  • Step 903: after the IN-CSE receives the request from AE-1, the access token issuing process triggered by the request does the following:
  • obtain the required access token authorization policy from the IN-CSE resource tree acting as the access token authorization policy entity, that is, the resources such as <m2mServiceSubscriptionProfile>, <serviceSubscribedNode>, and <serviceSubscribedAppRule> related to AE-1;
  • request the security function entity to digitally sign the access token plaintext using the private key Kprv, and then encrypt the access token plaintext together with the signature result using the symmetric key Ks, to generate the access token AE-Token-1.
  • Step 904: the IN-CSE sends the generated access token AE-Token-1 to AE-1.
  • Step 905: AE-1 and CSE-1 establish a security association by mutual authentication;
  • Step 906: AE-1 sends a device diagnostic request to CSE-1 on Node-1, where the request includes the access token AE-Token-1;
  • Step 907: CSE-1 receives the device diagnostic request from AE-1, extracts the access token AE-Token-1 from the request, and then does the following:
  • request the security function entity to decrypt the access token using Ks, and then verify the digital signature of the access token using the public key Kpub in INcert; if the signature is correct, proceed to the next step;
  • Step 908: CSE-1 returns the execution result to AE-1.
  • in the second specific embodiment, the authorized entity and the escrow entity are the same entity, namely CSE-1.
  • the access token issuance and use process is similar to that of the first specific embodiment, except that:
  • the security mechanism used by the security function entity to protect the access token can be a simple symmetric key mechanism, that is, the integrity and confidentiality protection of the access token is implemented using the symmetric key.
  • CSE-1 cannot issue an access token containing a service role.
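The issuance step (903) and the hosting-side checks of steps 701 and 702, modelled as an added example that is not code from the patent, using the symmetric-key protection of the second embodiment; the key Ks, the entity names, the resource paths, the JSON token layout and the simplified ACP layout (operation to permitted path prefixes) are assumptions made for the demo.

```python
"""Added example, not code from the patent: a minimal model of access token issuance
(step 903) and the hosting-side validity and authorization-scope checks (steps 701/702),
with the integrity and confidentiality of the token protected by a shared symmetric key
as in the second embodiment. Ks, entity names, resource paths, the token layout and the
ACP layout are constructed for the demo; the HMAC-counter keystream stands in for a real
cipher only so that the script runs with the standard library."""
import hashlib
import hmac
import json
import os
from typing import Dict, List, Optional, Tuple

# Constructed key Ks, shared by the security function entities of issuer and host.
KS = hashlib.sha256(b"constructed demo key Ks").digest()
NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive a keystream from Ks as HMAC-SHA256 over (nonce || counter). Demo only."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def protect(key: bytes, plaintext: bytes) -> bytes:
    """Security function entity: integrity tag over the plaintext, then encrypt both."""
    tag = hmac.new(key, plaintext, hashlib.sha256).digest()
    nonce = os.urandom(NONCE_LEN)
    body = plaintext + tag
    return nonce + bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))


def unprotect(key: bytes, token: bytes) -> Optional[bytes]:
    """Reverse of protect(): decrypt, then verify the tag. None if the token is not genuine."""
    if len(token) < NONCE_LEN + TAG_LEN:
        return None
    nonce, body = token[:NONCE_LEN], token[NONCE_LEN:]
    body = bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))
    plaintext, tag = body[:-TAG_LEN], body[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, plaintext, hashlib.sha256).digest()):
        return None
    return plaintext


class AuthorizedEntity:
    """Owns the access token root resource. The policy entity is a dict originator -> roles,
    a constructed stand-in for the <m2mServiceSubscriptionProfile> data."""

    def __init__(self, cse_id: str, subscribed_roles: Dict[str, set], lifetime: int = 3600):
        self.cse_id = cse_id
        self.subscribed_roles = subscribed_roles
        self.lifetime = lifetime
        self.token_resources: Dict[str, dict] = {}  # path -> access token resource attributes

    def create_access_token(self, originator: str, requested_role: str, now: int) -> Optional[Tuple[bytes, str]]:
        """Handle a CREATE on the access token issuing resource; returns (token, path) or None."""
        if requested_role not in self.subscribed_roles.get(originator, set()):
            return None  # the policy does not allow this role for this originator
        expiry = now + self.lifetime
        plaintext = json.dumps({"issuer": self.cse_id, "holder": originator,
                                "expirationTime": expiry, "serviceRole": requested_role},
                               sort_keys=True).encode()
        token = protect(KS, plaintext)
        path = f"{self.cse_id}/accessTokens/token{len(self.token_resources) + 1}"
        self.token_resources[path] = {"expirationTime": expiry, "issuer": self.cse_id,
                                      "holder": originator, "token": token}
        return token, path


class EscrowEntity:
    """Hosting CSE. role_acps maps a service role to a locally saved, simplified ACP:
    operation -> list of resource path prefixes it permits (constructed layout)."""

    def __init__(self, cse_id: str, role_acps: Dict[str, Dict[str, List[str]]]):
        self.cse_id = cse_id
        self.role_acps = role_acps

    def handle_resource_access(self, originator: str, token: bytes, operation: str,
                               resource: str, now: int) -> str:
        plaintext = unprotect(KS, token)
        if plaintext is None:
            return "ERROR: token failed decryption/integrity check"
        claims = json.loads(plaintext)
        # Step 701 preset conditions: holder must be the originator, token must not be expired.
        if claims.get("holder") != originator:
            return "ERROR: token holder does not match originator"
        if now > claims.get("expirationTime", 0):
            return "ERROR: token expired"
        # Step 702: ACP carried in the token and/or the ACP mapped from the service role.
        acp: Dict[str, List[str]] = {op: list(p) for op, p in claims.get("accessControlPolicy", {}).items()}
        for op, prefixes in self.role_acps.get(claims.get("serviceRole"), {}).items():
            acp.setdefault(op, []).extend(prefixes)
        if any(resource.startswith(p) for p in acp.get(operation, [])):
            return "OK"
        return "ERROR: request outside authorization scope"


if __name__ == "__main__":
    ROLE = "Device Diagnostics and Management"
    in_cse = AuthorizedEntity("IN-CSE", {"AE-1": {ROLE}})
    cse1 = EscrowEntity("CSE-1", {ROLE: {"UPDATE": ["CSE-1/Node-1/mgmtObj/"]}})
    token, path = in_cse.create_access_token("AE-1", ROLE, now=1000)
    print(path, cse1.handle_resource_access("AE-1", token, "UPDATE", "CSE-1/Node-1/mgmtObj/diag", now=2000))
```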
  • an authorization entity is provided in the embodiment of the present invention.
  • the authorization entity mainly includes:
  • the receiving module 1101 is configured to receive an access token resource creation request sent by the initiating entity for the access token issuing resource under the access token root resource, where the access token resource creation request carries the identifier of the initiating entity and the permission description information of the requested access token;
  • the processing module 1102 is configured to generate an access token for the initiating entity according to the access token authorization policy and the permission description information, where the access token carries at least authorization information, and to create the access token resource of the generated access token under the access token root resource, where the access token is stored in the access token resource;
  • the sending module 1103 is configured to send the access token or the address information of the access token resource to the initiating entity.
  • the access token root resource is a normal resource under the CSE root resource, the access token issuing resource is a virtual resource under the access token root resource, and the access token resource is a normal resource under the access token root resource.
  • the access token root resource has the common attributes of a normal resource and a common attribute specifying an access control policy; the access control policy specified by that attribute indicates which entities are allowed to access the access token root resource and the virtual resource under it.
  • processing module 1102 is further configured to:
  • the access token resource has the common attributes of a normal resource plus an expiration time attribute, an issuer attribute, a holder attribute, and a token attribute; the expiration time attribute specifies the validity period of the access token resource, the issuer attribute indicates the entity that generated the access token, the holder attribute indicates the entity that requested and obtained the access token, and the token attribute stores the access token.
  • processing module 1102 is further configured to: obtain an access token authorization policy from an access token authorization policy entity.
  • the access token further carries the authentication information, where the authentication information includes an entity identifier that generates an access token, an identifier of the initiating entity, and an expiration time;
  • the authorization information of the access token includes the service role of the originating entity and/or the access control policy.
  • processing module 1102 is specifically configured to:
  • the sending module 1103 is also used to:
  • the receiving module 1101 is further configured to:
  • the authorized entity is a CSE entity.
  • another authorization entity is provided in the embodiment of the present invention.
  • the authorization entity mainly includes a processor 1201, a memory 1202 and a transceiver 1203; the transceiver 1203 is configured to receive and transmit data under the control of the processor 1201, a preset program is saved in the memory 1202, and the processor 1201 is configured to read the program stored in the memory and to execute the following process according to the program:
  • receive, via the transceiver 1203, an access token resource creation request sent by the initiating entity for the access token issuing resource under the access token root resource, where the access token resource creation request carries the identifier of the initiating entity and the permission description information of the requested access token;
  • generate an access token for the initiating entity according to the access token authorization policy and the permission description information, where the access token carries at least authorization information, and create the access token resource of the generated access token under the access token root resource, where the access token is stored in the access token resource;
  • transmit the access token or the address information of the access token resource to the initiating entity via the transceiver 1203.
  • the access token root resource is a normal resource under the CSE root resource, the access token issuing resource is a virtual resource under the access token root resource, and the access token resource is a normal resource under the access token root resource.
  • the access token root resource has the common attributes of a normal resource and a common attribute specifying an access control policy; the access control policy specified by that attribute indicates which entities are allowed to access the access token root resource and the virtual resource under it.
  • the processor 1201 determines, according to the public attribute of the specified access control policy of the access token root resource, that the initiating entity is allowed to access the virtual resource under the access token root resource.
  • the access token resource has the common attributes of a normal resource plus an expiration time attribute, an issuer attribute, a holder attribute, and a token attribute; the expiration time attribute specifies the validity period of the access token resource, the issuer attribute indicates the entity that generated the access token, the holder attribute indicates the entity that requested and obtained the access token, and the token attribute stores the access token.
  • the processor 1201 obtains an access token authorization policy from the access token authorization policy entity.
  • the access token further carries the authentication information, where the authentication information includes an entity identifier that generates an access token, an identifier of the initiating entity, and an expiration time;
  • the authorization information of the access token includes the service role of the originating entity and/or the access control policy.
  • the processor 1201 generates an access token plaintext according to the access token authorization policy and the permission description information, and sends the generated access token plaintext to the security function entity via the transceiver 1203; the security function entity digitally signs and/or encrypts the access token plaintext to obtain the access token and returns it; the transceiver 1203 receives the access token returned by the security function entity.
  • the authorized entity is a CSE entity.
  • the bus architecture may include any number of interconnected buses and bridges, specifically linked by one or more processors represented by the processor and various circuits of memory represented by the memory.
  • the bus architecture can also link various other circuits such as peripherals, voltage regulators, and power management circuits, which are well known in the art and, therefore, will not be further described herein.
  • the bus interface provides an interface.
  • the transceiver can be a plurality of components, including a transmitter and a receiver, providing means for communicating with various other devices over a transmission medium.
  • the processor is responsible for managing the bus architecture and the usual processing, and the memory can store the data that the processor uses when performing operations.
  • an embodiment of the present invention provides an initiating entity.
  • the initiating entity mainly includes:
  • the sending module 1301 is configured to send, to the authorized entity, an access token resource creation request for the access token issuing resource under the access token root resource, where the access token resource creation request carries the identifier of the initiating entity and the permission description information of the requested access token;
  • the receiving module 1302 is configured to receive the access token returned by the authorized entity, or to receive the address information of the access token resource created by the authorized entity under the access token root resource, where the access token resource stores the access token and the access token carries at least authorization information;
  • the access token root resource is a normal resource under the common service entity (CSE) root resource, the access token issuing resource is a virtual resource under the access token root resource, and the access token resource is a normal resource under the access token root resource.
  • the access token root resource has the common attributes of a normal resource and a common attribute specifying an access control policy; the access control policy specified by that attribute indicates which entities are allowed to access the access token root resource and the virtual resource under it.
  • the access token resource has the common attributes of a normal resource plus an expiration time attribute, an issuer attribute, a holder attribute, and a token attribute; the expiration time attribute specifies the validity period of the access token resource, the issuer attribute indicates the entity that generated the access token, the holder attribute indicates the entity that requested and obtained the access token, and the token attribute stores the access token.
  • the initiating entity further includes an obtaining module 1303, configured to:
  • after the receiving module 1302 receives the address information of the access token resource created by the authorized entity under the access token root resource, obtain the access token according to that address information.
  • the access token further carries the authentication information, where the authentication information includes an entity identifier that generates an access token, an entity identifier that requests and holds the access token, and an expiration time;
  • the authorization information of the access token includes the service role of the originating entity and/or the access control policy.
  • the sending module 1301 is further configured to:
  • a resource access request is sent, and the resource access request carries an access token.
  • the originating entity is an AE entity or a CSE entity.
  • the embodiment of the present invention further provides another initiating entity.
  • the initiating entity mainly includes a processor 1401, a memory 1402 and a transceiver 1403; the transceiver 1403 is configured to receive and transmit data under the control of the processor 1401, a preset program is saved in the memory 1402, and the processor 1401 is configured to read the program stored in the memory and to execute the following process according to the program:
  • the program performs the following process:
  • the access token root resource is a normal resource under the common service entity (CSE) root resource, the access token issuing resource is a virtual resource under the access token root resource, and the access token resource is a normal resource under the access token root resource.
  • the access token root resource has the common attributes of a normal resource and a common attribute specifying an access control policy; the access control policy specified by that attribute indicates which entities are allowed to access the access token root resource and the virtual resource under it.
  • the access token resource has the common attributes of a normal resource plus an expiration time attribute, an issuer attribute, a holder attribute, and a token attribute; the expiration time attribute specifies the validity period of the access token resource, the issuer attribute indicates the entity that generated the access token, the holder attribute indicates the entity that requested and obtained the access token, and the token attribute stores the access token.
  • after receiving, via the transceiver 1403, the address information of the access token resource created by the authorized entity under the access token root resource, the processor 1401 obtains the access token according to that address information.
  • the access token further carries the authentication information, where the authentication information includes an entity identifier that generates an access token, an entity identifier that requests and holds the access token, and an expiration time;
  • the authorization information of the access token includes the service role of the originating entity and/or the access control policy.
  • the processor 1401 instructs the transceiver 1403 to send a resource access request, where the resource access request carries an access token.
  • the originating entity is an AE entity or a CSE entity.
  • the bus architecture may include any number of interconnected buses and bridges, specifically linked by one or more processors represented by the processor and various circuits of memory represented by the memory.
  • the bus architecture can also link various other circuits such as peripherals, voltage regulators, and power management circuits, which are well known in the art and, therefore, will not be further described herein.
  • the bus interface provides an interface.
  • the transceiver can be a plurality of components, including a transmitter and a receiver, providing means for communicating with various other devices over a transmission medium.
  • the processor is responsible for managing the bus architecture and the usual processing, and the memory can store the data that the processor uses when performing operations.
  • in the embodiments of the present invention, an access token issuing resource whose resource type is a virtual resource is defined under the access token root resource, an access token resource whose resource type is a normal resource is defined under the access token root resource, and a creation operation on the access token issuing resource is defined to trigger the access token issuance process. Therefore, when an access token resource creation request from the originating entity for the access token issuing resource under the access token root resource is received, the access token issuance process is triggered, an access token is generated for the initiating entity according to the access token authorization policy and the permission description information, and an access token resource is created; in this way an authorization mechanism based on access tokens is implemented in the oneM2M system.
  • embodiments of the present invention can be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or a combination of software and hardware. Moreover, the invention can take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage and optical storage, etc.) including computer usable program code.
  • the computer program instructions can also be stored in a computer readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer readable memory produce an article of manufacture comprising instruction means, which implement the functions specified in one or more flows of a flowchart and/or one or more blocks of a block diagram.
  • these computer program instructions can also be loaded onto a computer or other programmable data processing device such that a series of operational steps are performed on the computer or other programmable device to produce computer-implemented processing, so that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of a flowchart and/or one or more blocks of a block diagram.

Abstract

A method for issuing an access token and a related device are used for giving a specific authorization mechanism in a oneM2M system. The method comprises: receiving an access token resource creation request, transmitted by an initiating entity, for an access token issuing resource under an access token root resource, the access token resource creation request carrying an identity of the initiating entity and permission description information of the requested access token; according to an access token authorization policy and the permission description information, generating an access token for the initiating entity, the access token carrying at least authorization information, and creating the access token resource of the generated access token under the access token root resource; transmitting the access token or address information of the access token resource to the initiating entity; the access token root resource being a normal resource under a CSE root resource, the access token issuing resource being a virtual resource under the access token root resource, and the access token resource being a normal resource under the access token root resource.

Description

一种访问令牌颁发方法及相关设备Access token issuance method and related equipment
本申请要求在2015年7月16日提交中国专利局、申请号为201510419740.3、发明名称为“一种访问令牌颁发方法及相关设备”的中国专利申请的优先权,其全部内容通过引用结合在本申请中。The present application claims priority to Chinese Patent Application No. 201510419740.3, entitled "Access Token Issuance Method and Related Equipment", filed on July 16, 2015, the entire contents of which are incorporated herein by reference. In this application.
技术领域Technical field
本发明涉及通信技术领域,尤其涉及一种访问令牌颁发方法及相关设备。The present invention relates to the field of communications technologies, and in particular, to an access token issuance method and related device.
背景技术Background technique
物联网标准化组织oneM2M致力于开发用于构造一个公共的机器对机器通信(Machine-To-Machine,简称M2M)服务层(Service Layer)的技术规范。OneM2M, the Internet of Things standardization organization, is dedicated to developing technical specifications for constructing a common Machine-To-Machine (M2M) Service Layer.
oneM2M功能架构如图1所示,定义了三种基本实体:The oneM2M functional architecture is shown in Figure 1. Three basic entities are defined:
一,应用实体(Application Entity,简称AE),位于应用层,该实体可实现一个M2M应用服务逻辑。一个应用服务逻辑既可以驻留在多个M2M节点中,也可以在单个节点中存在多个执行实例。应用服务逻辑的每个执行实例被称为一个应用实体,每个应用实体由唯一的AE身份标识(AE-ID)标识。First, an Application Entity (AE) is located at the application layer, and the entity can implement an M2M application service logic. An application service logic can reside in multiple M2M nodes, or multiple execution instances in a single node. Each execution instance of the application service logic is referred to as an application entity, and each application entity is identified by a unique AE identity (AE-ID).
例如,车队跟踪应用实例、远程血糖监测应用实例、远程电力计量实例或控制应用实例等都属于应用实体。For example, a fleet tracking application instance, a remote blood glucose monitoring application instance, a remote power metering instance, or a control application instance are all application entities.
二,公共服务实体(Common Services Entity,简称CSE),一个公共服务实体由一组M2M环境中的公共服务功能(common service functions)构成。公共服务功能通过参考点Mca和参考点Mcc公开给其他实体。参考点Mcn用于访问底层网络服务实体。每个公共服务实体由唯一的CSE-ID标识。Second, the Common Service Entity (CSE), a public service entity consists of a set of common service functions in the M2M environment. The public service function is exposed to other entities through the reference point Mca and the reference point Mcc. The reference point Mcn is used to access the underlying network service entity. Each public service entity is identified by a unique CSE-ID.
三,底层网络服务实体(Underlying Network Services Entity,简称NSE),一个底层网络服务实体向多个CSE提供底层网络服务,例如提供设备管理、位置服务和设备触发服务。Third, the Underlying Network Services Entity (NSE), an underlying network service entity provides underlying network services to multiple CSEs, such as providing device management, location services, and device triggering services.
oneM2M通过对标准化的资源树的操作实现服务层资源共享和交互。 oneM2M资源树存在于oneM2M系统定义的CSE中。oneM2M implements service layer resource sharing and interaction through operations on standardized resource trees. The oneM2M resource tree exists in the CSE defined by the oneM2M system.
According to the definition of the functional architecture in oneM2M TS-0001, an oneM2M resource tree takes the form shown in Figure 2. There, CSEBase1 denotes a CSE root resource <CSEBase>, CSE1 denotes a <remoteCSE> resource, APP1 denotes an <AE> resource, CONT1 and CONT2 each denote a <container> resource, and ACP1 and ACP2 each denote an <accessControlPolicy> resource. oneM2M resources support the operations Create (C), Retrieve (R), Update (U) and Delete (D).
Among the resources defined by oneM2M, the one related to authorization is the access control policy resource <accessControlPolicy>, which defines an Access Control Policy (ACP); an <accessControlPolicy> resource is uniquely identified by its resource identifier (ID). Other resources specify the access control policies that apply to them through their accessControlPolicyIDs attribute.
In the oneM2M system, service subscription information is stored in the <m2mServiceSubscriptionProfile> resource. Its serviceRoles attribute holds the list of service role IDs (Service Role IDs) that can be subscribed to. By obtaining a subscribable service role, an AE obtains the corresponding subscribed service, that is, the right to manage the M2M nodes (M2M Node) described in the <serviceSubscribedNode> child resource of the <m2mServiceSubscriptionProfile> resource.
oneM2M defines three resource types:
Normal Resource, which has a concrete resource structure and resource attributes;
Virtual Resource, which has no concrete resource structure or resource attributes and is mainly used to trigger a specific processing procedure;
Announced Resource, which has a concrete resource structure and resource attributes; it is a copy of part of the content of a normal resource on another entity, and its main purpose is to facilitate resource discovery.
At present, the oneM2M system only provides service subscription information and authorization-related resources; it does not provide a specific authorization mechanism.
Summary of the invention
Embodiments of the present invention provide an access token issuance method and related devices, so as to provide a specific authorization mechanism for the oneM2M system.
The specific technical solutions provided by the embodiments of the present invention are as follows:
In a first aspect, an access token issuance method is provided, comprising:
receiving an access token resource creation request sent by an originator entity for the access token issuing resource under the access token root resource, the access token resource creation request carrying the identifier of the originator entity and permission description information for the requested access token;
generating an access token for the originator entity according to an access token authorization policy and the permission description information, the access token carrying at least authorization information, and creating under the access token root resource an access token resource for the generated access token, the access token resource storing the access token;
sending the access token, or the address information of the access token resource, to the originator entity;
wherein the access token root resource is a normal resource under the root resource of a Common Services Entity (CSE), the access token issuing resource is a virtual resource under the access token root resource, and the access token resource is a normal resource under the access token root resource.
In an implementation, the access token root resource has the universal attributes of a normal resource and a common attribute that specifies an access control policy; the access control policy specified by the common attribute indicates the entities that are allowed to access the access token root resource and the virtual resources under it.
In an implementation, after receiving the access token resource creation request sent by the originator entity for the access token issuing resource under the access token root resource, and before generating the access token for the originator entity, the method further comprises:
determining, according to the common attribute of the access token root resource that specifies the access control policy, that the originator entity is allowed to access the virtual resources under the access token root resource.
In an implementation, the access token resource has the universal attributes of a normal resource together with an expiration time attribute, an issuer attribute, a holder attribute and a token attribute, wherein the expiration time attribute specifies the validity period of the access token resource, the issuer attribute indicates the entity that generated the access token, the holder attribute indicates the entity that requested and obtained the access token, and the token attribute stores the access token.
In an implementation, before generating the access token for the originator entity according to the access token authorization policy and the permission description information, the method further comprises:
obtaining the access token authorization policy from an access token authorization policy entity.
In an implementation, the access token further carries authentication information, the authentication information comprising the identifier of the entity that generated the access token, the identifier of the originator entity, and an expiration time;
the authorization information of the access token comprises a service role and/or an access control policy of the originator entity.
In an implementation, generating the access token for the originator entity according to the access token authorization policy and the permission description information comprises:
generating an access token plaintext according to the access token authorization policy and the permission description information;
sending the generated access token plaintext to a security function entity, which digitally signs and/or encrypts the access token plaintext to obtain the access token and returns it;
receiving the access token returned by the security function entity.
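The issuance procedure of the first aspect, written out as an added example (this is illustrative code, not code from the patent or from oneM2M). It assumes a toy authority entity that hosts an <accessTokens> resource with an accessControlPolicyIDs attribute, a constructed access control policy table ACPS, a constructed token authorization policy table TOKEN_AUTHZ_POLICY standing in for the access token authorization policy entity, and an HMAC-SHA256 tag standing in for the security function entity's signature. A CREATE on the virtual <accessTokenIssuing> resource is first checked against the parent's access control policy, then the requested permissions are intersected with what the authorization policy permits, and finally an <accessToken> child is created and both the token and its address are returned.

```python
import hashlib
import hmac
import json
import time

# Constructed sample data (assumptions, not from the patent). ACPS stands in for
# <accessControlPolicy> resources: policy ID -> operation -> permitted originators.
# TOKEN_AUTHZ_POLICY stands in for the access token authorization policy entity:
# originator ID -> the service roles and per-resource operations it may be granted.
ACPS = {"ACP1": {"Create": {"APP1", "CSE1"}}}
TOKEN_AUTHZ_POLICY = {
    "APP1": {"roles": {"role-reader"}, "acp": {"CONT1": {"Retrieve"}}},
    "CSE1": {"roles": set(), "acp": {"CONT1": {"Retrieve", "Update"}}},
}
# Stand-in for the key of the security function entity (assumption); in a real
# deployment only that entity would hold it.
SECURITY_FUNCTION_KEY = b"constructed-demo-key"


def security_function_sign(plaintext):
    """Stand-in for the security function entity: HMAC-SHA256 over canonical JSON."""
    body = json.dumps(plaintext, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(SECURITY_FUNCTION_KEY, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + tag


def security_function_verify(token):
    """Return the access token plaintext as a dict, or None if the tag is invalid."""
    body, _, tag = token.rpartition(".")
    expected = hmac.new(SECURITY_FUNCTION_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(body)


class AuthorityEntity:
    """Toy CSE hosting <CSEBase>/<accessTokens>, its virtual <accessTokenIssuing>
    child and the <accessToken> children it creates."""

    def __init__(self, cse_id, acp_ids, token_ttl=3600):
        self.cse_id = cse_id
        # <accessTokens> root resource: its common attribute accessControlPolicyIDs
        # governs access to the virtual resource below it.
        self.access_tokens = {"accessControlPolicyIDs": list(acp_ids), "children": {}}
        self.token_ttl = token_ttl

    def _allowed(self, originator, operation):
        return any(
            originator in ACPS.get(acp_id, {}).get(operation, set())
            for acp_id in self.access_tokens["accessControlPolicyIDs"]
        )

    def create(self, originator, target, rights, now=None):
        """Handle a CREATE request. Returns (status, payload); the payload carries
        both the token and the address of the new <accessToken> resource."""
        if target != "accessTokens/accessTokenIssuing":
            return 404, None
        # Check the parent's accessControlPolicyIDs before issuing anything.
        if not self._allowed(originator, "Create"):
            return 403, None
        policy = TOKEN_AUTHZ_POLICY.get(originator)
        if policy is None:
            return 403, None
        # Grant only what is both requested and permitted by the authorization policy.
        roles = sorted(set(rights.get("roles", [])) & policy["roles"])
        acp = {}
        for resource, ops in rights.get("acp", {}).items():
            permitted = set(ops) & policy["acp"].get(resource, set())
            if permitted:
                acp[resource] = sorted(permitted)
        if not roles and not acp:
            return 403, None
        now = int(time.time()) if now is None else now
        plaintext = {
            "issuer": self.cse_id,          # authentication information
            "holder": originator,
            "expirationTime": now + self.token_ttl,
            "roles": roles,                 # authorization information
            "acp": acp,
        }
        token = security_function_sign(plaintext)
        res_id = "at%d" % (len(self.access_tokens["children"]) + 1)
        self.access_tokens["children"][res_id] = {
            "expirationTime": plaintext["expirationTime"],
            "issuer": self.cse_id,
            "holder": originator,
            "token": token,
        }
        return 201, {"token": token, "address": "%s/accessTokens/%s" % (self.cse_id, res_id)}

    def retrieve(self, address):
        """Resolve the address returned to the originator back to the stored token."""
        res_id = address.rsplit("/", 1)[-1]
        entry = self.access_tokens["children"].get(res_id)
        return None if entry is None else entry["token"]
```

The intersection step is the point worth noting: the originator's permission description is treated as a request, not a grant, so a token never carries more than the authorization policy allows for that holder, and a request that yields nothing is refused rather than answered with an empty token.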
In a second aspect, an access token issuance method is provided, comprising:
sending to an authority entity an access token resource creation request for the access token issuing resource under the access token root resource, the access token resource creation request carrying the identifier of the originator entity and permission description information for the requested access token;
receiving the access token returned by the authority entity, or receiving the address information of an access token resource created by the authority entity under the access token root resource, the access token resource storing an access token that carries at least authorization information;
wherein the access token root resource is a normal resource under the root resource of a Common Services Entity (CSE), the access token issuing resource is a virtual resource under the access token root resource, and the access token resource is a normal resource under the access token root resource.
In an implementation, the access token root resource has the universal attributes of a normal resource and a common attribute that specifies an access control policy; the access control policy specified by the common attribute indicates the entities that are allowed to access the access token root resource and the virtual resources under it.
In an implementation, the access token resource has the universal attributes of a normal resource together with an expiration time attribute, an issuer attribute, a holder attribute and a token attribute, wherein the expiration time attribute specifies the validity period of the access token resource, the issuer attribute indicates the entity that generated the access token, the holder attribute indicates the entity that requested and obtained the access token, and the token attribute stores the access token.
In an implementation, after receiving the address information of the access token resource created by the authority entity under the access token root resource, the method further comprises:
obtaining the access token according to the address information.
In an implementation, the access token further carries authentication information, the authentication information comprising the identifier of the entity that generated the access token, the identifier of the entity that requested and holds the access token, and an expiration time;
the authorization information of the access token comprises a service role and/or an access control policy of the originator entity.
In an implementation, the method further comprises:
sending a resource access request that carries the access token.
In a third aspect, an authority entity is provided, comprising:
a receiving module, configured to receive an access token resource creation request sent by an originator entity for the access token issuing resource under the access token root resource, the access token resource creation request carrying the identifier of the originator entity and permission description information for the requested access token;
a processing module, configured to generate an access token for the originator entity according to an access token authorization policy and the permission description information, the access token carrying at least authorization information, and to create under the access token root resource an access token resource for the generated access token, the access token resource storing the access token;
a sending module, configured to send the access token, or the address information of the access token resource, to the originator entity;
wherein the access token root resource is a normal resource under the root resource of a Common Services Entity (CSE), the access token issuing resource is a virtual resource under the access token root resource, and the access token resource is a normal resource under the access token root resource.
In an implementation, the access token root resource has the universal attributes of a normal resource and a common attribute that specifies an access control policy; the access control policy specified by the common attribute indicates the entities that are allowed to access the access token root resource and the virtual resources under it.
In an implementation, the processing module is further configured to:
before generating the access token for the originator entity, determine, according to the common attribute of the access token root resource that specifies the access control policy, that the originator entity is allowed to access the virtual resources under the access token root resource.
In an implementation, the access token resource has the universal attributes of a normal resource together with an expiration time attribute, an issuer attribute, a holder attribute and a token attribute, wherein the expiration time attribute specifies the validity period of the access token resource, the issuer attribute indicates the entity that generated the access token, the holder attribute indicates the entity that requested and obtained the access token, and the token attribute stores the access token.
In an implementation, the processing module is further configured to obtain the access token authorization policy from an access token authorization policy entity.
In an implementation, the access token further carries authentication information, the authentication information comprising the identifier of the entity that generated the access token, the identifier of the originator entity, and an expiration time;
the authorization information of the access token comprises a service role and/or an access control policy of the originator entity.
In an implementation, the processing module is specifically configured to:
generate an access token plaintext according to the access token authorization policy and the permission description information;
the sending module is further configured to:
send the generated access token plaintext to a security function entity, which digitally signs and/or encrypts the access token plaintext to obtain the access token and returns it;
the receiving module is further configured to:
receive the access token returned by the security function entity.
In a fourth aspect, an originator entity is provided, comprising:
a sending module, configured to send to an authority entity an access token resource creation request for the access token issuing resource under the access token root resource, the access token resource creation request carrying the identifier of the originator entity and permission description information for the requested access token;
a receiving module, configured to receive the access token returned by the authority entity, or to receive the address information of an access token resource created by the authority entity under the access token root resource, the access token resource storing an access token that carries at least authorization information;
wherein the access token root resource is a normal resource under the root resource of a Common Services Entity (CSE), the access token issuing resource is a virtual resource under the access token root resource, and the access token resource is a normal resource under the access token root resource.
In an implementation, the access token root resource has the universal attributes of a normal resource and a common attribute that specifies an access control policy; the access control policy specified by the common attribute indicates the entities that are allowed to access the access token root resource and the virtual resources under it.
In an implementation, the access token resource has the universal attributes of a normal resource together with an expiration time attribute, an issuer attribute, a holder attribute and a token attribute, wherein the expiration time attribute specifies the validity period of the access token resource, the issuer attribute indicates the entity that generated the access token, the holder attribute indicates the entity that requested and obtained the access token, and the token attribute stores the access token.
In an implementation, the originator entity further comprises an obtaining module configured to:
after the receiving module receives the address information of the access token resource created by the authority entity under the access token root resource, obtain the access token according to the address information.
In an implementation, the access token further carries authentication information, the authentication information comprising the identifier of the entity that generated the access token, the identifier of the entity that requested and holds the access token, and an expiration time;
the authorization information of the access token comprises a service role and/or an access control policy of the originator entity.
In an implementation, the sending module is further configured to:
send a resource access request that carries the access token.
In a fifth aspect, an authority entity is provided, comprising a processor, a transceiver and a memory;
the processor is configured to read a program stored in the memory and to perform the following procedure:
receiving, through the transceiver, an access token resource creation request sent by an originator entity for the access token issuing resource under the access token root resource, the access token resource creation request carrying permission description information for the requested access token;
generating an access token for the originator entity according to an access token authorization policy and the permission description information, the access token carrying at least authorization information, and creating under the access token root resource an access token resource for the generated access token, the access token resource storing the access token;
sending, through the transceiver, the access token or the address information of the access token resource to the originator entity.
In a sixth aspect, an originator entity is provided, comprising a processor, a transceiver and a memory;
the processor is configured to read a program stored in the memory and to perform the following procedure:
sending, through the transceiver, to an authority entity an access token resource creation request for the access token issuing resource under the access token root resource, the access token resource creation request carrying permission description information for the requested access token;
receiving, through the transceiver, the access token returned by the authority entity, or receiving the address information of an access token resource created by the authority entity under the access token root resource, the access token resource storing an access token that carries at least authorization information.
On the basis of the above technical solutions, the embodiments of the present invention define, under the CSE root resource, an access token root resource whose resource type is normal resource; under the access token root resource, an access token issuing resource whose resource type is virtual resource; and, also under the access token root resource, an access token resource whose resource type is normal resource. They further define that an access token resource creation operation on the access token issuing resource triggers an access token issuance procedure. Consequently, receiving an access token resource creation request from an originator entity for the access token issuing resource under the access token root resource triggers the access token issuance procedure, in which an access token is generated for the originator entity according to the access token authorization policy and the permission description information and an access token resource is created. A mechanism for authorization by means of access tokens is thus realized in the oneM2M system.
Brief description of the drawings
Figure 1 is a schematic diagram of the oneM2M functional architecture in the prior art;
Figure 2 is a schematic diagram of the structure of an oneM2M resource tree in the prior art;
Figure 3 is a schematic diagram of the relationship between the three resources defined in an embodiment of the present invention;
Figure 4 is a schematic diagram of the basic structure of the <accessToken> resource in an embodiment of the present invention;
Figure 5 is a schematic diagram of the procedure by which an authority entity issues an access token in an embodiment of the present invention;
Figure 6 is a schematic diagram of the procedure by which an originator entity requests an access token in an embodiment of the present invention;
Figure 7 is a schematic diagram of the procedure by which a hosting entity uses an access token in an embodiment of the present invention;
Figure 8 is a schematic diagram of the basic procedure for issuing and using an access token in an embodiment of the present invention;
Figure 9 is a schematic diagram of a specific implementation procedure for issuing and using an access token in an embodiment of the present invention;
Figure 10 is a schematic diagram of another specific implementation procedure for issuing and using an access token in an embodiment of the present invention;
Figure 11 is a schematic diagram of the structure of an authority entity in an embodiment of the present invention;
Figure 12 is a schematic diagram of the structure of another authority entity in an embodiment of the present invention;
Figure 13 is a schematic diagram of the structure of an originator entity in an embodiment of the present invention;
Figure 14 is a schematic diagram of the structure of another originator entity in an embodiment of the present invention.
Detailed description
To make the objectives, technical solutions and advantages of the present invention clearer, the present invention is described in further detail below with reference to the accompanying drawings. Evidently, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
In the embodiments of the present invention, three oneM2M resources are defined in order to implement the issuance of authorization access tokens (Access Token).
The three defined oneM2M resources are the access token root resource <accessTokens>, the access token issuing resource <accessTokenIssuing> and the access token resource <accessToken>; their relationship is shown in Figure 3.
The <accessTokens> resource is defined as a child resource of the CSE root resource <CSEBase>; its resource type is oneM2M normal resource, and a <CSEBase> resource may have zero or more <accessTokens> resources.
In addition to the universal attributes (Universal Attribute) that every oneM2M normal resource has, the <accessTokens> resource has a common attribute (Common Attribute) that specifies access control policies: accessControlPolicyIDs. Access control for the virtual resource under the <accessTokens> resource is determined by this common attribute; that is, the access control policies designated by this attribute define the AE entities and CSE entities that are allowed to access the <accessTokens> resource and the virtual resource under it.
The <accessTokenIssuing> resource is a child resource of the <accessTokens> resource; each <accessTokens> resource has one <accessTokenIssuing> resource. The resource type of <accessTokenIssuing> is oneM2M virtual resource, so it has neither resource attributes nor child resources. An oneM2M virtual resource is mainly used to trigger a processing procedure: a create request (Create Request) addressed to the <accessTokenIssuing> resource triggers an access token issuance procedure.
Access control for the <accessTokenIssuing> resource is determined by the access control policies designated by the accessControlPolicyIDs attribute of its parent resource <accessTokens>; that attribute specifies which AE entities and CSE entities may access the <accessTokenIssuing> resource, that is, which may apply for an access token.
The <accessToken> resource is a child resource of the <accessTokens> resource; an <accessTokens> resource may contain zero or more <accessToken> resources. Each <accessToken> represents one access token (Access Token) issued by an authority entity, and its resource type is oneM2M normal resource (Normal Resource).
The basic structure of <accessToken> is shown in Figure 4. In addition to the universal attributes (Universal Attribute) shared by all oneM2M normal resources, the <accessToken> resource contains the common attribute (Common Attribute) expirationTime and three newly defined resource attributes. expirationTime specifies the validity period of the resource, which is the same as the validity period of the access token. The three newly defined resource attributes are:
issuer: the issuer of the access token, specifically the CSE identifier (CSE-ID) of the CSE that generated the access token.
holder: the holder of the access token, specifically the AE identifier (AE-ID) or CSE identifier (CSE-ID) of the entity that requested and holds the access token.
token: stores the issued access token.
The embodiments of the present invention define the following:
Originator Entity: the owner of an access token in the oneM2M system, specifically an AE entity or CSE entity in the oneM2M system that needs to access resources on a hosting entity;
Authority Entity: the issuer of access tokens in the oneM2M system, specifically a CSE entity in the oneM2M system that has the capability to issue access tokens;
Hosting Entity: the consumer of access tokens in the oneM2M system, specifically a CSE entity in the oneM2M system that provides resource access; it provides resource access services to an originator entity according to the access rights described in the access token;
Access Token Authorization Policy Entity: provides the authority entity with the access token authorization policy, which is used to determine the permissions written into an access token;
Security Function Entity: digitally signs and/or encrypts an access token plaintext to produce an access token, or decrypts an access token and/or verifies its digital signature to recover the access token plaintext.
An access token in the embodiments of the present invention is defined as carrying authorization information applied in the oneM2M environment, mainly a service role and/or an access control policy. The service role carried in the access token is used for Role Based Access Control (RBAC). The access token also carries authentication information, comprising the CSE identifier of the CSE that generated the access token (i.e. the issuer identifier), the identifier of the entity that requested and holds the access token (the holder identifier), and the expiration time.
If the authorization information of the access token carries only a role, the hosting entity evaluates the originator entity's resource access request using the role carried in the access token together with the role-based access control policy stored locally on the hosting entity, to decide whether to grant the originator entity's resource access request.
If the authorization information of the access token carries only an access control policy, that policy is a dedicated authorization policy for the token holder; the hosting entity evaluates the originator entity's resource access request using the access control policy carried in the access token, to decide whether to grant the request.
If the authorization information of the access token carries both a role and an access control policy, the hosting entity evaluates the originator entity's resource access request using both the role and the access control policy carried in the access token, to decide whether to grant the originator entity's resource access request.
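The three evaluation cases above, as an added example of the hosting entity's decision logic (illustrative code, not code from the patent or from oneM2M). It assumes the security function entity has already decrypted the token and verified its signature, so the function receives the access token plaintext as a dict with the attributes named in this description (issuer, holder, expirationTime, roles, acp); LOCAL_RBAC_POLICY is a constructed stand-in for the hosting entity's locally stored role-based policy. The patent does not say how a role and an access control policy combine when both are present, so the example grants the request if either one permits it, which is an assumption.

```python
# Constructed local role-based access control policy of the hosting entity
# (assumption, not from the patent): service role -> resource -> permitted operations.
LOCAL_RBAC_POLICY = {
    "role-reader": {"CONT1": {"Retrieve"}, "CONT2": {"Retrieve"}},
    "role-writer": {"CONT1": {"Create", "Update"}},
}


def evaluate_request(token_plaintext, originator, resource, operation, now):
    """Decide whether a resource access request carrying an access token is granted.

    token_plaintext is the access token after the security function entity has
    decrypted it and/or verified its signature. Returns (granted, reason).
    """
    # Authentication information: the token must be presented by its holder
    # and must not have expired (expirationTime is an absolute timestamp here).
    if token_plaintext.get("holder") != originator:
        return False, "holder mismatch"
    if now >= token_plaintext.get("expirationTime", 0):
        return False, "token expired"

    roles = token_plaintext.get("roles") or []
    acp = token_plaintext.get("acp") or {}
    if not roles and not acp:
        return False, "token carries no authorization information"

    # Role only, or role together with ACP: map the carried roles through the
    # hosting entity's local RBAC policy.
    for role in roles:
        if operation in LOCAL_RBAC_POLICY.get(role, {}).get(resource, set()):
            return True, "granted by role %s" % role

    # ACP only, or ACP together with role: the token's own access control policy
    # is dedicated to the holder, so it is evaluated directly.
    if operation in acp.get(resource, ()):
        return True, "granted by token access control policy"

    return False, "no role or policy in the token permits %s on %s" % (operation, resource)
```

Note that the holder and expiry checks run before any authorization logic: a token that is valid in every other respect must still be refused when presented by an entity other than its holder or after its expirationTime.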
需要说明的是,本发明实施例对访问令牌的具体格式不作限制。授权实体、发起实体和托管实体之间约定访问令牌的格式即可正确使用访问令牌,本发明的保护范围并不受访问令牌具体格式的限制。It should be noted that the specific format of the access token is not limited in the embodiment of the present invention. The access token can be correctly used by the format of the access token between the authorized entity, the initiating entity and the escrow entity. The scope of protection of the present invention is not limited by the specific format of the access token.
Based on the above definitions, in an embodiment of the present invention, as shown in FIG. 5, the detailed method by which an authorization entity issues an access token is as follows:
Step 501: Receive, from an originating entity, an access token resource creation request directed at the access token issuing resource under the access token root resource, the access token resource creation request carrying the identifier of the originating entity and the permission description information of the requested access token.
The access token root resource is an ordinary resource under the CSE root resource, and the access token issuing resource is a virtual resource under the access token root resource.
In implementation, the access token root resource has the common attributes of an ordinary resource as well as a common attribute specifying an access control policy; the access control policy specified by this common attribute indicates which entities are allowed to access the access token root resource and the virtual resources under it. Therefore, after receiving the access token resource creation request that the originating entity sends to the access token issuing resource under the access token root resource, and before generating an access token for the originating entity, the authorization entity determines, according to the common attribute of the access token root resource that specifies the access control policy, that the originating entity is allowed to access the virtual resources under the access token root resource.
A resource creation operation on the access token issuing resource triggers an access token issuance procedure.
Step 502: Generate an access token for the originating entity according to the access token authorization policy and the permission description information carried in the access token resource creation request, the access token carrying at least authorization information; create, under the access token root resource, an access token resource for the generated access token, the access token being stored in that access token resource.
The access token resource has the common attributes of an ordinary resource plus an expiration time attribute, an issuer attribute, a holder attribute and a token attribute. The expiration time attribute specifies the validity period of the access token resource; the issuer attribute indicates the entity that generated the access token, i.e. the identifier of the authorization entity; the holder attribute indicates the entity that requested and obtained the access token, i.e. the identifier of the originating entity; and the token attribute stores the access token.
Both the access token generated by the authorization entity and the access token stored in the token attribute contain authentication information in addition to authorization information. The authentication information includes the identifier of the authorization entity that generated the access token (the issuer identifier), the identifier of the originating entity that requested and holds the access token (the holder identifier), and an expiration time, which defines the validity period of the access token. The authorization information includes the service role and/or access control policy of the originating entity.
Optionally, the access token authorization policy is stored in an access token authorization policy entity; before generating the access token for the originating entity according to the access token authorization policy and the permission description information, the authorization entity obtains the access token authorization policy from the access token authorization policy entity.
In one specific implementation, the access token authorization policy entity stores the correspondence between access token authorization policies, originating entities and authorization entities. For example, the access token authorization policy entity contains a resource tree for each authorization entity, and under each authorization entity's resource tree are the access token authorization policy resources of the different originating entities.
The permission description information describes the permissions requested by the originating entity; these may be a requested service role, a requested access control policy, or both a service role and an access control policy.
In implementation, the service role issued to the originating entity in the authorization information is the service role that is requested in the permission description information and that the access token authorization policy allows to be issued to the originating entity. The access control policy issued to the originating entity in the authorization information is the access control policy corresponding to the permissions that are requested in the permission description information and that the access token authorization policy allows the originating entity to use.
It should be noted that the access token authorization policy is used to determine whether to issue an access token to the originating entity, and to determine the permissions written into the access token, i.e. the permissions granted to the requester and holder of the access token. The specific policy is designed according to the particular application; those skilled in the art may apply existing authorization policies in combination with the present invention, and the scope of protection of the present invention is not limited in this respect.
In implementation, if the authorization entity determines, according to the access token authorization policy and the permission description information, that an access token may not be issued to the originating entity, step 503 is not performed and an error message is returned to the originating entity.
Step 503: Send the access token, or the address information of the access token resource, to the originating entity.
The access token resource is an ordinary resource under the access token root resource.
In an optional implementation, the authorization entity generates an access token plaintext according to the access token authorization policy and the permission description information, and sends the generated access token plaintext to a security function entity; the security function entity digitally signs and/or encrypts the access token plaintext to obtain the access token and returns it; the authorization entity receives the access token returned by the security function entity and sends it to the originating entity.
It should be noted that the digital signature algorithm and the encryption algorithm used by the security function entity are not restricted; any existing digital signature algorithm and encryption algorithm may be used with the present invention, and the scope of protection of the present invention is not limited in this respect.
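The issuance procedure of steps 501 to 503 can be illustrated as an added example in Go; this is not code from the patent or from oneM2M, and the type and field names (AccessToken, TokenRootResource, AuthorizationPolicy, the "resource:operation" form of policy entries, the accessToken-N address pattern) are assumptions chosen for the illustration. The authorization entity first checks the root resource's access control policy common attribute, then keeps only the requested roles and policy entries that the authorization policy allows, builds the token with issuer, holder and expiration time, stores it in a new access token resource and returns both the token and the resource address.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// AccessToken: authorization information plus authentication information (assumed field names).
type AccessToken struct {
	Issuer, Holder string    // CSE that generated the token; entity that requested and holds it
	Expires        time.Time // expiration time
	Roles, ACP     []string  // service roles; dedicated policy entries "resource:operation"
}

// AuthorizationPolicy stands in for the access token authorization policy entity.
type AuthorizationPolicy struct {
	AllowedRoles, AllowedACP map[string][]string // per requester identifier
}

// TokenRootResource models the access token root resource: its access control
// policy common attribute and the access token resources created beneath it.
type TokenRootResource struct {
	Path         string
	AllowedUsers map[string]bool // who may use the virtual issuing resource
	Children     map[string]AccessToken
	nextID       int
}

// AuthorizationEntity is the CSE that issues tokens (steps 501 to 503).
type AuthorizationEntity struct {
	CSEID  string
	Root   *TokenRootResource
	Policy AuthorizationPolicy
	Now    func() time.Time // injectable clock
}

var (
	ErrNotPermitted = errors.New("originator may not access the access token issuing resource")
	ErrNotIssuable  = errors.New("authorization policy does not allow the requested permissions")
)

// intersect keeps the requested items that the policy also allows, in request order.
func intersect(requested, allowed []string) (out []string) {
	for _, r := range requested {
		for _, a := range allowed {
			if r == a {
				out = append(out, r)
				break
			}
		}
	}
	return out
}

// IssueToken checks the root resource's access control policy (step 501),
// narrows the request to what the authorization policy allows and builds the
// token with issuer, holder and expiry (step 502), stores it in a new access
// token resource and returns the token and the resource address (step 503).
// Refusing when nothing at all can be granted is an assumption.
func (a *AuthorizationEntity) IssueToken(requester string, roles, acp []string, ttl time.Duration) (AccessToken, string, error) {
	if !a.Root.AllowedUsers[requester] {
		return AccessToken{}, "", ErrNotPermitted
	}
	grantedRoles := intersect(roles, a.Policy.AllowedRoles[requester])
	grantedACP := intersect(acp, a.Policy.AllowedACP[requester])
	if len(grantedRoles) == 0 && len(grantedACP) == 0 {
		return AccessToken{}, "", ErrNotIssuable
	}
	tok := AccessToken{Issuer: a.CSEID, Holder: requester,
		Expires: a.Now().Add(ttl), Roles: grantedRoles, ACP: grantedACP}
	a.Root.nextID++
	addr := fmt.Sprintf("%s/accessToken-%d", a.Root.Path, a.Root.nextID)
	a.Root.Children[addr] = tok
	return tok, addr, nil
}

// ExampleEntity builds an authorization entity from constructed sample data.
func ExampleEntity() *AuthorizationEntity {
	return &AuthorizationEntity{
		CSEID: "IN-CSE",
		Root: &TokenRootResource{Path: "/CSEBase/accessTokens-1",
			AllowedUsers: map[string]bool{"AE-1": true},
			Children:     map[string]AccessToken{}},
		Policy: AuthorizationPolicy{
			AllowedRoles: map[string][]string{"AE-1": {"Device Diagnostics and Management"}},
			AllowedACP:   map[string][]string{"AE-1": {"/Node-1/devDiag:RETRIEVE"}}},
		Now: time.Now,
	}
}

func main() {
	a := ExampleEntity()
	tok, addr, err := a.IssueToken("AE-1",
		[]string{"Device Diagnostics and Management", "Admin"}, nil, time.Hour)
	fmt.Println(tok.Roles, tok.Holder, addr, err)
}
```

The requester asking for two roles receives only the one its policy allows, a requester not named in the root resource's access control policy is refused before the policy is consulted, and the resource address returned is the path under which the hosting side can later retrieve the stored token.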
Based on the above definitions, in an embodiment of the present invention, as shown in FIG. 6, the detailed method by which an originating entity requests an access token is as follows:
Step 601: Send to the authorization entity an access token resource creation request directed at the access token issuing resource under the access token root resource, the access token resource creation request carrying the identifier of the originating entity and the permission description information of the requested access token.
The access token root resource has the common attributes of an ordinary resource as well as a common attribute specifying an access control policy; the access control policy specified by this common attribute indicates which entities are allowed to access the access token root resource and the virtual resources under it.
The permission description information describes the permissions requested by the originating entity; these may be a requested service role, a requested access control policy, or both a service role and an access control policy.
Step 602: Receive the access token returned by the authorization entity, or receive the address information of the access token resource created by the authorization entity under the access token root resource, the access token resource storing the access token and the access token carrying at least authorization information.
The access token root resource is an ordinary resource under the CSE root resource, the access token issuing resource is a virtual resource under the access token root resource, and the access token resource is an ordinary resource under the access token root resource.
The access token resource has the common attributes of an ordinary resource plus an expiration time attribute, an issuer attribute, a holder attribute and a token attribute; the expiration time attribute specifies the validity period of the access token resource, the issuer attribute indicates the entity that generated the access token, the holder attribute indicates the entity that requested and obtained the access token, and the token attribute stores the access token.
In implementation, if the originating entity receives the address information of the access token resource created by the authorization entity under the access token root resource, it obtains the access token according to that address information.
In addition to the authorization information, the access token carries authentication information, which includes the identifier of the entity that generated the access token, the identifier of the entity that requested and holds the access token, and an expiration time; the authorization information includes the service role and/or access control policy of the originating entity.
In implementation, the service role issued to the originating entity in the authorization information is the service role that is requested in the permission description information and that the access token authorization policy allows to be issued to the originating entity. The access control policy issued to the originating entity in the authorization information is the access control policy corresponding to the permissions that are requested in the permission description information and that the access token authorization policy allows the originating entity to use.
In implementation, after obtaining the access token, the originating entity sends a resource access request carrying the access token to the authorization entity.
Based on the same inventive concept, in an embodiment of the present invention, as shown in FIG. 7, the detailed method by which a hosting entity uses an access token is as follows:
Step 701: Receive a resource access request sent by the originating entity, the resource access request carrying an access token.
The access token carries at least authorization information, which includes the service role and/or access control policy of the originating entity.
In implementation, the access token also carries authentication information in addition to the authorization information; the authentication information includes the identifier of the entity that generated the access token, the identifier of the entity that requested and holds the access token, and an expiration time.
In implementation, after obtaining the access token from the resource access request, the hosting entity determines whether the access token is valid, as follows:
If preset conditions are met, the access token is determined to be valid; otherwise, the access token is determined to be invalid. The preset conditions may include the following:
the identifier of the entity that generated the access token, as carried in the access token, is the same as a preset CSE identifier; and/or
the identifier of the entity that requested and holds the access token, as carried in the access token, is the same as the identifier of the originating entity; and/or
the time at which the access token is used does not exceed the expiration time carried in the access token. If these conditions hold, the access token is determined to be valid.
In implementation, if the hosting entity determines that the access token is invalid, step 702 is not performed and an error message is returned to the originating entity.
Step 702: Determine, according to the authorization information in the access token, that the originating entity's resource access request is within the authorized scope, and execute the originating entity's resource access request.
In implementation, if the authorization information includes only a service role, the locally stored service-role-based access control policy is retrieved according to the service role in the access token, and whether the originating entity's resource access request is within the authorized scope is determined according to that service-role-based access control policy; if the authorization information includes only an access control policy, whether the request is within the authorized scope is determined according to the access control policy in the access token; if the authorization information includes both a service role and an access control policy, this is determined according to both the service role and the access control policy in the access token.
In an optional implementation, after obtaining the access token from the resource access request, the hosting entity sends the access token to a security authentication entity, which decrypts the access token and/or verifies its digital signature to obtain the access token plaintext and returns it; the hosting entity receives the access token plaintext returned by the security authentication entity, obtains the authorization information from the plaintext, and determines according to that authorization information whether the originating entity's resource access request is within the authorized scope.
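The hosting entity's side of the procedure, steps 701 and 702 together with the three-way evaluation of role-only, policy-only and combined tokens described earlier for the token definition, as an added Go example that is not code from the patent or from oneM2M. The AccessToken and ResourceRequest types, the "resource:operation" form of policy entries and the local RBAC table are assumptions; so is treating a token that carries both a role and a policy as requiring both checks to pass, which the text leaves open. The three preset validity conditions are checked in the order the text lists them, before any authorization information is consulted.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// AccessToken as carried in the resource access request (assumed field names).
type AccessToken struct {
	Issuer, Holder string
	Expires        time.Time
	Roles, ACP     []string // service roles; policy entries "resource:operation"
}

// ResourceRequest is the originator's resource access request of step 701.
type ResourceRequest struct {
	Originator, Resource, Operation string
	Token                           AccessToken
}

// HostingEntity holds the preset issuer CSE identifier and the locally stored
// role-based access control policy (role -> permitted "resource:operation").
type HostingEntity struct {
	TrustedIssuer string
	RBAC          map[string][]string
	Now           func() time.Time
}

var (
	ErrIssuer  = errors.New("issuer identifier differs from the preset CSE identifier")
	ErrHolder  = errors.New("holder identifier differs from the originator")
	ErrExpired = errors.New("access token has expired")
	ErrDenied  = errors.New("request is outside the authorized scope")
)

// Validate applies the three preset conditions listed under step 701.
func (h *HostingEntity) Validate(req ResourceRequest) error {
	switch {
	case req.Token.Issuer != h.TrustedIssuer:
		return ErrIssuer
	case req.Token.Holder != req.Originator:
		return ErrHolder
	case !h.Now().Before(req.Token.Expires):
		return ErrExpired
	}
	return nil
}

func permits(entries []string, resource, op string) bool {
	for _, e := range entries {
		if e == resource+":"+op {
			return true
		}
	}
	return false
}

// Authorize is step 702: a role-only token is evaluated against the local RBAC
// policy, a policy-only token against the policy it carries, and a token with
// both must pass both checks (the conjunction is an assumption).
func (h *HostingEntity) Authorize(req ResourceRequest) error {
	t := req.Token
	if len(t.Roles) == 0 && len(t.ACP) == 0 {
		return ErrDenied // no authorization information at all
	}
	roleOK := len(t.Roles) == 0 // vacuously true when the token carries no role
	for _, r := range t.Roles {
		roleOK = roleOK || permits(h.RBAC[r], req.Resource, req.Operation)
	}
	acpOK := len(t.ACP) == 0 || permits(t.ACP, req.Resource, req.Operation)
	if !roleOK || !acpOK {
		return ErrDenied
	}
	return nil
}

// Handle runs the whole path: validate the token, check the authorized scope,
// then execute the request (represented here by a result string).
func (h *HostingEntity) Handle(req ResourceRequest) (string, error) {
	if err := h.Validate(req); err != nil {
		return "", err
	}
	if err := h.Authorize(req); err != nil {
		return "", err
	}
	return fmt.Sprintf("%s %s for %s executed", req.Operation, req.Resource, req.Originator), nil
}

func main() {
	// Constructed sample: CSE-1 trusts tokens issued by IN-CSE and maps one role locally.
	h := &HostingEntity{TrustedIssuer: "IN-CSE", Now: time.Now,
		RBAC: map[string][]string{"Device Diagnostics and Management": {"/Node-1/devDiag:CREATE"}}}
	tok := AccessToken{Issuer: "IN-CSE", Holder: "AE-1", Expires: time.Now().Add(time.Hour),
		Roles: []string{"Device Diagnostics and Management"}}
	fmt.Println(h.Handle(ResourceRequest{Originator: "AE-1", Resource: "/Node-1/devDiag", Operation: "CREATE", Token: tok}))
	fmt.Println(h.Handle(ResourceRequest{Originator: "AE-2", Resource: "/Node-1/devDiag", Operation: "CREATE", Token: tok}))
}
```

The second call in main fails the holder check: a token presented by an entity other than the one named as holder is rejected before its roles are even looked at, which is the property that makes the holder identifier in the authentication information worth carrying.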
In the above embodiments, the authorization entity and the hosting entity may be deployed in the same physical device or in different physical devices.
In the above embodiments, before the originating entity communicates with the authorization entity, and before the originating entity communicates with the hosting entity, a security association is established by mutual authentication using the methods provided by oneM2M, so as to ensure the integrity and confidentiality of the communication between the two entities; for the specific way in which a security association is established through mutual authentication, refer to the oneM2M specifications, which are not detailed here.
The basic procedure for issuing and using an access token in the above embodiments is shown in FIG. 8; for the specific procedure, refer to the description of the above embodiments, which is not repeated here.
The access token issuance and use procedure provided by the present invention is illustrated below by two specific embodiments.
In the first specific embodiment, a oneM2M infrastructure node (IN-CSE) acting as the authorization entity issues an access token containing a Service Role to the originating entity (AE-1); the originating entity (AE-1) uses this access token to access device management resources in the hosting entity (CSE-1); CSE-1 resides on the node Node-1.
This specific embodiment assumes that the security function entity accessible to the IN-CSE and the security function entity accessible to CSE-1 hold a symmetric key Ks used for access token encryption and decryption; that the security function entity accessible to the IN-CSE holds a private key Kprv used to sign the access token plaintext; and that the security function entity accessible to CSE-1 holds a public key certificate INcert used to verify the IN-CSE's digital signature, which contains the public key Kpub matching Kprv.
It is further assumed that the application entity AE-1 of a oneM2M application service provider is registered with the infrastructure node IN-CSE of the oneM2M service provider. An <accessTokens-1> resource responsible for issuing access tokens is created under the root resource <CSEBase> of the IN-CSE resource tree; resources such as <m2mServiceSubscriptionProfile>, <serviceSubscribedNode> and <serviceSubscribedAppRule> are defined in the IN-CSE resource tree, which describe the roles that the application service provider's application entities may hold and the M2M nodes (M2M Node) they manage.
As shown in FIG. 9, the access token issuance and use procedure is as follows:
Step 901: AE-1 and the IN-CSE establish a security association by mutual authentication;
Step 902: AE-1 sends to the IN-CSE an <accessToken> resource creation request directed at the child resource <accessTokenIssuing> of the <accessTokens-1> resource in the IN-CSE resource tree; the request asks to perform the device diagnostics function on Node-1, the node on which CSE-1 resides, i.e. AE-1 wants to obtain an access token containing the "Device Diagnostics and Management" role;
Step 903: After the IN-CSE receives the request from AE-1, the access token creation procedure activated by the request performs the following operations:
1. Check the access control policy associated with the <accessTokenIssuing> resource to determine whether AE-1 has permission to create an <accessToken> resource; if so, continue to the next step;
2. Obtain the required access token authorization policy from the IN-CSE resource tree, which acts as the access token authorization policy entity, i.e. the <m2mServiceSubscriptionProfile>, <serviceSubscribedNode> and <serviceSubscribedAppRule> resources related to AE-1;
3. Check the serviceRoles attribute of the <m2mServiceSubscriptionProfile> resource belonging to the application service provider to determine whether it holds the requested "Device Diagnostics and Management" role; if so, continue to the next step;
4. Check the <serviceSubscribedNode> child resources of the <m2mServiceSubscriptionProfile> resource to determine whether the application service provider has management rights over node Node-1, i.e. whether the node-ID attribute of some <serviceSubscribedNode> child resource has the value Node-1; if so, continue to the next step;
5. Check the <serviceSubscribedAppRule> resource referenced by the ruleLinks attribute of the <serviceSubscribedNode> resource matched in the previous step, to determine whether AE-1 may register to node Node-1, i.e. whether AE-1 is in the AE list of the allowedAEs attribute of that <serviceSubscribedAppRule> resource; if so, continue to the next step;
6. Generate an access token plaintext containing the "Device Diagnostics and Management" role, and set the validity period of the access token;
7. Request the security function entity to digitally sign the access token plaintext with the private key Kprv, and then encrypt the access token plaintext together with the signature with the symmetric key Ks, producing the access token AE-Token-1.
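Checks 3, 4 and 5 of step 903 walk the subscription profile resources in a fixed order, and the order matters: a missing node subscription is a different failure from an application rule that does not list the AE. The following added Go example, not code from the patent or from oneM2M, models just those three resources with the attribute names the text uses (serviceRoles, node-ID, ruleLinks, allowedAEs); the Go structs, the sample profile and the result strings are assumptions.

```go
package main

import "fmt"

// Minimal models of the IN-CSE resources named in step 903; the attribute
// names come from the text, the Go structure is an assumption.
type ServiceSubscribedAppRule struct {
	AllowedAEs []string // allowedAEs attribute
}

type ServiceSubscribedNode struct {
	NodeID    string                      // node-ID attribute
	RuleLinks []*ServiceSubscribedAppRule // ruleLinks attribute
}

type M2MServiceSubscriptionProfile struct {
	ServiceRoles    []string                 // serviceRoles attribute
	SubscribedNodes []*ServiceSubscribedNode // <serviceSubscribedNode> child resources
}

func contains(list []string, v string) bool {
	for _, x := range list {
		if x == v {
			return true
		}
	}
	return false
}

// CheckIssuance performs checks 3, 4 and 5 of step 903 in order and reports
// which check failed: the subscription must hold the requested role, some
// <serviceSubscribedNode> must name the target node, and a <serviceSubscribedAppRule>
// linked from that node must list the requesting AE.
func CheckIssuance(p *M2MServiceSubscriptionProfile, ae, role, nodeID string) (bool, string) {
	if !contains(p.ServiceRoles, role) {
		return false, "903.3: requested role not in serviceRoles"
	}
	var node *ServiceSubscribedNode
	for _, n := range p.SubscribedNodes {
		if n.NodeID == nodeID {
			node = n
			break
		}
	}
	if node == nil {
		return false, "903.4: no serviceSubscribedNode with node-ID " + nodeID
	}
	for _, rule := range node.RuleLinks {
		if contains(rule.AllowedAEs, ae) {
			return true, "903.5: AE listed in allowedAEs, token plaintext may be generated"
		}
	}
	return false, "903.5: AE not in allowedAEs of any linked serviceSubscribedAppRule"
}

// ExampleProfile is constructed sample data shaped like the first embodiment.
func ExampleProfile() *M2MServiceSubscriptionProfile {
	rule := &ServiceSubscribedAppRule{AllowedAEs: []string{"AE-1"}}
	return &M2MServiceSubscriptionProfile{
		ServiceRoles: []string{"Device Diagnostics and Management"},
		SubscribedNodes: []*ServiceSubscribedNode{
			{NodeID: "Node-1", RuleLinks: []*ServiceSubscribedAppRule{rule}},
			{NodeID: "Node-2"}, // subscribed node with no linked app rules
		},
	}
}

func main() {
	p := ExampleProfile()
	for _, c := range [][3]string{
		{"AE-1", "Device Diagnostics and Management", "Node-1"},
		{"AE-2", "Device Diagnostics and Management", "Node-1"},
		{"AE-1", "Device Diagnostics and Management", "Node-2"},
		{"AE-1", "Some Other Role", "Node-1"},
	} {
		ok, why := CheckIssuance(p, c[0], c[1], c[2])
		fmt.Println(ok, why)
	}
}
```

Only the first request passes; the others fail at check 5 (AE not allowed), check 5 again (node subscribed but with no app rule naming the AE) and check 3 (role not subscribed), which is the granularity an operator needs when auditing why a token was refused.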
Step 904: The IN-CSE sends the generated access token AE-Token-1 to AE-1;
Step 905: AE-1 and CSE-1 establish a security association by mutual authentication;
Step 906: AE-1 sends a device diagnostics request to CSE-1 on Node-1, the request containing the access token AE-Token-1;
Step 907: CSE-1 receives the device diagnostics request from AE-1, extracts the access token AE-Token-1 from the device diagnostics request, and then performs the following operations:
1. Request the security function entity to decrypt the access token with Ks and then verify the digital signature of the access token with the public key Kpub from INcert; if the signature is correct, continue to the next step;
2. Check the validity period in the access token to determine whether the token has expired; if it is still valid, continue to the next step;
3. Extract the role contained in the token and evaluate, using the role-based access control policy, whether to grant AE-1's device diagnostics request; if granted, continue to the next step;
4. Perform the device diagnostics function requested by AE-1.
Step 908: CSE-1 returns the execution result to AE-1.
In the second specific embodiment, as shown in FIG. 10, the authorization entity and the hosting entity are the same entity, namely CSE-1. The access token issuance and use procedure in this embodiment is similar to that of the first specific embodiment, with the following differences:
Because the authorization entity and the hosting entity are the same entity, the security mechanism that protects the access token in the security function entity can be a purely symmetric-key mechanism, i.e. both the integrity and the confidentiality of the access token are protected with a symmetric key.
Moreover, since CSE-1 is neither an IN-CSE, i.e. an infrastructure node, nor a node trusted and authorized by an infrastructure node, CSE-1 cannot issue an access token containing a Service Role.
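The protection step 903.7 and its inverse 907.1 in the first embodiment (sign with Kprv, encrypt plaintext and signature with Ks; decrypt with Ks, verify with Kpub from INcert) can be shown concretely with Go's standard library, as an added example that is not code from the patent or from oneM2M. The patent leaves the algorithms open; this example picks Ed25519 for the signature and AES-128-GCM for the symmetric encryption, which are assumptions, as are the JSON token layout, the field names and the SecurityFunction type. Since GCM is authenticated encryption, the same code with the Ed25519 step removed is the purely symmetric-key protection of the second embodiment, where the same entity both issues and verifies.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// TokenPlaintext is the access token plaintext of step 903.6 (assumed field names).
type TokenPlaintext struct {
	Issuer  string   `json:"issuer"`
	Holder  string   `json:"holder"`
	Expires int64    `json:"expires"` // Unix seconds
	Roles   []string `json:"roles"`
}

// SecurityFunction holds the keys assumed in the first embodiment: Ks shared by
// both sides, Kprv only at the IN-CSE side, Kpub (from INcert) at the CSE-1 side.
type SecurityFunction struct {
	Ks   []byte             // symmetric key for token encryption and decryption
	Kprv ed25519.PrivateKey // nil at the hosting side
	Kpub ed25519.PublicKey
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Protect is step 903.7: sign the plaintext with Kprv, then encrypt
// plaintext||signature under Ks. Output is nonce||ciphertext||GCM tag.
func (s *SecurityFunction) Protect(pt TokenPlaintext) ([]byte, error) {
	body, err := json.Marshal(pt)
	if err != nil {
		return nil, err
	}
	sig := ed25519.Sign(s.Kprv, body)
	gcm, err := newGCM(s.Ks)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, append(body, sig...), nil), nil
}

// Unprotect is step 907.1: decrypt with Ks, split off the signature, verify it
// with Kpub, and only then hand the plaintext back to the hosting entity.
func (s *SecurityFunction) Unprotect(token []byte) (TokenPlaintext, error) {
	var pt TokenPlaintext
	gcm, err := newGCM(s.Ks)
	if err != nil {
		return pt, err
	}
	n := gcm.NonceSize()
	if len(token) < n {
		return pt, errors.New("token too short")
	}
	plain, err := gcm.Open(nil, token[:n], token[n:], nil)
	if err != nil || len(plain) < ed25519.SignatureSize {
		return pt, errors.New("decryption or integrity check failed")
	}
	cut := len(plain) - ed25519.SignatureSize
	if !ed25519.Verify(s.Kpub, plain[:cut], plain[cut:]) {
		return pt, errors.New("signature verification failed")
	}
	err = json.Unmarshal(plain[:cut], &pt)
	return pt, err
}

// ExampleKeys provisions constructed keys: a fresh Ks (AES-128) and an Ed25519
// pair, returning the IN-CSE side and the CSE-1 side security functions.
func ExampleKeys() (*SecurityFunction, *SecurityFunction, error) {
	ks := make([]byte, 16)
	if _, err := rand.Read(ks); err != nil {
		return nil, nil, err
	}
	pub, prv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &SecurityFunction{Ks: ks, Kprv: prv, Kpub: pub}, &SecurityFunction{Ks: ks, Kpub: pub}, nil
}

func main() {
	issuer, hosting, _ := ExampleKeys()
	tok, _ := issuer.Protect(TokenPlaintext{Issuer: "IN-CSE", Holder: "AE-1", Expires: 1700003600,
		Roles: []string{"Device Diagnostics and Management"}})
	fmt.Println(hosting.Unprotect(tok))
}
```

The hosting side never parses the plaintext before both the GCM tag and the signature have been checked, so a token altered in transit, a token encrypted under a different Ks, or a token signed by a key other than the one in INcert all stop at step 907.1 rather than reaching the role evaluation of step 907.3.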
Based on the same inventive concept, an embodiment of the present invention provides an authorization entity; for the specific implementation of this authorization entity, refer to the description of the method above, which is not repeated here. As shown in FIG. 11, the authorization entity mainly includes:
a receiving module 1101, configured to receive from an originating entity an access token resource creation request directed at the access token issuing resource under the access token root resource, the access token resource creation request carrying the identifier of the originating entity and the permission description information of the requested access token;
a processing module 1102, configured to generate an access token for the originating entity according to the access token authorization policy and the permission description information, the access token carrying at least authorization information, and to create under the access token root resource an access token resource for the generated access token, the access token being stored in that access token resource;
a sending module 1103, configured to send the access token, or the address information of the access token resource, to the originating entity.
The access token root resource is an ordinary resource under the CSE root resource, the access token issuing resource is a virtual resource under the access token root resource, and the access token resource is an ordinary resource under the access token root resource.
In implementation, the access token root resource has the common attributes of an ordinary resource as well as a common attribute specifying an access control policy; the access control policy specified by this common attribute indicates which entities are allowed to access the access token root resource and the virtual resources under it.
In implementation, the processing module 1102 is further configured to:
before generating the access token for the originating entity, determine, according to the common attribute of the access token root resource that specifies the access control policy, that the originating entity is allowed to access the virtual resources under the access token root resource.
In implementation, the access token resource has the common attributes of an ordinary resource plus an expiration time attribute, an issuer attribute, a holder attribute and a token attribute; the expiration time attribute specifies the validity period of the access token resource, the issuer attribute indicates the entity that generated the access token, the holder attribute indicates the entity that requested and obtained the access token, and the token attribute stores the access token.
In implementation, the processing module 1102 is further configured to obtain the access token authorization policy from the access token authorization policy entity.
In implementation, the access token also carries authentication information, which includes the identifier of the entity that generated the access token, the identifier of the originating entity, and an expiration time;
the authorization information of the access token includes the service role and/or access control policy of the originating entity.
In implementation, the processing module 1102 is specifically configured to:
generate the access token plaintext according to the access token authorization policy and the permission description information;
the sending module 1103 is further configured to:
send the generated access token plaintext to the security function entity, which digitally signs and/or encrypts the access token plaintext to obtain the access token and returns it;
the receiving module 1101 is further configured to:
receive the access token returned by the security function entity.
In implementation, the authorization entity is a CSE entity.
Based on the same inventive concept, an embodiment of the present invention provides an authorization entity; for its specific implementation refer to the description of the method above, and repeated details are not described again. As shown in FIG. 12, the authorization entity mainly includes a processor 1201, a memory 1202 and a transceiver 1203. The transceiver 1203 receives and sends data under the control of the processor 1201; the memory 1202 stores a preset program; and the processor 1201 reads the program stored in the memory and, according to that program, performs the following process:
receiving, through the transceiver 1203, an access token resource creation request sent by the initiating entity for the access token issuing resource under the access token root resource, the access token resource creation request carrying the identifier of the initiating entity and the permission description information of the requested access token;
generating an access token for the initiating entity according to the access token authorization policy and the permission description information, the access token carrying at least authorization information, and creating under the access token root resource an access token resource for the generated access token, the access token resource storing the access token;
sending the access token, or the address information of the access token resource, to the initiating entity through the transceiver 1203.
Here the access token root resource is an ordinary resource under the CSE root resource, the access token issuing resource is a virtual resource under the access token root resource, and the access token resource is an ordinary resource under the access token root resource.
In an implementation, the access token root resource has the general attributes of an ordinary resource together with a public attribute that specifies an access control policy; the access control policy specified by the public attribute indicates the entities that are allowed to access the access token root resource and the virtual resource under the access token root resource.
In an implementation, before generating the access token for the initiating entity, the processor 1201 determines, according to the public attribute of the access token root resource that specifies the access control policy, that the initiating entity is allowed to access the virtual resource under the access token root resource.
In an implementation, the access token resource has the general attributes of an ordinary resource together with an expiration time attribute, an issuer attribute, a holder attribute and a token attribute; the expiration time attribute specifies the validity period of the access token resource, the issuer attribute indicates the entity that generated the access token, the holder attribute indicates the entity that requested and obtained the access token, and the token attribute stores the access token.
In an implementation, the processor 1201 obtains the access token authorization policy from an access token authorization policy entity.
In an implementation, the access token further carries authentication information, the authentication information including the identifier of the entity that generated the access token, the identifier of the initiating entity and the expiration time;
the authorization information of the access token includes the service role and/or the access control policy of the initiating entity.
In an implementation, the processor 1201 generates the access token plaintext according to the access token authorization policy and the permission description information, sends the generated access token plaintext through the transceiver 1203 to a security function entity, which digitally signs and/or encrypts the access token plaintext to obtain the access token and returns it, and receives the access token returned by the security function entity through the transceiver 1203.
In an implementation, the authorization entity is a CSE entity.
The bus architecture may include any number of interconnected buses and bridges, linking together various circuits including one or more processors represented by the processor and memory represented by the memory. The bus architecture may also link various other circuits such as peripherals, voltage regulators and power management circuits; these are well known in the art and are therefore not described further here. The bus interface provides an interface. The transceiver may be a plurality of elements, namely a transmitter and a receiver, providing a unit for communicating with various other apparatuses over a transmission medium. The processor is responsible for managing the bus architecture and general processing, and the memory may store the data used by the processor when performing operations.
Based on the same inventive concept, an embodiment of the present invention provides an initiating entity; for its specific implementation refer to the description of the method above. As shown in FIG. 13, the initiating entity mainly includes:
a sending module 1301, configured to send to the authorization entity an access token resource creation request for the access token issuing resource under the access token root resource, the access token resource creation request carrying the identifier of the initiating entity and the permission description information of the requested access token;
a receiving module 1302, configured to receive the access token returned by the authorization entity, or to receive the address information of the access token resource created by the authorization entity under the access token root resource, the access token resource storing the access token and the access token carrying at least authorization information;
where the access token root resource is an ordinary resource under the root resource of the common service entity (CSE), the access token issuing resource is a virtual resource under the access token root resource, and the access token resource is an ordinary resource under the access token root resource.
Here the access token root resource has the general attributes of an ordinary resource together with a public attribute that specifies an access control policy; the access control policy specified by the public attribute indicates the entities that are allowed to access the access token root resource and the virtual resource under the access token root resource.
Here the access token resource has the general attributes of an ordinary resource together with an expiration time attribute, an issuer attribute, a holder attribute and a token attribute; the expiration time attribute specifies the validity period of the access token resource, the issuer attribute indicates the entity that generated the access token, the holder attribute indicates the entity that requested and obtained the access token, and the token attribute stores the access token.
In an implementation, the initiating entity further includes an obtaining module 1303, configured to:
obtain the access token according to the address information after the receiving module 1302 has received the address information of the access token resource created by the authorization entity under the access token root resource.
Here the access token further carries authentication information, the authentication information including the identifier of the entity that generated the access token, the identifier of the entity that requested and holds the access token, and the expiration time;
the authorization information of the access token includes the service role and/or the access control policy of the initiating entity.
In an implementation, the sending module 1301 is further configured to:
send a resource access request, the resource access request carrying the access token.
In an implementation, the initiating entity is an AE entity or a CSE entity.
Based on the same inventive concept, an embodiment of the present invention further provides another initiating entity; for its specific implementation refer to the description of the method above, and repeated details are not described again. As shown in FIG. 14, the initiating entity mainly includes a processor 1401, a memory 1402 and a transceiver 1403. The transceiver 1403 receives and sends data under the control of the processor 1401; the memory 1402 stores a preset program; and the processor 1401 reads the program stored in the memory and, according to that program, performs the following process:
instructing the transceiver 1403 to send to the authorization entity an access token resource creation request for the access token issuing resource under the access token root resource, the access token resource creation request carrying the identifier of the initiating entity and the permission description information of the requested access token;
receiving, through the transceiver 1403, the access token returned by the authorization entity, or receiving the address information of the access token resource created by the authorization entity under the access token root resource, the access token resource storing the access token and the access token carrying at least authorization information;
where the access token root resource is an ordinary resource under the root resource of the common service entity (CSE), the access token issuing resource is a virtual resource under the access token root resource, and the access token resource is an ordinary resource under the access token root resource.
Here the access token root resource has the general attributes of an ordinary resource together with a public attribute that specifies an access control policy; the access control policy specified by the public attribute indicates the entities that are allowed to access the access token root resource and the virtual resource under the access token root resource.
Here the access token resource has the general attributes of an ordinary resource together with an expiration time attribute, an issuer attribute, a holder attribute and a token attribute; the expiration time attribute specifies the validity period of the access token resource, the issuer attribute indicates the entity that generated the access token, the holder attribute indicates the entity that requested and obtained the access token, and the token attribute stores the access token.
In an implementation, after receiving through the transceiver 1403 the address information of the access token resource created by the authorization entity under the access token root resource, the processor 1401 obtains the access token according to the address information.
Here the access token further carries authentication information, the authentication information including the identifier of the entity that generated the access token, the identifier of the entity that requested and holds the access token, and the expiration time;
the authorization information of the access token includes the service role and/or the access control policy of the initiating entity.
In an implementation, the processor 1401 instructs the transceiver 1403 to send a resource access request, the resource access request carrying the access token.
In an implementation, the initiating entity is an AE entity or a CSE entity.
The bus architecture may include any number of interconnected buses and bridges, linking together various circuits including one or more processors represented by the processor and memory represented by the memory. The bus architecture may also link various other circuits such as peripherals, voltage regulators and power management circuits; these are well known in the art and are therefore not described further here. The bus interface provides an interface. The transceiver may be a plurality of elements, namely a transmitter and a receiver, providing a unit for communicating with various other apparatuses over a transmission medium. The processor is responsible for managing the bus architecture and general processing, and the memory may store the data used by the processor when performing operations.
Based on the above technical solution, in the embodiments of the present invention an access token root resource of resource type ordinary resource is defined under the CSE root resource, an access token issuing resource of resource type virtual resource is defined under the access token root resource, an access token resource of resource type ordinary resource is defined under the access token root resource, and an access token resource creation operation on the access token issuing resource is defined to trigger an access token issuance process. Thus, receiving from the initiating entity an access token resource creation request for the access token issuing resource under the access token root resource triggers the access token issuance process, in which an access token is generated for the initiating entity according to the access token authorization policy and the permission description information and an access token resource is created, thereby implementing a mechanism for authorization by access token in the oneM2M system.
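The issuance flow above (access control policy check on the root resource, policy lookup, token plaintext with authentication and authorization information, signing by the security function entity, creation of the access token resource, and later verification on a resource access request) as an added example in Python; it is not code from the patent or from oneM2M. The resource and attribute names, the shape of the permission description, HMAC-SHA256 standing in for the security function entity's signature, and the policy entity as a plain lookup function are all assumptions made for illustration.

```python
"""Added example (not part of the patent): a minimal Python model of the
oneM2M access token issuance described above.  Assumed for illustration:
the resource and attribute names, the shape of the permission description
("roles", "acp"), HMAC-SHA256 standing in for the security function entity,
and the authorization policy entity as a plain lookup function."""
import hashlib
import hmac
import json
import time
from typing import Optional

# constructed demo key; in a deployment only the security function entity holds it
SECURITY_FUNCTION_KEY = b"constructed-demo-key"


def security_function_sign(plaintext: bytes) -> str:
    """Stand-in for the security function entity: MAC the token plaintext."""
    return hmac.new(SECURITY_FUNCTION_KEY, plaintext, hashlib.sha256).hexdigest()


def policy_entity_lookup(originator: str) -> dict:
    """Stand-in for the access token authorization policy entity (constructed data)."""
    policies = {
        "AE-sensor-01": {"roles": {"reader"}, "acp": {"/cse/data:RETRIEVE"}},
        "CSE-edge-02": {"roles": {"reader", "writer"},
                        "acp": {"/cse/data:RETRIEVE", "/cse/data:UPDATE"}},
    }
    return policies.get(originator, {"roles": set(), "acp": set()})


class AuthorizationEntity:
    """CSE acting as authorization entity; hosts the access token root resource."""

    def __init__(self, cse_id: str, allowed_originators: set, ttl_s: int = 3600):
        self.cse_id = cse_id
        self.ttl_s = ttl_s
        # access token root: ordinary resource whose access control policy lists
        # who may use the virtual access token issuing resource under it
        self.token_root = {"accessControlPolicy": set(allowed_originators), "tokens": {}}

    def create_access_token_resource(self, originator: str, permission_desc: dict,
                                     return_address: bool = False,
                                     now: Optional[float] = None):
        """Handle a CREATE on the access token issuing resource."""
        now = time.time() if now is None else now
        # 1. the root resource's access control policy gates the issuing resource
        if originator not in self.token_root["accessControlPolicy"]:
            raise PermissionError(f"{originator} may not access the issuing resource")
        # 2. obtain the policy and grant only what is both requested and permitted
        policy = policy_entity_lookup(originator)
        roles = sorted(set(permission_desc.get("roles", ())) & policy["roles"])
        acp = sorted(set(permission_desc.get("acp", ())) & policy["acp"])
        if not roles and not acp:
            raise PermissionError("policy grants none of the requested rights")
        exp = int(now) + self.ttl_s
        # 3. token plaintext: authentication info (issuer, holder, expiration) plus
        #    authorization info (service roles and/or access control policy)
        plaintext = {"issuer": self.cse_id, "holder": originator, "expirationTime": exp,
                     "serviceRoles": roles, "accessControlPolicy": acp}
        body = json.dumps(plaintext, sort_keys=True, separators=(",", ":"))
        # 4. the security function entity signs the plaintext; token = body.signature
        token = body + "." + security_function_sign(body.encode())
        # 5. create the ordinary access token resource under the root
        res_id = f"at{len(self.token_root['tokens']) + 1}"
        self.token_root["tokens"][res_id] = {"expirationTime": exp, "issuer": self.cse_id,
                                             "holder": originator, "token": token}
        address = f"/{self.cse_id}/accessTokenRoot/{res_id}"
        return address if return_address else token

    def retrieve_token(self, address: str) -> str:
        """Initiating entity fetches the token from the resource address it was given."""
        return self.token_root["tokens"][address.rsplit("/", 1)[1]]["token"]


def verify_access_token(token: str, originator: str, needed_acp: str,
                        now: Optional[float] = None) -> bool:
    """Resource-hosting side: validate a token carried in a resource access request."""
    now = time.time() if now is None else now
    body, _, sig = token.rpartition(".")
    # signature first, so nothing below is trusted before the MAC checks out
    if not hmac.compare_digest(security_function_sign(body.encode()), sig):
        return False
    claims = json.loads(body)
    if claims["holder"] != originator or claims["expirationTime"] <= now:
        return False
    return needed_acp in claims["accessControlPolicy"]
```

Note that a request asking for more than the policy allows is trimmed to the permitted intersection rather than rejected, and the verifier checks the signature before reading any claim.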
Those skilled in the art will appreciate that the embodiments of the present invention may be provided as a method, a system or a computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage and optical storage) containing computer-usable program code.
The present invention is described with reference to flowcharts and/or block diagrams of methods, apparatuses (systems) and computer program products according to embodiments of the present invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, a special-purpose computer, an embedded processor or another programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce an apparatus for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction apparatus that implements the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, such that a series of operational steps is performed on the computer or other programmable device to produce computer-implemented processing, so that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
It is apparent that those skilled in the art can make various modifications and variations to the present invention without departing from the spirit and scope of the present invention. Thus, if these modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is also intended to encompass these modifications and variations.

Claims (28)

  1. An access token issuance method, characterized by comprising:
    receiving an access token resource creation request sent by an initiating entity for an access token issuing resource under an access token root resource, the access token resource creation request carrying the identifier of the initiating entity and permission description information of the requested access token;
    generating an access token for the initiating entity according to an access token authorization policy and the permission description information, the access token carrying at least authorization information, and creating under the access token root resource an access token resource for the generated access token, the access token resource storing the access token;
    sending the access token, or address information of the access token resource, to the initiating entity;
    wherein the access token root resource is an ordinary resource under the root resource of a common service entity (CSE), the access token issuing resource is a virtual resource under the access token root resource, and the access token resource is an ordinary resource under the access token root resource.
  2. The method according to claim 1, characterized in that the access token root resource has the general attributes of an ordinary resource together with a public attribute that specifies an access control policy, the access control policy specified by the public attribute indicating the entities that are allowed to access the access token root resource and the virtual resource under the access token root resource.
  3. The method according to claim 2, characterized in that, after receiving the access token resource creation request sent by the initiating entity for the access token issuing resource under the access token root resource and before generating the access token for the initiating entity, the method further comprises:
    determining, according to the public attribute of the access token root resource that specifies the access control policy, that the initiating entity is allowed to access the virtual resource under the access token root resource.
  4. The method according to claim 1, characterized in that the access token resource has the general attributes of an ordinary resource together with an expiration time attribute, an issuer attribute, a holder attribute and a token attribute, the expiration time attribute being used to specify the validity period of the access token resource, the issuer attribute being used to indicate the entity that generated the access token, the holder attribute being used to indicate the entity that requested and obtained the access token, and the token attribute being used to store the access token.
  5. The method according to claim 1, characterized in that, before generating the access token for the initiating entity according to the access token authorization policy and the permission description information, the method further comprises:
    obtaining the access token authorization policy from an access token authorization policy entity.
  6. The method according to any one of claims 1 to 5, characterized in that the access token further carries authentication information, the authentication information comprising the identifier of the entity that generated the access token, the identifier of the initiating entity and an expiration time;
    the authorization information of the access token comprising a service role and/or an access control policy of the initiating entity.
  7. The method according to claim 6, characterized in that generating the access token for the initiating entity according to the access token authorization policy and the permission description information comprises:
    generating an access token plaintext according to the access token authorization policy and the permission description information;
    sending the generated access token plaintext to a security function entity, the security function entity digitally signing and/or encrypting the access token plaintext to obtain the access token and returning it;
    receiving the access token returned by the security function entity.
  8. An access token issuance method, characterized by comprising:
    sending to an authorization entity an access token resource creation request for an access token issuing resource under an access token root resource, the access token resource creation request carrying the identifier of an initiating entity and permission description information of the requested access token;
    receiving an access token returned by the authorization entity, or receiving address information of an access token resource created by the authorization entity under the access token root resource, the access token resource storing the access token and the access token carrying at least authorization information;
    wherein the access token root resource is an ordinary resource under the root resource of a common service entity (CSE), the access token issuing resource is a virtual resource under the access token root resource, and the access token resource is an ordinary resource under the access token root resource.
  9. The method according to claim 8, characterized in that the access token root resource has the general attributes of an ordinary resource together with a public attribute that specifies an access control policy, the access control policy specified by the public attribute indicating the entities that are allowed to access the access token root resource and the virtual resource under the access token root resource.
  10. The method according to claim 8, characterized in that the access token resource has the general attributes of an ordinary resource together with an expiration time attribute, an issuer attribute, a holder attribute and a token attribute, the expiration time attribute being used to specify the validity period of the access token resource, the issuer attribute being used to indicate the entity that generated the access token, the holder attribute being used to indicate the entity that requested and obtained the access token, and the token attribute being used to store the access token.
  11. The method according to claim 10, characterized in that, after receiving the address information of the access token resource created by the authorization entity under the access token root resource, the method further comprises:
    obtaining the access token according to the address information.
  12. The method according to any one of claims 8 to 11, characterized in that the access token further carries authentication information, the authentication information comprising the identifier of the entity that generated the access token, the identifier of the entity that requested and holds the access token, and an expiration time;
    the authorization information of the access token comprising a service role and/or an access control policy of the initiating entity.
  13. The method according to claim 12, characterized in that the method further comprises:
    sending a resource access request, the resource access request carrying the access token.
  14. 一种授权实体,其特征在于,包括:An authorized entity, comprising:
    接收模块,用于接收发起实体发送的对访问令牌根资源下的访问令牌签发资源的访问令牌资源创建请求,所述访问令牌资源创建请求中携带所述发起实体的标识和请求的访问令牌的权限描述信息;a receiving module, configured to receive an access token resource creation request sent by the initiating entity to the access token issuing resource under the access token root resource, where the access token resource creation request carries the identifier and the request of the initiating entity Access permission description information of the access token;
    处理模块,用于根据访问令牌授权策略和所述权限描述信息,为所述发起实体生成访问令牌,所述访问令牌中至少携带授权信息,在所述访问令牌根资源下创建生成的访问令牌的访问令牌资源,所述访问令牌资源中保存有所述访问令牌;a processing module, configured to generate, according to the access token authorization policy and the rights description information, an access token, where the access token carries at least authorization information, and is generated under the access token root resource. Access token resource of the access token, the access token is stored in the access token resource;
    发送模块,用于将所述访问令牌或者所述访问令牌资源的地址信息发送给所述发起实体; a sending module, configured to send the access token or address information of the access token resource to the initiating entity;
    其中,所述访问令牌根资源为公共服务实体CSE根资源下的普通资源,所述访问令牌签发资源为所述访问令牌根资源下的虚拟资源,所述访问令牌资源为所述访问令牌根资源下的普通资源。The access token root resource is a common resource under the CSE root resource of the public service entity, and the access token is a virtual resource under the access token root resource, where the access token resource is Access common resources under the token root resource.
  15. 如权利要求14所述的授权实体,其特征在于,所述访问令牌根资源具有普通资源的通用属性以及指定访问控制策略的公共属性,所述公共属性所指定的访问控制策略指示允许访问所述访问令牌根资源及所述访问令牌根资源下的虚拟资源的实体。The authorization entity according to claim 14, wherein the access token root resource has a common attribute of a common resource and a public attribute specifying an access control policy, and the access control policy specified by the public attribute indicates that the access is permitted An entity that accesses the token root resource and the virtual resource under the access token root resource.
  16. 如权利要求15所述的授权实体,其特征在于,所述处理模块还用于:The authorization entity according to claim 15, wherein the processing module is further configured to:
    为所述发起实体生成访问令牌之前,根据所述访问令牌根资源的指定访问控制策略的公共属性,确定允许所述发起实体访问所述访问令牌根资源下的虚拟资源。Before generating the access token for the initiating entity, determining, according to the public attribute of the specified access control policy of the access token root resource, that the initiating entity is allowed to access the virtual resource under the access token root resource.
  17. 如权利要求14所述的授权实体,其特征在于,所述访问令牌资源具有普通资源的通用属性以及超期时间属性、签发者属性、持有者属性和令牌属性,所述超期时间属性用于指定所述访问令牌资源的有效期,所述签发者属性用于指示生成所述访问令牌的实体,所述持有者属性用于指示请求并获得所述访问令牌的实体,所述令牌属性用于存储所述访问令牌。The authorization entity according to claim 14, wherein said access token resource has a general attribute of a common resource and an expired time attribute, an issuer attribute, a holder attribute, and a token attribute, and the expired time attribute is used. Specifying an expiration date of the access token resource, the issuer attribute is used to indicate an entity that generates the access token, and the holder attribute is used to indicate an entity that requests and obtains the access token, A token attribute is used to store the access token.
  18. 如权利要求14所述的授权实体,其特征在于,所述处理模块还用于:从访问令牌授权策略实体获取所述访问令牌授权策略。The authorization entity according to claim 14, wherein the processing module is further configured to: acquire the access token authorization policy from an access token authorization policy entity.
  19. The authorization entity according to any one of claims 14 to 18, wherein the access token further carries authentication information, the authentication information comprising the identifier of the entity that generated the access token, the identifier of the initiating entity, and an expiration time;
    and the authorization information of the access token comprises a service role and/or an access control policy of the initiating entity.
  20. The authorization entity according to claim 19, wherein the processing module is specifically configured to:
    generate access token plaintext according to the access token authorization policy and the permission description information;
    the sending module is further configured to:
    send the generated access token plaintext to a security function entity, which digitally signs and/or encrypts the access token plaintext to obtain the access token and returns it;
    and the receiving module is further configured to:
    receive the access token returned by the security function entity.
  21. An initiating entity, comprising:
    a sending module, configured to send to an authorization entity an access token resource creation request directed at the access token issuing resource under the access token root resource, the access token resource creation request carrying the identifier of the initiating entity and permission description information of the requested access token;
    a receiving module, configured to receive the access token returned by the authorization entity, or to receive address information of an access token resource created by the authorization entity under the access token root resource, the access token resource storing the access token, and the access token carrying at least authorization information;
    wherein the access token root resource is an ordinary resource under the root resource of a common service entity (CSE), the access token issuing resource is a virtual resource under the access token root resource, and the access token resource is an ordinary resource under the access token root resource.
  22. The initiating entity according to claim 21, wherein the access token root resource has the common attributes of an ordinary resource together with a public attribute that specifies an access control policy, and the access control policy specified by that public attribute indicates which entities are permitted to access the access token root resource and the virtual resources under the access token root resource.
  23. The initiating entity according to claim 21, wherein the access token resource has the common attributes of an ordinary resource together with an expiration time attribute, an issuer attribute, a holder attribute and a token attribute; the expiration time attribute specifies the validity period of the access token resource, the issuer attribute indicates the entity that generated the access token, the holder attribute indicates the entity that requested and obtained the access token, and the token attribute stores the access token.
  24. The initiating entity according to claim 23, further comprising an obtaining module configured to:
    after the receiving module receives the address information of the access token resource created by the authorization entity under the access token root resource, obtain the access token according to the address information.
  25. The initiating entity according to any one of claims 21 to 24, wherein the access token further carries authentication information, the authentication information comprising the identifier of the entity that generated the access token, the identifier of the entity that requested and holds the access token, and an expiration time;
    and the authorization information of the access token comprises a service role and/or an access control policy of the initiating entity.
  26. The initiating entity according to claim 25, wherein the sending module is further configured to:
    send a resource access request, the resource access request carrying the access token.
  27. An authorization entity, comprising: a processor, a transceiver and a memory;
    the processor being configured to read a program from the memory and perform the following process:
    receive, via the transceiver, an access token resource creation request sent by an initiating entity for the access token issuing resource under the access token root resource, the access token resource creation request carrying permission description information of the requested access token;
    generate an access token for the initiating entity according to an access token authorization policy and the permission description information, the access token carrying at least authorization information, and create under the access token root resource an access token resource for the generated access token, the access token resource storing the access token;
    and send the access token, or the address information of the access token resource, to the initiating entity via the transceiver.
  28. An initiating entity, comprising: a processor, a transceiver and a memory;
    the processor being configured to read a program from the memory and perform the following process:
    send, via the transceiver, to an authorization entity an access token resource creation request for the access token issuing resource under the access token root resource, the access token resource creation request carrying permission description information of the requested access token;
    and receive, via the transceiver, the access token returned by the authorization entity, or receive address information of an access token resource created by the authorization entity under the access token root resource, the access token resource storing an access token that carries at least authorization information.
PCT/CN2016/087973 2015-07-16 2016-06-30 Method for issuing access token and related device WO2017008640A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201510419740.3A CN106358246B (en) 2015-07-16 2015-07-16 Access token issuing method and related equipment
CN201510419740.3 2015-07-16

Publications (1)

Publication Number Publication Date
WO2017008640A1 true WO2017008640A1 (en) 2017-01-19

Family

ID=57757803

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2016/087973 WO2017008640A1 (en) 2015-07-16 2016-06-30 Method for issuing access token and related device

Country Status (2)

Country Link
CN (1) CN106358246B (en)
WO (1) WO2017008640A1 (en)


Also Published As

Publication number Publication date
CN106358246B (en) 2020-01-24
CN106358246A (en) 2017-01-25


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 16823787; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 16823787; Country of ref document: EP; Kind code of ref document: A1)