WO2018228199A1 - Authorization method and related device - Google Patents

Authorization method and related device

Info

Publication number
WO2018228199A1
Authority
WO
WIPO (PCT)
Prior art keywords
server
terminal device
signature information
information
temporary certificate
Application number
PCT/CN2018/089039
Other languages
French (fr)
Chinese (zh)
Inventor
袁哲
Original Assignee
腾讯科技(深圳)有限公司
Application filed by 腾讯科技(深圳)有限公司
Publication of WO2018228199A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/102 Entity profiles
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/321 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication involving a third party or a trusted authority
    • H04L9/3213 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication involving a third party or a trusted authority using tickets or tokens, e.g. Kerberos
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication involving digital signatures
    • H04L9/3263 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements

Definitions

  • the present application relates to the field of communications technologies, and in particular, to an authorization method and related devices.
  • authorization by the resource owner is required, and the terminal device can access the resource under the authorization of the resource owner.
  • when the terminal device accesses the resource, it first sends a request message to the resource owner, and the resource owner sends an authorization code to the terminal device.
  • the terminal device requests the access token from the authorization server using the authorization code, and the authorization server verifies the terminal device.
  • after the verification, the access token is returned to the terminal device, and the terminal device accesses the resource on the resource owner through the access token.
  • the specific process is shown in FIG. 1.
  • the resource owner's authorization of the terminal device is real-time authorization, and refined permission requirements cannot be defined for the terminal device.
  • the rights are divided into coarse-grained categories, which cannot satisfy the fine-grained rights management requirements of the cloud service, and using the access token as the credential for accessing the resource after authorization is less secure.
  • the embodiment of the present application provides an authorization method and related equipment.
  • the first aspect of the application provides an authorization method, including:
  • a second aspect of the present application provides an authorization method, including:
  • the terminal device sends the first temporary certificate to the server, where the first temporary certificate is used to request access to resources on the server, so that the server determines the target authority corresponding to the terminal device according to the first temporary certificate,
  • the target authority is a right to access a target resource on the server;
  • the server is a server on a cloud service provider side, and the terminal device is a server on a third party service provider side;
  • the terminal device accesses the target resource by using the second temporary certificate.
  • a third aspect of the present application provides a server, including:
  • a receiving unit configured to receive a first temporary certificate sent by the terminal device, where the first temporary certificate is used to request access to resources on the server;
  • a determining unit configured to determine, according to the first temporary certificate, a target right corresponding to the terminal device, where the target right is a right to access a target resource on the server;
  • a sending unit configured to send the second temporary certificate corresponding to the target authority to the terminal device, so that the terminal device accesses the target resource by using the second temporary certificate.
  • a fourth aspect of the present application provides a terminal device, including:
  • a sending unit configured to send the first temporary certificate to the server, where the first temporary certificate is used to request access to resources on the server, so that the server determines, according to the first temporary certificate, a target authority corresponding to the terminal device, the target authority being a right to access a target resource on the server;
  • a receiving unit configured to receive a second temporary certificate corresponding to the target authority sent by the server;
  • an access unit configured to access the target resource by using the second temporary certificate.
  • a fifth aspect of the present application provides a server, including:
  • one or more central processing units, a memory, a bus system, and one or more programs, the central processing units and the memory being coupled by the bus system;
  • the one or more programs are stored in the memory, the one or more programs comprising instructions that, when executed by the server, cause the server to perform the authorization method described in the first aspect of the present application.
  • a sixth aspect of the present application provides a terminal device, including:
  • one or more processor units, memory units, bus systems, and one or more programs, the processor units and the memory units being coupled by the bus system;
  • the one or more programs are stored in the storage unit, the one or more programs including instructions that, when executed by the terminal device, cause the terminal device to perform the authorization method described in the second aspect of the present application.
  • a seventh aspect of the present application provides a computer storage medium comprising instructions which, when executed on a computer, cause the computer to perform the method of the first aspect of the application.
  • a seventh aspect of the present application provides a computer storage medium comprising instructions which, when run on a computer, cause the computer to perform the method of the second aspect of the present application.
  • the embodiments of the present application have the following advantages:
  • the server may implement refined authority management for the terminal device by using the second temporary certificate, that is, the terminal device has only the target right on the server, which ensures the security and flexibility of the terminal device's access to the target resource on the server.
  • FIG. 1 is a schematic flow chart of steps of an authorization method.
  • FIG. 2 is a schematic structural diagram of an embodiment of a structure of a cloud service system provided by the present application
  • FIG. 3 is a schematic structural diagram of an embodiment of a cloud service provider side server provided by the present application.
  • FIG. 4 is a schematic structural diagram of an embodiment of a terminal device provided by the present application.
  • FIG. 5 is a flow chart of steps of an embodiment of an authorization method provided by the present application.
  • FIG. 6 is a flow chart of steps of another embodiment of the authorization method provided by the present application.
  • FIG. 7 is a flow chart of steps of another embodiment of the authorization method provided by the present application.
  • FIG. 8 is a schematic diagram of creating a pre-selected permission provided by the present application.
  • FIG. 9 is a schematic structural diagram of another embodiment of a cloud service provider side server provided by the present application.
  • FIG. 10 is a schematic structural diagram of another embodiment of a terminal device provided by the present application.
  • FIG. 11 is a schematic diagram of an application scenario provided by the present application.
  • the embodiment of the present application provides an authorization method for performing refined rights management on a terminal device.
  • the server in the embodiment of the present application may be a cloud service provider side server, and may be other types of servers.
  • the specific application is not limited.
  • the following embodiment uses a cloud service provider side server as an example to introduce the authorization method and related equipment of the present application.
  • the authorization method shown in this embodiment may be based on a cloud service system.
  • the structure of the cloud service system shown in this embodiment may be as shown in FIG. 2, where the cloud service system includes a cloud service provider side server 201.
  • the cloud service provider side server shown in this embodiment is a server on the service platform side of the cloud service provider.
  • the cloud service system shown in this embodiment further includes at least one terminal device 202.
  • This embodiment is exemplified by taking the number of the terminal devices 202 as one.
  • the terminal device 202 shown in this embodiment is a device on the third party service provider side.
  • the third-party service provider builds on the cloud computing product-based service platform established by the cloud service provider, and provides software, services, website construction, and enterprise application services to cloud service developers to help users make better use of the cloud computing products and services of the service platform.
  • the cloud service provider side server shown in this embodiment may be a resource owner (RO), a resource server (Resource Server), or an authorization server (AS).
  • the terminal device 202 can request authorization from the cloud service provider side server through the OAUTH protocol.
  • the configuration of the cloud service provider side server 201 is optionally described below with reference to FIG. 3. Specifically, the description of the cloud service provider side server structure in this embodiment is an optional example, on the condition that the cloud service provider side server 201 can authorize the terminal device 202 so that the terminal device 202 can access resources on the cloud service provider side server 201 according to that authorization.
  • the cloud service provider side server may vary considerably depending on configuration or performance, and may include one or more central processing units (CPU) 301 (for example, one or more processors), a memory 302, and one or more storage media 305 (for example, one or more storage devices) that store an application 303 or data 304.
  • the memory 302 and the storage medium 305 may be short-term storage or persistent storage.
  • the program stored on storage medium 305 can include one or more modules (not shown), each of which can include a series of instruction operations in the server.
  • the central processing unit 301 can be configured to communicate with the storage medium 305 to perform a series of instruction operations in the storage medium 305 on the cloud service provider side server.
  • the cloud service provider side server may also include one or more power sources 306, one or more wired or wireless network interfaces 307, one or more input and output interfaces 308, and/or one or more operating systems 309, such as Windows Server™, Mac OS X™, Unix™, Linux™, FreeBSD™, and the like.
  • the specific structure of the terminal device 202 shown in this embodiment is exemplarily described below with reference to FIG.
  • the terminal device includes components such as an input unit 405, a processor unit 403, an output unit 401, a communication unit 407, a storage unit 404, a radio frequency circuit 408, and the like.
  • the structure of the terminal device shown in FIG. 4 does not constitute a limitation of the present application; it may be a bus-shaped structure or a star-shaped structure, and may include more or fewer components than illustrated, combine some components, or arrange the components differently.
  • the terminal device may be any mobile or portable electronic device, including but not limited to a smart phone, a mobile computer, a tablet computer, a personal digital assistant (PDA), a media player, a smart TV, and the like.
  • the terminal device includes:
  • the output unit 401 is configured to output an image to be displayed.
  • the output unit 401 includes but is not limited to the image output unit 4011 and the sound output unit 4012.
  • the image output unit 4011 is configured to output text, pictures, and/or video.
  • the image output unit 4011 may include a display panel, for example a display panel configured in the form of a liquid crystal display (LCD), an organic light-emitting diode (OLED) display, or a field emission display (FED).
  • the image output unit 4011 may include a reflective display, such as an electrophoretic display, or a display using an Interferometric Modulation of Light.
  • the image output unit 4011 may include a single display or a plurality of displays of different sizes.
  • the touch screen can also serve as a display panel of the output unit 401 at the same time.
  • when the touch screen detects a touch or proximity gesture operation on it, the operation is transmitted to the processor unit 403 to determine the type of the touch event, and the processor unit 403 then provides a corresponding visual output on the display panel according to the type of the touch event.
  • although the input unit 405 and the output unit 401 are described as two independent components that implement the input and output functions of the terminal device, in some embodiments the touch device may be integrated with the display panel to implement the input and output functions of the terminal device.
  • the image output unit 4011 can display various graphical user interfaces (GUI) as virtual control components, including but not limited to windows, scroll bars, icons, and clipboards, for the user to operate by touch.
  • the image output unit 4011 includes a filter and an amplifier for filtering and amplifying the video output by the processor unit 403.
  • the sound output unit 4012 includes a digital to analog converter for converting the audio signal output by the processor unit 403 from a digital format to an analog format.
  • the processor unit 403 is configured to run a corresponding code to process the received information to generate and output a corresponding interface.
  • the processor unit 403 is the control center of the terminal device; it connects the various parts of the entire terminal device by various interfaces and lines, and performs the various functions of the terminal device and/or processes data by running or executing software programs and/or modules stored in the storage unit and calling data stored in the storage unit.
  • the processor unit 403 may be composed of an integrated circuit (IC), for example a single packaged IC, or a plurality of packaged ICs having the same or different functions connected together.
  • the processor unit 403 may include only a central processing unit (CPU), or may be a graphics processing unit (GPU).
  • the CPU may be a single operation core, and may also include a multi-operation core.
  • the storage unit 404 is configured to store code and data, and the code is run by the processor unit 403.
  • the storage unit 404 can be used to store software programs and modules, and the processor unit 403 executes various functional applications of the terminal device and implements data processing by running software programs and modules stored in the storage unit 404.
  • the storage unit 404 mainly includes a program storage area and a data storage area, where the program storage area can store an operating system and the applications required for at least one function, such as a sound playing program or an image playing program, and the data storage area can store data created by the use of the terminal device (such as audio data, a phone book, and so on).
  • the storage unit 404 may include a volatile memory, such as non-volatile dynamic random access memory (NVRAM), phase change RAM (PRAM), or magnetoresistive RAM (MRAM), and may also include a non-volatile memory, such as at least one disk storage device, electrically erasable programmable read-only memory (EEPROM), or a flash memory device such as NOR flash memory or NAND flash memory.
  • the non-volatile memory stores an operating system and applications executed by the processor unit 403.
  • the processor unit 403 loads the running program and data from the non-volatile memory into the memory and stores the digital content in a plurality of storage devices.
  • the operating system includes various components and/or drivers for controlling and managing conventional system tasks such as memory management, storage device control, power management, and the like, as well as facilitating communication between various hardware and software.
  • the operating system may be an Android system of Google, an iOS system developed by Apple, a Windows operating system developed by Microsoft, or an embedded operating system such as Vxworks.
  • the application includes any application installed on the terminal device, including but not limited to browsers, emails, instant messaging services, word processing, keyboard virtualization, widgets, encryption, digital rights management, voice recognition, Voice copying, positioning (such as those provided by GPS), music playback, and more.
  • the input unit 405 is configured to implement interaction between the user and the terminal device and/or information input into the terminal device.
  • the input unit 405 can receive numeric or character information input by a user to generate a signal input related to user settings or function control.
  • the input unit 405 may be a touch screen, or may be other human-computer interaction interfaces, such as physical input keys, microphones, etc., and may also be other external information capture devices, such as cameras.
  • the touch screen shown in the embodiment of the present application can collect an operation action touched or approached by the user.
  • the user uses an action of any suitable object or accessory such as a finger, a stylus, or the like on the touch screen or near the touch screen, and drives the corresponding connecting device according to a preset program.
  • the touch screen may include two parts: a touch detection device and a touch controller. The touch detection device detects the user's touch operation, converts the detected touch operation into an electrical signal, and transmits the electrical signal to the touch controller; the touch controller receives the electrical signal from the touch detection device, converts it into contact coordinates, and sends them to the processor unit 403.
  • the touch controller can also receive commands from the processor unit 403 and execute them.
  • the touch screen may be implemented using various types, such as resistive, capacitive, infrared, and surface acoustic wave.
  • the physical input keys used by the input unit 405 may include, but are not limited to, a physical keyboard, function keys (such as a volume control button, a switch button, etc.), a trackball, a mouse, a joystick, and the like.
  • the input unit 405 in the form of a microphone can collect the voice input by the user or the environment and convert it into a command executable by the processor unit 403 in the form of an electrical signal.
  • the input unit 405 may also be various types of sensor components, such as Hall devices, for detecting physical quantities of the terminal device, such as force, moment, pressure, stress, position, displacement, speed, acceleration, angle, angular velocity, number of revolutions, rotational speed, and the time at which the operating state changes, and converting them into electrical signals for detection and control.
  • sensor components may also include gravity sensors, three-axis accelerometers, gyroscopes, electronic compasses, ambient light sensors, proximity sensors, temperature sensors, humidity sensors, pressure sensors, heart rate sensors, fingerprint readers, and the like.
  • the communication unit 407 is configured to establish a communication channel, enable the terminal device to connect to the remote server through the communication channel, and download media data from the remote server.
  • the communication unit 407 may include a wireless local area network (wireless LAN) module, a Bluetooth module, a baseband module, and the like, together with the radio frequency (RF) circuit corresponding to the communication module, for wireless local area network communication, Bluetooth communication, infrared communication and/or cellular communication system communication, such as Wideband Code Division Multiple Access (W-CDMA) and/or High Speed Downlink Packet Access (HSDPA).
  • the communication module is used to control communication of the components in the terminal device and can support direct memory access.
  • the various communication modules in the communication unit 407 generally appear in the form of integrated circuit chips, and can be selectively combined without including all of the communication modules and the corresponding antenna groups.
  • the communication unit 407 can include only a baseband chip, a radio frequency chip, and a corresponding antenna to provide communication functionality in a cellular communication system.
  • the wireless communication connection established via the communication unit 407 such as wireless local area network access or WCDMA access, may be connected to a cellular network (English name: Cellular Network) or the Internet.
  • a communication module, such as a baseband module, in the communication unit 407 can be integrated into the processor unit 403, typically an APQ+MDM series platform such as that provided by Qualcomm.
  • the radio frequency circuit 408 is used for receiving and transmitting signals during information transmission and reception or during a call. For example, after downlink information from the base station is received, it is processed by the processor unit 403; in addition, uplink data is transmitted to the base station.
  • the radio frequency circuit 408 includes well-known circuits for performing these functions, including but not limited to an antenna system, a radio frequency transceiver, one or more amplifiers, a tuner, one or more oscillators, a digital signal processor, a codec chipset, a Subscriber Identity Module (SIM) card, a memory, and the like.
  • radio frequency circuitry 408 can also communicate with the network and other devices via wireless communication.
  • the wireless communication may use any communication standard or protocol, including but not limited to Global System of Mobile communication (GSM), General Packet Radio Service (GPRS), Code Division Multiple Access (CDMA), Wideband Code Division Multiple Access (WCDMA), High Speed Uplink Packet Access (HSUPA), Long Term Evolution (LTE), e-mail, Short Messaging Service (SMS), and so on.
  • a power source 409 is provided to power different components of the terminal device to maintain its operation.
  • the power source 409 may be a built-in battery, such as a conventional lithium ion battery, a nickel hydride battery, etc., and also includes an external power source that directly supplies power to the terminal device, such as an AC adapter.
  • the power supply 409 can also be more widely defined; for example, it can also include a power management system, a charging system, a power failure detection circuit, a power converter or inverter, a power status indicator (such as a light-emitting diode), and any other components associated with the generation, management, and distribution of power in the terminal equipment.
  • Step 501 The cloud service provider side server receives the first temporary certificate sent by the terminal device.
  • the first temporary certificate is used to request access to resources on the cloud service provider side server
  • the user may log in to a target website on the terminal device, where the target website is a website for obtaining the authorization of the cloud service provider side server, and the website enables the terminal device to send the first temporary certificate to the cloud service provider side server.
  • the terminal device may send the first temporary certificate to the cloud service provider side server.
  • Step 502 The cloud service provider side server determines, according to the first temporary certificate, a target authority corresponding to the terminal device.
  • the target authority is a right to access a target resource on the cloud service provider side server.
  • Step 503 The cloud service provider side server sends a second temporary certificate corresponding to the terminal device to the terminal device.
  • the second temporary certificate shown in this embodiment is a short-term certificate.
  • the effective time of the second temporary certificate can be configured from a few minutes to a few hours. Once the credentials of the second temporary certificate expire, the cloud service provider side server no longer recognizes the second temporary certificate, so the terminal device can no longer access the target resource on the cloud service provider side server through the second temporary certificate.
  • the specific execution process of the authorization method performed by the cloud service provider side server shown in this embodiment is shown in the embodiment shown in FIG. 7 .
  • Step 601 The terminal device sends the first temporary certificate to the cloud service provider side server.
  • Step 602 The terminal device receives a second temporary certificate sent by the cloud service provider side server.
  • Step 603 The terminal device accesses the target resource on the cloud service provider side server by using the second temporary certificate.
  • the authorization method includes:
  • Step 701 The terminal device sends the request information to the cloud service provider side server.
  • the request information shown in this embodiment includes first token information that has been stored by the terminal device.
  • the first token information is used by the terminal device to perform authentication to the cloud service provider side server.
  • the type of the first token information may be multiple.
  • the type of the first token information is not limited in this embodiment.
  • the terminal device shown in this embodiment requests authentication from the cloud service provider side server by using the first token information, so that the cloud service provider side server can determine, based on the first token information, whether the terminal device is forged, whether it is unauthorized, whether the token has expired, and so on.
  • the terminal device shown in this embodiment may store the uniform resource locator (URL) address of the cloud service provider side server.
  • the terminal device sends the request information to the cloud service provider side server according to that URL address.
  • the terminal device shown in this embodiment may send the request information to a website for authenticating the terminal device on the cloud service provider side server according to the URL address.
  • Step 702 The cloud service provider side server receives the request information sent by the terminal device.
  • Step 703 The cloud service provider side server generates fourth signature information.
  • the cloud service provider side server shown in this embodiment may perform an encryption calculation on the first key identifier, the first token information, and the random reply information (echoInfo) generated by the cloud service provider side server, to generate the fourth signature information.
  • specifically, the cloud service provider side server shown in this embodiment performs the encryption calculation on the first key identifier, the first token information, and the random reply information generated by the cloud service provider side server using its stored long-term key, to generate the fourth signature information.
  • Step 704 The cloud service provider side server sends the fourth signature information to the terminal device.
  • Step 705 The terminal device determines whether the fourth signature information meets the first condition, and if yes, performs step 706.
  • the terminal device may perform decryption calculation on the fourth signature information to obtain the first key identifier, the first token information, and the random reply information generated by the cloud service provider side server that are included in the fourth signature information.
  • the first condition shown in this embodiment is that the first token information included in the fourth signature information is the same as the first token information stored by the terminal device.
  • if the first condition is met, step 706 is performed.
  • Step 706 The terminal device sends the fifth signature information to the cloud service provider side server.
  • the terminal device shown in this embodiment sends the random reply information included in the fourth signature information to the cloud service provider side server.
  • the specific sending manner is that the terminal device performs encryption calculation on the received random reply information to generate the fifth signature information, that is, the fifth signature information generated by the terminal device includes the random reply information.
  • the terminal device shown in this embodiment may send the random reply information to the cloud service provider side server by using the fifth signature information.
  • the terminal device may invoke a target interface of the cloud service provider side server to implement data interaction between the terminal device and the cloud service provider side server.
  • the target interface of the cloud service provider side server may be an Application Programming Interface (API) of the Open Service Authorization of the cloud service provider side server.
  • API Application Programming Interface
  • the terminal device shown in this embodiment invokes the target interface of the cloud service provider side server by using the fifth signature information.
  • Step 707 The cloud service provider side server acquires the random reply information included in the fifth signature information.
  • the cloud service provider side server performs decryption calculation on the fifth signature information to obtain the random reply information included in the fifth signature information.
  • Step 708 The cloud service provider side server determines whether the fifth signature information satisfies the second condition, and if yes, performs step 709.
  • the cloud service provider side server may determine whether the fifth signature information satisfies the second condition.
  • the second condition is that the random reply information included in the fifth signature information is the same as the random reply information generated by the cloud service provider side server.
  • if the cloud service provider side server determines that the random reply information included in the fifth signature information is the same as the random reply information generated by the cloud service provider side server, that is, the fifth signature information satisfies the second condition, the cloud service provider side server and the terminal device have completed the URL confirmation, and data interaction is possible between a cloud service provider side server and a terminal device that have completed the URL confirmation.
  • the target interface of the cloud service provider side server is successfully invoked by the terminal device.
  • Step 709 The cloud service provider side server generates first signature information.
  • the cloud service provider side server shown in this embodiment performs encryption calculation on the encrypted ticket to generate first signature information, where the encrypted ticket is used to authenticate the terminal device.
  • Step 710 The cloud service provider side server sends the first signature information to the terminal device.
  • the cloud service provider side server sends the generated first signature information to the terminal device.
  • Step 711 The terminal device sends the second signature information to the cloud service provider side server.
  • the terminal device shown in this embodiment may perform decryption calculation on the first signature information to obtain the encrypted ticket included in the first signature information.
  • the terminal device performs an encryption calculation on the encrypted ticket to generate the second signature information, and the second signature information generated by the terminal device includes the encrypted ticket.
  • Step 712 The cloud service provider side server acquires the encrypted ticket included in the second signature information.
  • the cloud service provider side server shown in this embodiment may receive the second signature information sent by the terminal device, and perform decryption calculation on the second signature information to obtain the encrypted ticket included in the second signature information.
  • Step 713 The cloud service provider side server acquires third signature information.
  • the cloud service provider side server may perform encryption calculation on the encrypted ticket included in the second signature information to generate the third signature information.
  • Step 714 The cloud service provider side server sends the first temporary certificate to the terminal device if it is determined that the third condition is met.
  • the cloud service provider side server shown in this embodiment determines whether the second signature information and the third signature information are the same; if they are the same, the cloud service provider side server can determine that the third condition is met, that is, the third condition shown in this embodiment is that the third signature information is the same as the second signature information.
  • the terminal device may perform encryption calculation on the encrypted ticket by using the long-term key of the terminal device, and request the first temporary certificate from the cloud service provider side server with the resulting encrypted ticket.
  • after the terminal device obtains the first temporary certificate, the terminal device can complete an authentication link with the cloud service provider side server by using the first temporary certificate, and mutual authentication is thereby achieved.
  • the terminal device and the cloud service provider side server can perform a real-time authorization process.
  • the real-time authorization process shown in this embodiment is based on the OAuth 2.0 protocol real-time authorization process.
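The mutual confirmation of steps 701 to 714 (summarized on the server side in steps 501 to 503 and on the terminal side in steps 601 to 603), worked through as an added example that is not part of the patent. The description never names a cipher, so "encryption calculation" and "decryption calculation" are rendered here as attaching and checking an HMAC-SHA256 tag under a shared long-term key; that rendering, the two keys, the key identifier and the token values are all assumptions constructed for the example.

```python
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed long-term keys; each side is assumed to hold both out of band.
SERVER_KEY = b"server-long-term-key-example"
TERMINAL_KEY = b"terminal-long-term-key-example"


def sign(key: bytes, fields: dict) -> dict:
    """'Encryption calculation' (assumption): an HMAC-SHA256 tag over the canonical JSON of the fields."""
    body = json.dumps(fields, sort_keys=True).encode()
    return {"fields": fields, "tag": hmac.new(key, body, hashlib.sha256).hexdigest()}


def open_signed(key: bytes, signed: dict) -> Optional[dict]:
    """'Decryption calculation' (assumption): recompute the tag and release the fields only if it matches."""
    body = json.dumps(signed["fields"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    return signed["fields"] if hmac.compare_digest(expected, signed["tag"]) else None


class CloudServer:
    def __init__(self) -> None:
        self.key_id = "key-001"                 # first key identifier (constructed)
        self.issued_tokens = {"tok-abc"}        # first token information the server has issued
        self.echo_info: Optional[str] = None    # random reply information (echoInfo) for the open round
        self.ticket: Optional[str] = None       # encrypted ticket for the open round

    def step_703(self, request: dict) -> Optional[dict]:
        """Steps 702-704: reject unknown tokens, otherwise answer with the fourth signature information."""
        if request.get("token") not in self.issued_tokens:
            return None                         # forged, unauthorized or expired token
        self.echo_info = secrets.token_hex(16)
        return sign(SERVER_KEY, {"key_id": self.key_id, "token": request["token"], "echoInfo": self.echo_info})

    def step_707(self, fifth: dict) -> Optional[dict]:
        """Steps 707-710: second condition, the echoed reply must equal the one the server generated."""
        fields = open_signed(TERMINAL_KEY, fifth)
        if fields is None or self.echo_info is None:
            return None
        if not hmac.compare_digest(str(fields.get("echoInfo", "")), self.echo_info):
            return None
        self.echo_info = None                   # a reply is accepted once; a replayed fifth signature fails
        self.ticket = secrets.token_hex(16)
        return sign(SERVER_KEY, {"ticket": self.ticket})   # first signature information

    def step_714(self, second: dict) -> Optional[str]:
        """Steps 712-714: recomputing the tag over the ticket is the third signature; it must equal the second."""
        fields = open_signed(TERMINAL_KEY, second)
        if fields is None or self.ticket is None:
            return None
        if not hmac.compare_digest(str(fields.get("ticket", "")), self.ticket):
            return None
        self.ticket = None
        return "tmpcert-" + secrets.token_hex(8)   # first temporary certificate


class Terminal:
    def __init__(self, token: str, key: bytes = TERMINAL_KEY) -> None:
        self.token = token                      # first token information stored by the terminal
        self.key = key                          # the terminal's long-term key

    def step_701(self) -> dict:
        return {"token": self.token}            # request information

    def step_705(self, fourth: dict) -> Optional[dict]:
        """First condition: the token inside the fourth signature equals the stored token."""
        fields = open_signed(SERVER_KEY, fourth)
        if fields is None or fields.get("token") != self.token:
            return None
        return sign(self.key, {"echoInfo": fields["echoInfo"]})   # fifth signature information

    def step_711(self, first: dict) -> Optional[dict]:
        """Step 711: recover the encrypted ticket and sign it back with the terminal key."""
        fields = open_signed(SERVER_KEY, first)
        return None if fields is None else sign(self.key, {"ticket": fields["ticket"]})


def run_handshake(terminal: Terminal, server: CloudServer) -> Optional[str]:
    """Drive steps 701-714; returns the first temporary certificate, or None if any condition fails."""
    fourth = server.step_703(terminal.step_701())
    fifth = terminal.step_705(fourth) if fourth else None
    first = server.step_707(fifth) if fifth else None
    second = terminal.step_711(first) if first else None
    return server.step_714(second) if second else None


if __name__ == "__main__":
    print(run_handshake(Terminal("tok-abc"), CloudServer()))                # a tmpcert-... string
    print(run_handshake(Terminal("tok-abc", b"wrong-key"), CloudServer()))  # None: forged terminal
    print(run_handshake(Terminal("tok-forged"), CloudServer()))             # None: unknown token
```

Two details matter for the security of the exchange as described: the random reply information and the encrypted ticket are each accepted exactly once, so a captured fifth or second signature cannot be replayed for a fresh certificate, and every comparison goes through `hmac.compare_digest` so that a forged terminal learns nothing from response timing.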
  • Step 715 The terminal device sends the first temporary certificate to the cloud service provider side server.
  • the first temporary certificate is used to request access to resources on the cloud service provider side server.
  • the first temporary certificate shown in this embodiment is used to request a pre-authorization code (precode) from the target interface that the terminal device has already invoked.
  • precode pre-authorization code
  • the pre-authorization code shown in this embodiment can effectively prevent malicious or fake terminal devices from obtaining authorization from the cloud service provider side server, thereby effectively improving the security of the real-time authorization process.
  • Step 716 The cloud service provider side server sends a pre-authorization code to the terminal device.
  • the cloud service provider side server shown in this embodiment may determine whether the first temporary certificate stored by the cloud service provider side server and the currently received first temporary certificate are the same, and if so, the cloud service provider side server can send the pre-authorization code to the terminal device.
  • Step 717 The terminal device acquires authentication information submitted by the user.
  • the terminal device shown in this embodiment may jump to the target website, so that the target website jumps to a login page that includes the pre-authorization code.
  • the login page shown in this embodiment further includes a key identifier.
  • the login page shown in this embodiment can receive the user name and password input by the user for login for identity authentication.
  • in this embodiment, the authentication information includes the user name and password of the user, by way of example.
  • the authentication information may further include other information for authentication, which is not limited in this embodiment.
  • the cloud service provider side server may pre-store a plurality of user names and the passwords corresponding to the user names; the user enters the authentication information to the cloud service provider side server by using the terminal device, and if the cloud service provider side server determines that the authentication information currently entered by the user is stored on the cloud service provider side server, it determines that the user passes authentication.
  • Step 718 The cloud service provider side server acquires the selected permission.
  • the cloud service provider side server may provide a permission list to the user.
  • the permission list includes a plurality of permissions to be selected.
  • the user can select a required authority among the plurality of to-be-selected rights through the permission list.
  • the cloud service provider side server receives the selected operation input by the user through the permission list.
  • the cloud service provider side server determines that the selected rights are at least one of the plurality of to-be-selected rights selected by the selected operation in the permission list.
  • for example, the cloud service provider side server can determine that the permission to log in to Weibo through QQ is the selected permission.
  • the selected permission can be bound to the authentication information of the user, and when the user subsequently logs in through the authentication information, the selected permission bound to the authentication information can be obtained, thereby avoiding repeated selection by the user.
  • Step 719 The cloud service provider side server determines the preselected authority.
  • the pre-selected authority is a permission that the terminal device has selected on the cloud service provider side server.
  • the pre-selected authority shown in this embodiment is a user-defined policy.
  • the policy is a resource that the terminal device can access on the cloud service provider side server.
  • the policy includes a privilege and an authorization object.
  • the privilege includes a privilege, a resource, an authorization interface, an authorization condition, and the like.
  • the authorization object is a user corresponding to the privilege, that is, the cloud service provided in this embodiment.
  • the cloud service provider side server may implement the configuration of the pre-selected authority by using the authority and the authorization object.
  • the cloud service provider side server may create the policy according to an industry domain or a service domain registered by the terminal device.
  • by default, the terminal device can access the resources described in the pre-authorization policy.
  • Step 720 The cloud service provider side server determines a target right corresponding to the terminal device.
  • the cloud service provider side server determines that the intersection of the selected authority and the pre-selected authority is the target authority.
  • the target permission shown in this embodiment is the pre-selected permission.
  • the default authorization policy of the cloud service provider side server is given according to the registered industry domain or service domain.
  • by default, the pre-selected permission is used to restrict the access of the terminal device to the resources of the cloud service provider side server.
  • the target permission shown in this embodiment is an intersection of the selected permission and the pre-selected permission.
  • the target rights are included in the selected rights and the pre-selected rights at the same time.
  • the user using the terminal device can be granted the target authority by the cloud service provider side server, so that the cloud service provider side server controls the access of the terminal device: the terminal device can only access the target resource on the cloud service provider side server, and the cloud service provider side server is further able to control the access mode and timing with which the user accesses the target resource, which are not limited in this embodiment.
  • the pre-selected permission shown in this embodiment is “cloud host management authority (cloud host restart, application, viewing, etc.)”, that is, the pre-selected permission shown in this embodiment is a cloud service provider side server.
  • the selected permission shown in FIG. 11 is “developer custom third-party role”, and the cloud service provider side server performs refined rights management on the terminal device by using the selected permission.
  • for example, the terminal device can log in to the public comment network through WeChat under the operation of the user, and the cloud service provider side server allows that login to the public comment network through WeChat according to the target authority.
  • the time, the number of times, and the like of logging in to the public comment network by means of WeChat may be limited, which is not limited in this embodiment.
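Steps 718 to 720 (selection from a permission list, binding the selection to the user's authentication information, the pre-selected policy per registered domain, and the target authority as the intersection of the two) as an added example that is not the patent's code. A permission is modelled as the privilege, resource, authorization interface and authorization condition the description lists for a policy; the permission names, resource patterns and interface names are constructed placeholders, not a real cloud API, and the "cloud host management authority" default policy mirrors the restart/apply/view example in the text.

```python
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Dict, FrozenSet, Optional


@dataclass(frozen=True)
class Permission:
    """One entry of a policy: the privilege, resource, authorization interface and condition the text lists."""
    privilege: str        # what may be done, e.g. "restart"
    resource: str         # what it applies to, as a glob pattern, e.g. "cloud-host/*"
    interface: str        # the authorization interface (API) through which it is exercised
    condition: str = ""   # optional authorization condition, kept as an opaque string here


Policy = FrozenSet[Permission]

# Constructed sample permissions; the interface names are placeholders, not a real API.
VIEW = Permission("view", "cloud-host/*", "host.Describe")
RESTART = Permission("restart", "cloud-host/*", "host.Reboot")
APPLY = Permission("apply", "cloud-host/*", "host.Create")
DELETE = Permission("delete", "cloud-host/*", "host.Terminate")
READ_OBJECT = Permission("read", "object-store/*", "store.Get")

CATALOGUE: Policy = frozenset({VIEW, RESTART, APPLY, DELETE, READ_OBJECT})   # the permission list
# Default policy for a registered service domain: the "cloud host management authority" example.
CLOUD_HOST_DEFAULT: Policy = frozenset({VIEW, RESTART, APPLY})


def target_authority(selected: Policy, preselected: Policy) -> Policy:
    """Step 720: a right is granted only if it is in both the selected and the pre-selected authority."""
    return selected & preselected


class AuthorizationServer:
    def __init__(self, catalogue: Policy, preselected_by_domain: Dict[str, Policy]) -> None:
        self.catalogue = catalogue                          # permissions offered for selection
        self.preselected_by_domain = preselected_by_domain  # step 719: default policy per domain
        self.bound_selection: Dict[str, Policy] = {}       # selection bound to the user's authentication info

    def grant(self, user: str, domain: str, chosen: Optional[Policy] = None) -> Policy:
        """Steps 718-720. `chosen` is what the user picked from the permission list; None reuses the
        selection bound to this user at an earlier login, so the user is not asked again."""
        if chosen is not None:
            if not chosen <= self.catalogue:
                raise ValueError("selection contains a permission that is not in the permission list")
            self.bound_selection[user] = chosen
        selected = self.bound_selection.get(user, frozenset())
        preselected = self.preselected_by_domain.get(domain, frozenset())
        return target_authority(selected, preselected)


def permits(target: Policy, privilege: str, resource: str, interface: str) -> bool:
    """Access check against the target authority: the privilege and interface must match exactly and the
    requested resource must fall under a granted resource pattern."""
    return any(
        p.privilege == privilege and p.interface == interface and fnmatch(resource, p.resource)
        for p in target
    )


if __name__ == "__main__":
    server = AuthorizationServer(CATALOGUE, {"cloud-host": CLOUD_HOST_DEFAULT})
    target = server.grant("alice", "cloud-host", frozenset({RESTART, DELETE, READ_OBJECT}))
    print(sorted(p.privilege for p in target))                                # ['restart']
    print(permits(target, "restart", "cloud-host/vm-17", "host.Reboot"))      # True
    print(permits(target, "delete", "cloud-host/vm-17", "host.Terminate"))    # False
    print(server.grant("alice", "cloud-host") == target)                      # True: bound selection reused
```

The intersection is what keeps a user's selection from widening the terminal's access: a right the user ticks that the domain's default policy does not contain (`delete`, or anything outside the cloud-host domain) never reaches the target authority, and a domain with no pre-selected policy yields an empty grant regardless of what was selected.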
  • Step 721 The cloud service provider side server sends an authorization code to the terminal device.
  • after the cloud service provider side server determines the target authority, the cloud service provider side server sends the authorization code stored by the cloud service provider side server to the terminal device.
  • Step 722 The terminal device sends the sixth signature information to the cloud service provider side server.
  • the terminal device may perform encryption calculation on the authorization code and the first temporary certificate to generate the sixth signature information after receiving the authorization code sent by the cloud service provider side server.
  • Step 723 The cloud service provider side server determines whether the sixth signature information satisfies the fourth condition, and if yes, sends the target access parameter to the terminal device.
  • the cloud service provider side server may perform decryption calculation on the sixth signature information to obtain the authorization code and the first temporary certificate included in the sixth signature information.
  • the fourth condition is that the authorization code included in the sixth signature information is the same as the authorization code already stored by the cloud service provider side server.
  • the fourth condition may be that the first temporary certificate included in the sixth signature information is the same as the first temporary certificate that is stored by the cloud service provider side server.
  • the cloud service provider side server may send a target access parameter for accessing the target resource to the terminal device.
  • the target access parameter includes second token information, a second key identifier, and a second temporary certificate.
  • the second temporary certificate shown in this embodiment is a short-term certificate.
  • the effective time of the second temporary certificate can be configured from a few minutes to a few hours. Once the credentials of the second temporary certificate expire, the cloud service provider side server no longer recognizes the second temporary certificate, so the terminal device can no longer access the target resource on the cloud service provider side server through the second temporary certificate.
  • Step 724 The cloud service provider side server sends the target access parameter to the terminal device.
  • the terminal device may access the target resource on the cloud service provider side server by using the received target access parameter, and the specific access process is as follows:
  • Step 725 The terminal device sends the seventh signature information to the cloud service provider side server.
  • the terminal device may perform encryption calculation on the target access parameter to generate the seventh signature information when the terminal device receives the target access parameter.
  • Step 726 The cloud service provider side server generates eighth signature information.
  • the cloud service provider side server performs encryption calculation on the target access parameter generated by the cloud service provider side server to generate eighth signature information.
  • Step 727 The cloud service provider side server determines that the terminal device has the right to access the target resource.
  • if the cloud service provider side server determines that the seventh signature information is the same as the eighth signature information, the cloud service provider side server determines that the terminal device has permission to access the target resource, that is, the terminal device has the target permission.
  • after the cloud service provider side server determines that the terminal device has the target authority, the terminal device can access the target resource on the cloud service provider side server.
  • the cloud service provider side server can perform refined rights management on the terminal device, so that the cloud service provider side server has the capability of open access to the terminal device.
  • at the same time, the security and flexibility of the terminal device accessing the target resource of the cloud service provider side server are ensured, and data interaction between the cloud service provider side server and the terminal device is performed through the signature information, which improves security during data interaction.
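Steps 716 and 721 to 727 (pre-authorization code release, the authorization code check in the sixth signature, issuing the target access parameter with a short-lived second temporary certificate, and the seventh/eighth signature comparison before access) as an added example that is not the patent's code. As in the handshake example above, "encryption calculation" is rendered as an HMAC-SHA256 tag under a shared long-term key, which is an assumption; the key, key identifier, certificate strings and the 600 second lifetime are constructed, and the clock is injectable only so that expiry of the second temporary certificate can be exercised offline.

```python
import hashlib
import hmac
import json
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

TERMINAL_KEY = b"terminal-long-term-key-example"   # constructed shared long-term key


def tag(key: bytes, fields: dict) -> str:
    """'Encryption calculation' (assumption): HMAC-SHA256 over the canonical JSON of the fields."""
    return hmac.new(key, json.dumps(fields, sort_keys=True).encode(), hashlib.sha256).hexdigest()


def terminal_sign(fields: dict) -> dict:
    """Terminal side: produces the sixth (step 722) and seventh (step 725) signature information."""
    return {"fields": fields, "tag": tag(TERMINAL_KEY, fields)}


class CloudServer:
    def __init__(self, first_temp_cert: str, ttl_seconds: int = 600,
                 clock: Callable[[], float] = time.time) -> None:
        self.first_temp_cert = first_temp_cert                   # stored when it was issued
        self.auth_code: Optional[str] = secrets.token_hex(8)    # authorization code stored by the server
        self.ttl = ttl_seconds                                   # lifetime of a second temporary certificate
        self.clock = clock                                       # injectable so expiry can be exercised
        self.live: Dict[str, Tuple[dict, float]] = {}            # second cert -> (target access parameter, expiry)

    def step_716(self, received_cert: str) -> Optional[str]:
        """Pre-authorization code only if the received first temporary certificate is the stored one."""
        if not hmac.compare_digest(received_cert, self.first_temp_cert):
            return None
        return "precode-" + secrets.token_hex(4)

    def step_721(self) -> Optional[str]:
        """After the target authority is determined, hand out the stored authorization code."""
        return self.auth_code

    def step_723(self, sixth: dict) -> Optional[dict]:
        """Fourth condition: code and first temporary certificate in the sixth signature equal the stored ones."""
        fields = sixth["fields"]
        if not hmac.compare_digest(tag(TERMINAL_KEY, fields), sixth["tag"]):
            return None
        if self.auth_code is None or not hmac.compare_digest(str(fields.get("code", "")), self.auth_code):
            return None
        if not hmac.compare_digest(str(fields.get("cert", "")), self.first_temp_cert):
            return None
        self.auth_code = None                                    # the code is redeemed once
        params = {                                               # target access parameter
            "token": secrets.token_hex(8),                       # second token information
            "key_id": "key-002",                                 # second key identifier (constructed)
            "cert": "tmpcert2-" + secrets.token_hex(8),          # second temporary certificate
        }
        self.live[params["cert"]] = (params, self.clock() + self.ttl)
        return params

    def step_727(self, seventh: dict) -> bool:
        """Eighth signature is recomputed over the stored parameter; access needs an equal tag
        and a second temporary certificate that has not expired."""
        entry = self.live.get(str(seventh["fields"].get("cert", "")))
        if entry is None:
            return False
        params, expiry = entry
        if self.clock() >= expiry:
            del self.live[params["cert"]]                        # expired: no longer recognized
            return False
        return hmac.compare_digest(tag(TERMINAL_KEY, params), seventh["tag"])


def demo() -> Dict[str, bool]:
    """Walk steps 716-727 against a fake clock and report each decision."""
    now = [1_000_000.0]
    server = CloudServer("tmpcert-demo", ttl_seconds=600, clock=lambda: now[0])
    out: Dict[str, bool] = {}
    out["precode"] = server.step_716("tmpcert-demo") is not None
    out["precode_wrong_cert"] = server.step_716("tmpcert-other") is not None
    code = server.step_721()
    out["wrong_code"] = server.step_723(terminal_sign({"code": "guess", "cert": "tmpcert-demo"})) is not None
    params = server.step_723(terminal_sign({"code": code, "cert": "tmpcert-demo"}))
    out["granted"] = params is not None
    seventh = terminal_sign(params)
    out["access_ok"] = server.step_727(seventh)
    out["tampered"] = server.step_727(terminal_sign({**params, "token": "other"}))
    out["replayed_code"] = server.step_723(terminal_sign({"code": code, "cert": "tmpcert-demo"})) is not None
    now[0] += 3600                                               # one hour later, past the 600 s lifetime
    out["access_after_expiry"] = server.step_727(seventh)
    return out


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Because the eighth signature is computed over the parameter the server itself stored, a seventh signature over an altered token or key identifier never matches, and because the lookup is keyed on the second temporary certificate with its expiry, a certificate past its configured lifetime is forgotten by the server exactly as the text describes.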
  • the cloud service provider side server shown in this embodiment is used to perform the authorization method shown in FIG. 9.
  • the specific implementation process is shown in FIG. 9, which is not specifically described in this embodiment.
  • the first processing unit 901 is configured to perform encryption calculation on the encrypted ticket to generate first signature information, send the first signature information to the terminal device, and receive second signature information sent by the terminal device, where the second signature information includes the encrypted ticket obtained by the terminal device performing decryption calculation on the first signature information; perform decryption calculation on the second signature information to obtain the encrypted ticket included in the second signature information; perform encryption calculation on the encrypted ticket to generate third signature information; and, if it is determined that the third signature information is the same as the second signature information, send the first temporary certificate to the terminal device.
  • before the first processing unit 901 sends the first signature information to the terminal device, the first processing unit 901 is specifically configured to receive request information sent by the terminal device, where the request information includes the first token information stored by the terminal device; perform encryption calculation on the first key identifier, the first token information, and the random reply information generated by the cloud service provider side server to generate fourth signature information; send the fourth signature information to the terminal device, so that if the terminal device determines that the first token information included in the fourth signature information is the same as the first token information stored by the terminal device, the terminal device sends fifth signature information, which includes the random reply information, to the cloud service provider side server; perform decryption calculation on the fifth signature information to obtain the random reply information included in the fifth signature information; and, if it is determined that the random reply information included in the fifth signature information is the same as the random reply information generated by the cloud service provider side server, trigger the step of sending the first signature information to the terminal device.
  • the receiving unit 902 is configured to receive a first temporary certificate sent by the terminal device, where the first temporary certificate is used to request access to a resource on the cloud service provider side server;
  • a determining unit 903 configured to determine, according to the first temporary certificate, a target right corresponding to the terminal device, where the target right is a right to access a target resource on the cloud service provider side server;
  • the determining unit 903 is specifically configured to generate a permission list according to the first temporary certificate, where the permission list includes a plurality of to-be-selected rights; receive the selected operation input by the user through the permission list; determine the selected authority, where the selected authority is at least one of the plurality of to-be-selected rights selected by the selected operation in the permission list; determine the pre-selected authority, where the pre-selected authority is the permission that the terminal device has selected on the cloud service provider side server; and determine that the intersection of the selected authority and the pre-selected authority is the target authority.
  • the sending unit 904 is configured to send the second temporary certificate corresponding to the target authority to the terminal device, so that the terminal device accesses the target resource by using the second temporary certificate.
  • the sending unit 904 is specifically configured to send the authorization code stored by the cloud service provider side server to the terminal device, and receive sixth signature information sent by the terminal device, where the sixth signature information is signature information generated by the terminal device performing encryption calculation on the authorization code and the first temporary certificate; and, if it is determined that the authorization code included in the sixth signature information is the same as the authorization code stored by the cloud service provider side server, send the target access parameter used to access the target resource to the terminal device, where the target access parameter includes second token information, a second key identifier, and the second temporary certificate.
  • the second processing unit 905 is configured to receive seventh signature information sent by the terminal device to access the target resource, where the seventh signature information is signature information generated by the terminal device performing encryption calculation on the target access parameter; perform encryption calculation on the target access parameter generated by the cloud service provider side server to generate eighth signature information; and, if it is determined that the seventh signature information is the same as the eighth signature information, determine that the terminal device has permission to access the target resource.
  • the cloud service provider side server shown in this embodiment is used to perform the authorization method shown in FIG. 5, and the specific implementation process is shown in FIG. 5, which is not specifically described in this embodiment.
  • the first processing unit 1001 is configured to receive first signature information sent by the cloud service provider side server, where the first signature information is signature information generated by the cloud service provider side server performing encryption calculation on the encrypted ticket; perform decryption calculation on the first signature information to obtain the encrypted ticket; perform encryption calculation on the encrypted ticket to obtain second signature information; and send the second signature information to the cloud service provider side server.
  • the cloud service provider side server sends the first temporary certificate to the terminal device when the cloud service provider side server determines that the third signature information and the second signature information are the same.
  • the third signature information includes the encrypted ticket, and the first processing unit 1001 receives the first temporary certificate sent by the cloud service provider side server.
  • the first processing unit 1001 is specifically configured to send request information to the cloud service provider side server, where the request information includes the first token information stored by the terminal device, so that the cloud service provider side server sends fourth signature information to the terminal device, where the fourth signature information includes the first key identifier, the first token information, and the random reply information generated by the cloud service provider side server; receive the fourth signature information; if it is determined that the first token information included in the fourth signature information is the same as the first token information stored by the terminal device, perform encryption calculation on the random reply information to generate fifth signature information; and send the fifth signature information to the cloud service provider side server, so that when the cloud service provider side server determines that the random reply information included in the fifth signature information is the same as the random reply information generated by the cloud service provider side server, the cloud service provider side server sends the first signature information to the terminal device.
  • the sending unit 1002 is configured to send the first temporary certificate to the cloud service provider side server, where the first temporary certificate is used to request access to resources on the cloud service provider side server;
  • the sending unit 1002 is specifically configured to receive the authorization code stored by the cloud service provider side server that is sent by the cloud service provider side server; perform encryption calculation on the authorization code and the first temporary certificate to generate sixth signature information; send the sixth signature information to the cloud service provider side server, so that if the cloud service provider side server determines that the authorization code included in the sixth signature information is the same as the authorization code stored by the cloud service provider side server, the cloud service provider side server sends the target access parameter used to access the target resource to the terminal device, where the target access parameter includes the second token information, the second key identifier, and the second temporary certificate; and receive the target access parameter.
  • the receiving unit 1003 is configured to receive, by the cloud service provider side server, a second temporary certificate corresponding to the target right.
  • the access unit 1004 is configured to access the target resource on the cloud service provider side server by using the second temporary certificate.
  • the second processing unit 1005 is configured to perform encryption calculation on the target access parameter to generate seventh signature information, and send the seventh signature information to the cloud service provider side server, so that if the cloud service provider side server determines that the seventh signature information is the same as the eighth signature information, the cloud service provider side server determines that the terminal device has the right to access the target resource, where the eighth signature information is signature information generated by the cloud service provider side server performing encryption calculation on the target access parameter generated by the cloud service provider side server.
  • the cloud service provider side server includes one or more programs stored in the memory 302, the one or more programs including instructions that, when executed by the cloud service provider side server, cause the cloud service provider side server to perform the method shown in FIG. 5, FIG. 6 or FIG. 7; the specific execution process is not repeated in this embodiment.
  • the terminal device includes one or more processor units 403, a storage unit 404, a bus system and one or more programs, the processor unit 403 and the storage unit 404 being connected by the bus system; the one or more programs are stored in the storage unit 404 and include instructions that, when executed by the terminal device, cause the terminal device to perform the method as shown in FIG. The specific implementation process is not repeated in this embodiment.
  • the disclosed system, apparatus and method may be implemented in other manners. The device embodiments described above are merely illustrative: the division into units is only a logical functional division, and another division may be used in actual implementation; for example, multiple units or components may be combined or integrated into another system, or some features may be omitted or not executed.
  • the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interface, device or unit, and may be electrical, mechanical or of another form.
  • the units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of the embodiment.
  • each functional unit in each embodiment of the present application may be integrated into one processing unit, or each unit may exist physically separately, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit.
  • the integrated unit, if implemented in the form of a software functional unit and sold or used as a standalone product, may be stored in a computer readable storage medium. The storage medium holds a number of instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to perform all or part of the steps of the methods described in the various embodiments of the present application.
  • the foregoing storage medium includes: a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, and the like.

Abstract

Disclosed are an authorization method and a related device. The method in the embodiments of the present application comprises: a server receiving a first temporary certificate sent by a terminal device; the server determining a target authority according to the first temporary certificate; and the server sending a second temporary certificate to the terminal device, wherein the second temporary certificate is used to indicate the target authority, such that the terminal device accesses the target resource on the server by means of the second temporary certificate. It can be seen that the server can implement the refined authority management of the terminal device by means of the second temporary certificate, that is, the terminal device only has access to a target authority for the server, thereby guaranteeing the security and flexibility of the terminal device accessing the target resource on the server.

Description

Authorization method and related equipment
This application claims priority to Chinese patent application No. 2017104477070, filed with the Chinese Patent Office on June 14, 2017 and entitled "Authorization method and related equipment", the entire contents of which are incorporated herein by reference.
Technical field
The present application relates to the field of communications technologies, and in particular to an authorization method and related equipment.
Background
When a terminal device accesses a resource it needs the authorization of the resource owner; with that authorization it can access the resource.
In general, when a terminal device wants to access a resource it first sends a request message to the resource owner, and the resource owner sends an authorization code to the terminal device. The terminal device uses the authorization code to request an access token from the authorization server; the authorization server verifies the terminal device and, if verification succeeds, returns an access token to the terminal device, which then accesses the resource on the resource owner with that access token. The specific flow is shown in FIG. 1.
In the above scheme the resource owner authorizes the terminal device in real time, and fine-grained permission requirements cannot be defined for the terminal device; permissions are generally divided into a few coarse-grained categories, which cannot meet the fine-grained permission management needs of cloud services. Moreover, using the access token as the credential for accessing resources after authorization offers relatively low security.
Summary of the invention
The embodiments of the present application provide an authorization method and related equipment.
A first aspect of the present application provides an authorization method, including:
a server receiving a first temporary certificate sent by a terminal device, where the first temporary certificate is used to request access to resources on the server;
the server determining, according to the first temporary certificate, a target right corresponding to the terminal device, where the target right is the right to access a target resource on the server;
the server sending a second temporary certificate to the terminal device, so that the terminal device accesses the target resource by using the second temporary certificate.
A second aspect of the present application provides an authorization method, including:
a terminal device sending a first temporary certificate to a server, where the first temporary certificate is used to request access to resources on the server, so that the server determines, according to the first temporary certificate, a target right corresponding to the terminal device, the target right being the right to access a target resource on the server; the server is a server on the cloud service provider side, and the terminal device is a server on the third-party service provider side;
the terminal device receiving the second temporary certificate, corresponding to the target right, sent by the server;
the terminal device accessing the target resource by using the second temporary certificate.
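The two-stage exchange of the first and second aspects (first temporary certificate, target right, second temporary certificate), together with the authorization-code and signature checks described for the terminal device units (sixth signature information over the authorization code and the first temporary certificate; seventh signature information over the target access parameter, which the server compares against its own eighth signature information), modelled in Python as an added example. This is illustrative code written for this page, not code from the application or its assignee. The application only says that signature information is produced by an "encryption calculation" and names no algorithm, so HMAC-SHA256 over a canonical JSON encoding of the signed fields is assumed; the key pre-shared per first temporary certificate, the second key the server returns together with the target access parameter, the expiry on the second temporary certificate, and all class and function names (CloudServer, TerminalDevice, TargetRight, AccessParams, demo) are likewise assumptions made for illustration.

```python
"""Added example: two-stage temporary-certificate authorization (illustrative, not the patent's code).
Assumed: 'encryption calculation' = HMAC-SHA256 over canonical JSON; a key pre-shared per first
certificate; a second key issued with the target access parameter; an expiry on the second certificate."""
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import dataclass


def sign(key: bytes, fields: dict) -> str:
    """Signature information over fields (assumed HMAC-SHA256 of a canonical JSON encoding)."""
    msg = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


@dataclass(frozen=True)
class TargetRight:
    """Pre-selected fine-grained permission: the resources and actions it covers."""
    resources: frozenset
    actions: frozenset


@dataclass(frozen=True)
class AccessParams:
    """Target access parameter: second token, second key identifier, second temporary certificate, expiry."""
    token: str
    key_id: str
    temp_cert: str
    expires_at: float

    def fields(self) -> dict:
        return {"token": self.token, "key_id": self.key_id, "temp_cert": self.temp_cert, "expires_at": self.expires_at}


class CloudServer:
    """Cloud service provider side server (illustrative)."""

    def __init__(self):
        self._registered = {}  # first temporary certificate -> (TargetRight, key shared with terminal)
        self._auth_codes = {}  # first temporary certificate -> authorization code stored by the server
        self._sessions = {}    # second temporary certificate -> (AccessParams, second key, TargetRight)

    def register(self, first_cert: str, right: TargetRight, shared_key: bytes) -> None:
        self._registered[first_cert] = (right, shared_key)

    def request_access(self, first_cert: str) -> str:
        """Step 1: the first temporary certificate selects the target right; generate, store and return a code."""
        if first_cert not in self._registered:
            raise PermissionError("unknown first temporary certificate")
        code = secrets.token_hex(16)
        self._auth_codes[first_cert] = code
        return code

    def exchange_code(self, first_cert: str, code: str, sixth_sig: str, ttl: float = 300.0):
        """Step 2: code must equal the stored one and the sixth signature must verify; issue access params."""
        if first_cert not in self._registered:
            raise PermissionError("unknown first temporary certificate")
        right, shared_key = self._registered[first_cert]
        stored = self._auth_codes.pop(first_cert, None)  # single use: a replayed code fails
        if stored is None or not hmac.compare_digest(stored, code):
            raise PermissionError("authorization code does not match the stored one")
        if not hmac.compare_digest(sign(shared_key, {"code": code, "first_cert": first_cert}), sixth_sig):
            raise PermissionError("sixth signature information invalid")
        second_key = secrets.token_bytes(32)
        params = AccessParams(token=secrets.token_hex(16), key_id=secrets.token_hex(8),
                              temp_cert=secrets.token_hex(16), expires_at=time.time() + ttl)
        self._sessions[params.temp_cert] = (params, second_key, right)
        return params, second_key

    def access(self, temp_cert: str, seventh_sig: str, resource: str, action: str) -> bool:
        """Step 3: recompute the eighth signature over the server's own copy, compare, then enforce the right."""
        session = self._sessions.get(temp_cert)
        if session is None:
            raise PermissionError("unknown second temporary certificate")
        params, second_key, right = session
        if time.time() > params.expires_at:
            raise PermissionError("second temporary certificate expired")
        if not hmac.compare_digest(sign(second_key, params.fields()), seventh_sig):
            raise PermissionError("seventh signature information does not match")
        if resource not in right.resources or action not in right.actions:
            raise PermissionError("outside the target right")
        return True


class TerminalDevice:
    def __init__(self, first_cert: str, shared_key: bytes):
        self.first_cert, self.shared_key = first_cert, shared_key
        self.params = self.second_key = None

    def obtain_second_certificate(self, server: CloudServer) -> AccessParams:
        code = server.request_access(self.first_cert)
        sixth_sig = sign(self.shared_key, {"code": code, "first_cert": self.first_cert})
        self.params, self.second_key = server.exchange_code(self.first_cert, code, sixth_sig)
        return self.params

    def access(self, server: CloudServer, resource: str, action: str) -> bool:
        seventh_sig = sign(self.second_key, self.params.fields())
        return server.access(self.params.temp_cert, seventh_sig, resource, action)


def demo() -> dict:
    """Constructed scenario: a device pre-selected for read-only access to one bucket."""
    server = CloudServer()
    key = secrets.token_bytes(32)
    server.register("first-cert-A", TargetRight(frozenset({"bucket/photos"}), frozenset({"read"})), key)
    dev = TerminalDevice("first-cert-A", key)
    dev.obtain_second_certificate(server)
    result = {"read_photos": dev.access(server, "bucket/photos", "read")}
    for name, res, act in (("write_photos", "bucket/photos", "write"), ("read_logs", "bucket/logs", "read")):
        try:
            result[name] = dev.access(server, res, act)
        except PermissionError:
            result[name] = False
    return result
```

Running demo() grants the read and refuses both the write and the other bucket. The server consumes the authorization code once, compares every signature with hmac.compare_digest, and enforces the target right per resource and action only after the signature check has passed, so a valid second temporary certificate still reaches nothing outside the pre-selected permission, and a leaked one stops working at its expiry.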
A third aspect of the present application provides a server, including:
a receiving unit, configured to receive a first temporary certificate sent by a terminal device, where the first temporary certificate is used to request access to resources on the server;
a determining unit, configured to determine, according to the first temporary certificate, a target right corresponding to the terminal device, where the target right is the right to access a target resource on the server;
a sending unit, configured to send the second temporary certificate corresponding to the target right to the terminal device, so that the terminal device accesses the target resource by using the second temporary certificate.
A fourth aspect of the present application provides a terminal device, including:
a sending unit, configured to send a first temporary certificate to a server, where the first temporary certificate is used to request access to resources on the server, so that the server determines, according to the first temporary certificate, a target right corresponding to the terminal device, the target right being the right to access a target resource on the server;
a receiving unit, configured to receive the second temporary certificate corresponding to the target right sent by the server;
an access unit, configured to access the target resource by using the second temporary certificate.
A fifth aspect of the present application provides a server, including:
one or more central processing units, a memory, a bus system and one or more programs, the central processing units and the memory being connected by the bus system;
where the one or more programs are stored in the memory and include instructions that, when executed by the server, cause the server to perform the authorization method provided in the first aspect of the present application.
A sixth aspect of the present application provides a terminal device, including:
one or more processor units, a storage unit, a bus system and one or more programs, the processor units and the storage unit being connected by the bus system;
where the one or more programs are stored in the storage unit and include instructions that, when executed by the terminal device, cause the terminal device to perform the authorization method of the second aspect of the present application.
A seventh aspect of the present application provides a computer storage medium including instructions which, when run on a computer, cause the computer to perform the method of the first aspect of the present application.
An eighth aspect of the present application provides a computer storage medium including instructions which, when run on a computer, cause the computer to perform the method of the second aspect of the present application.
As can be seen from the above technical solutions, the embodiments of the present application have the following advantage:
the server can implement fine-grained permission management of the terminal device by means of the second temporary certificate, that is, the terminal device has access to the server only within the target right, which guarantees the security and flexibility of the terminal device's access to the target resource on the server.
Brief description of the drawings
FIG. 1 is a schematic flow chart of the steps of an authorization method;
FIG. 2 is a schematic structural diagram of an embodiment of the structure of the cloud service system provided by the present application;
FIG. 3 is a schematic structural diagram of an embodiment of the cloud service provider side server provided by the present application;
FIG. 4 is a schematic structural diagram of an embodiment of the terminal device provided by the present application;
FIG. 5 is a flow chart of the steps of an embodiment of the authorization method provided by the present application;
FIG. 6 is a flow chart of the steps of another embodiment of the authorization method provided by the present application;
FIG. 7 is a flow chart of the steps of another embodiment of the authorization method provided by the present application;
FIG. 8 is a schematic diagram of the creation of pre-selected permissions provided by the present application;
FIG. 9 is a schematic structural diagram of another embodiment of the cloud service provider side server provided by the present application;
FIG. 10 is a schematic structural diagram of another embodiment of the terminal device provided by the present application;
FIG. 11 is an example diagram of an application scenario provided by the present application.
Detailed description
The embodiments of the present application provide an authorization method for performing fine-grained permission management on a terminal device. It should be understood that the server in the embodiments of the present application may specifically be a cloud service provider side server, or may be another type of server; this is not limited by the present application. The following embodiments take a cloud service provider side server as an example to describe the authorization method and related equipment of the embodiments of the present application.
It should be understood that the authorization method shown in this embodiment may be based on a cloud service system, the structure of which may be as shown in FIG. 2, where the cloud service system includes a cloud service provider side server 201. The cloud service provider side server shown in this embodiment is a server on the service platform side of the cloud service provider.
The cloud service system shown in this embodiment further includes at least one terminal device 202; this embodiment takes the case of a single terminal device 202 as an example.
The terminal device 202 shown in this embodiment is a device on the third-party service provider side.
Here, a third-party service provider is one that has joined the cloud-computing-product-based service platform established by the cloud service provider and offers software, services, website building and enterprise application services to cloud service developers, to help users make better use of cloud computing products and services.
The cloud service provider side server shown in this embodiment may be a Resource Owner (RO), a Resource Server, or an Authorization Server (AS).
In this embodiment, the terminal device 202 may request authorization from the cloud service provider side server through the OAuth protocol.
The structure of the cloud service provider side server 201 is optionally described below with reference to FIG. 3. Specifically, the description of the structure of the cloud service provider side server in this embodiment is an optional example and is not limiting, as long as the cloud service provider side server 201 can authorize the terminal device 202 so that the terminal device 202 can access resources on the cloud service provider side server 201 according to that authorization.
The cloud service provider side server may vary considerably depending on configuration or performance, and may include one or more central processing units (CPU) 301 (for example, one or more processors), a memory 302, and one or more storage media 305 (for example, one or more mass storage devices) storing application programs 303 or data 304. The memory 302 and the storage medium 305 may be transient storage or persistent storage. The program stored in the storage medium 305 may include one or more modules (not shown), each of which may include a series of instruction operations on the server. Further, the central processing unit 301 may be configured to communicate with the storage medium 305 and execute the series of instruction operations in the storage medium 305 on the cloud service provider side server.
The cloud service provider side server may further include one or more power supplies 306, one or more wired or wireless network interfaces 307, one or more input/output interfaces 308, and/or one or more operating systems 309, such as Windows Server(TM), Mac OS X(TM), Unix(TM), Linux(TM), FreeBSD(TM) and the like.
The specific structure of the terminal device 202 shown in this embodiment is described below by way of example with reference to FIG. 4.
The terminal device includes components such as an input unit 405, a processor unit 403, an output unit 401, a communication unit 407, a storage unit 404 and a radio frequency circuit 408.
These components communicate over one or more buses. Those skilled in the art will understand that the structure of the terminal device shown in FIG. 4 does not limit the present application; it may be a bus topology or a star topology, and may include more or fewer components than shown, combine certain components, or arrange the components differently.
In the embodiments of the present application, the terminal device may be any mobile or portable electronic device, including but not limited to a smartphone, a mobile computer, a tablet computer, a personal digital assistant (PDA), a media player, a smart television and the like.
The terminal device includes:
an output unit 401, configured to output an image to be displayed.
Specifically, the output unit 401 includes, but is not limited to, an image output unit 4011 and a sound output unit 4012.
The image output unit 4011 is configured to output text, pictures and/or video. It may include a display panel, for example one configured as a liquid crystal display (LCD), an organic light-emitting diode (OLED) display or a field emission display (FED). Alternatively, the image output unit 4011 may include a reflective display, for example an electrophoretic display, or a display using interferometric modulation of light.
The image output unit 4011 may include a single display or multiple displays of different sizes. In specific embodiments of the present application, a touch screen may also serve as the display panel of the output unit 401.
For example, when the touch screen detects a touch or proximity gesture on it, the event is passed to the processor unit 403 to determine the type of touch event, and the processor unit 403 then provides the corresponding visual output on the display panel according to that type. Although in FIG. 4 the input unit 405 and the output unit 401 are two separate components implementing the input and output functions of the terminal device, in some embodiments the touch screen and the display panel may be integrated to implement both. For example, the image output unit 4011 may display various graphical user interfaces (GUI) as virtual control components, including but not limited to windows, scroll bars, icons and scrapbooks, for the user to operate by touch.
In specific embodiments of the present application, the image output unit 4011 includes a filter and an amplifier for filtering and amplifying the video output by the processor unit 403. The sound output unit 4012 includes a digital-to-analog converter for converting the audio signal output by the processor unit 403 from digital to analog form.
The processor unit 403 is configured to run the corresponding code and process received information to generate and output the corresponding interface.
Specifically, the processor unit 403 is the control centre of the terminal device; it connects the parts of the whole terminal device through various interfaces and lines, and performs the various functions of the terminal device and/or processes data by running or executing the software programs and/or modules stored in the storage unit and calling the data stored in the storage unit. The processor unit 403 may consist of integrated circuits (IC), for example a single packaged IC, or several packaged ICs with the same or different functions connected together.
For example, the processor unit 403 may include only a central processing unit (CPU), or may be a combination of a graphics processing unit (GPU), a digital signal processor (DSP) and a control chip in the communication unit (for example a baseband chip). In the embodiments of the present application, the CPU may have a single computing core or multiple computing cores.
The storage unit 404 is configured to store code and data, the code being run by the processor unit 403.
Specifically, the storage unit 404 may be used to store software programs and modules; the processor unit 403 executes the various functional applications of the terminal device and processes data by running the software programs and modules stored in the storage unit 404. The storage unit 404 mainly includes a program storage area and a data storage area: the program storage area may store an operating system and the application programs required by at least one function (such as a sound playback program or an image playback program), and the data storage area may store data created through use of the terminal device (such as audio data or a phone book).
In specific embodiments of the present application, the storage unit 404 may include volatile memory, for example non-volatile random access memory (NVRAM), phase change RAM (PRAM) or magnetoresistive RAM (MRAM), and may also include non-volatile memory, for example at least one magnetic disk storage device, electrically erasable programmable read-only memory (EEPROM), or a flash memory device such as NOR flash memory or NAND flash memory.
The non-volatile memory stores the operating system and application programs executed by the processor unit 403. The processor unit 403 loads the programs and data to be run from the non-volatile memory into memory and stores digital content on mass storage devices. The operating system includes the components and/or drivers that control and manage routine system tasks such as memory management, storage device control and power management, and that facilitate communication between the various hardware and software.
In the embodiments of the present application, the operating system may be Google's Android system, the iOS system developed by Apple, the Windows operating system developed by Microsoft, or the like, or an embedded operating system such as VxWorks.
The application programs include any application installed on the terminal device, including but not limited to a browser, e-mail, instant messaging, word processing, a virtual keyboard, widgets, encryption, digital rights management, speech recognition, speech reproduction, positioning (for example functions provided by the global positioning system), music playback and the like.
The input unit 405 is configured to implement interaction between the user and the terminal device and/or the input of information into the terminal device.
For example, the input unit 405 may receive numeric or character information entered by the user, to produce signal input related to user settings or function control. In specific embodiments of the present application, the input unit 405 may be a touch screen, or another human-machine interface such as physical input keys or a microphone, or another external information capture device such as a camera.
The touch screen shown in the embodiments of the present application can collect touch or proximity operations performed on it by the user, for example operations performed by the user on or near the touch screen with a finger, a stylus or any other suitable object or accessory, and drive the corresponding connected device according to a preset program. Optionally, the touch screen may include two parts: a touch detection device and a touch controller. The touch detection device detects the user's touch operation, converts it into an electrical signal and transmits the signal to the touch controller; the touch controller receives the electrical signal from the touch detection device, converts it into contact coordinates and sends them to the processor unit 403.
The touch controller may also receive and execute commands sent by the processor unit 403. In addition, the touch screen may be implemented using any of several types, such as resistive, capacitive, infrared and surface acoustic wave.
In other embodiments of the present application, the physical input keys used by the input unit 405 may include, but are not limited to, one or more of a physical keyboard, function keys (such as volume control keys or a power key), a trackball, a mouse and a joystick. An input unit 405 in the form of a microphone can collect speech input by the user or from the environment and convert it into commands, in the form of electrical signals, that the processor unit 403 can execute.
In some other embodiments of the present application, the input unit 405 may also be any of various sensor devices, for example a Hall device, used to detect physical quantities of the terminal device such as force, torque, pressure, stress, position, displacement, velocity, acceleration, angle, angular velocity, number of revolutions, rotational speed and the time at which the operating state changes, converting them into electrical quantities for detection and control. Other sensor devices may include a gravity sensor, a three-axis accelerometer, a gyroscope, an electronic compass, an ambient light sensor, a proximity sensor, a temperature sensor, a humidity sensor, a pressure sensor, a heart rate sensor, a fingerprint reader and the like.
The communication unit 407 is configured to establish a communication channel through which the terminal device connects to a remote server and downloads media data from it. The communication unit 407 may include communication modules such as a wireless local area network (wireless LAN) module, a Bluetooth module and a baseband module, together with the radio frequency (RF) circuits corresponding to those modules, for wireless LAN communication, Bluetooth communication, infrared communication and/or cellular communication, for example Wideband Code Division Multiple Access (W-CDMA) and/or High Speed Downlink Packet Access (HSDPA). The communication module is used to control communication between the components of the terminal device and may support direct memory access.
In different embodiments of the present application, the various communication modules in the communication unit 407 generally take the form of integrated circuit chips and can be selectively combined without having to include every communication module and its corresponding antenna group. For example, the communication unit 407 may include only a baseband chip, a radio frequency chip and the corresponding antenna to provide communication in a cellular communication system. Through a wireless communication connection established via the communication unit 407, such as wireless LAN access or WCDMA access, the terminal device may connect to a cellular network or the Internet. In some optional embodiments of the present application, a communication module in the communication unit 407, such as the baseband module, may be integrated into the processor unit 403, a typical example being the APQ+MDM series platforms provided by Qualcomm.
射频电路408,用于信息收发或通话过程中接收和发送信号。例如,将基站的下行信息接收后,给处理器单元403处理;另外,将设计上行的数据发送给基站。通常,所述射频电路408包括用于执行这些功能的公知电路,包括但不限于天线系统、射频收发机、一个或多个放大器、调谐器、一个或多个振荡器、数字信号处理器、编解码(Codec)芯片组、用户身份模块(SIM)卡、存储器等等。此外,射频电路408还可以通过无线通信与网络和其他设备通信。The radio frequency circuit 408 is used for receiving and transmitting signals during information transmission and reception or during a call. For example, after the downlink information of the base station is received, it is processed by the processor unit 403; in addition, the data for designing the uplink is transmitted to the base station. Generally, the radio frequency circuit 408 includes well-known circuits for performing these functions, including but not limited to an antenna system, a radio frequency transceiver, one or more amplifiers, a tuner, one or more oscillators, a digital signal processor, A Codec chipset, a Subscriber Identity Module (SIM) card, a memory, and the like. In addition, radio frequency circuitry 408 can also communicate with the network and other devices via wireless communication.
所述无线通信可以使用任一通信标准或协议,包括但不限于全球移动通讯 系统(英文全称:Global System of Mobile communication,英文简称:GSM)、通用分组无线服务(英文全称:General Packet Radio Service,英文简称:GPRS)、码分多址(英文全称:Code Division Multiple Access,英文简称:CDMA)、宽带码分多址(英文全称:Wideband Code Division Multiple Access,英文简称:WCDMA)、高速上行行链路分组接入技术(英文全称:High Speed Uplink Packet Access,英文简称:HSUPA)、长期演进(英文全称:Long Term Evolution,英文简称:LTE)、电子邮件、短消息服务(英文全称:Short Messaging Service,英文简称:SMS)等。The wireless communication may use any communication standard or protocol, including but not limited to a global mobile communication system (English full name: Global System of Mobile communication, English abbreviation: GSM), general packet radio service (English full name: General Packet Radio Service, English abbreviation: GPRS), code division multiple access (English full name: Code Division Multiple Access, English abbreviation: CDMA), wideband code division multiple access (English full name: Wideband Code Division Multiple Access, English abbreviation: WCDMA), high-speed uplink chain Road packet access technology (English full name: High Speed Uplink Packet Access, English abbreviation: HSUPA), long-term evolution (English full name: Long Term Evolution, English abbreviation: LTE), e-mail, short message service (English full name: Short Messaging Service , English abbreviation: SMS) and so on.
电源409,用于给终端设备的不同部件进行供电以维持其运行。作为一般性理解,所述电源409可以是内置的电池,例如常见的锂离子电池、镍氢电池等,也包括直接向终端设备供电的外接电源,例如AC适配器等。在本申请的一些实施方式中,所述电源409还可以作更为广泛的定义,例如还可以包括电源管理系统、充电系统、电源故障检测电路、电源转换器或逆变器、电源状态指示器(如发光二极管),以及与终端设备的电能生成、管理及分布相关联的其他任何组件。A power source 409 is provided to power different components of the terminal device to maintain its operation. As a general understanding, the power source 409 may be a built-in battery, such as a conventional lithium ion battery, a nickel hydride battery, etc., and also includes an external power source that directly supplies power to the terminal device, such as an AC adapter. In some implementations of the present application, the power supply 409 can also be more widely defined, for example, can also include a power management system, a charging system, a power failure detection circuit, a power converter or inverter, and a power status indicator. (such as light-emitting diodes), and any other components associated with the power generation, management, and distribution of the terminal equipment.
Based on FIG. 1 to FIG. 4, the authorization method provided by the embodiments of the present application is described in detail below with reference to FIG. 5, with the cloud service provider side server as the executing entity:
Step 501: The cloud service provider side server receives a first temporary certificate sent by the terminal device.
The first temporary certificate is used to request access to resources on the cloud service provider side server.
Specifically, when the terminal device needs to request access to resources on the cloud service provider side server, the user logs in to the terminal device's target website, which is the website used to obtain authorization from the cloud service provider side server; logging in to that website enables the terminal device to send the first temporary certificate to the cloud service provider side server.
When the terminal device needs to obtain authorization from the cloud service provider side server, it sends the first temporary certificate to that server.
Step 502: The cloud service provider side server determines, according to the first temporary certificate, the target authority corresponding to the terminal device.
The target authority is the authority to access a target resource on the cloud service provider side server.
Step 503: The cloud service provider side server sends the second temporary certificate corresponding to the terminal device to the terminal device.
The second temporary certificate in this embodiment is a short-term credential. Its validity period can be configured from a few minutes to a few hours. Once the second temporary certificate expires, the cloud service provider side server no longer recognizes it, so the terminal device can no longer use it to access the target resource on the cloud service provider side server.
For the specific execution of the authorization method by the cloud service provider side server in this embodiment, see the embodiment shown in FIG. 7.
Based on FIG. 1 to FIG. 4, the authorization method provided by the embodiments of the present application is described in detail below with reference to FIG. 6, with the terminal device as the executing entity:
Step 601: The terminal device sends the first temporary certificate to the cloud service provider side server.
For a description of the first temporary certificate, see the embodiment shown in FIG. 5; it is not repeated in this embodiment.
Step 602: The terminal device receives the second temporary certificate sent by the cloud service provider side server.
For a description of the second temporary certificate, see the embodiment shown in FIG. 5; it is not repeated in this embodiment.
Step 603: The terminal device accesses the target resource on the cloud service provider side server by means of the second temporary certificate.
For the specific execution of the authorization method by the terminal device in this embodiment, see the embodiment shown in FIG. 7.
The execution flow of the authorization method shown in FIG. 5 and FIG. 6 is described in detail below with reference to FIG. 7:
As shown in FIG. 7, the authorization method includes:
Step 701: The terminal device sends request information to the cloud service provider side server.
For a detailed description of the terminal device in this embodiment, see the embodiments above; it is not repeated here.
Specifically, the request information in this embodiment includes first token information already stored by the terminal device.
The first token information is used by the terminal device to authenticate to the cloud service provider side server.
The first token information may be of many types; its type is not limited in this embodiment.
The terminal device in this embodiment requests authentication from the cloud service provider side server by means of the first token information, so that the cloud service provider side server can determine, based on that token, whether the terminal device is forged, whether it is exceeding its authority, whether it has expired, and so on.
More specifically, the terminal device in this embodiment may store the uniform resource locator (URL) of the cloud service provider side server and send the request information to the cloud service provider side server at that URL.
More specifically, the terminal device in this embodiment may send the request information, according to that URL, to the website on the cloud service provider side server that authenticates terminal devices.
Step 702: The cloud service provider side server receives the request information sent by the terminal device.
For a detailed description of the cloud service provider side server, see the embodiments above; it is not repeated in this embodiment.
Step 703: The cloud service provider side server generates fourth signature information.
Specifically, after receiving the request information, the cloud service provider side server in this embodiment performs a cryptographic computation over a first key identifier, the first token information and random reply information (echoInfo) generated by the cloud service provider side server itself, producing the fourth signature information.
Specifically, the cloud service provider side server in this embodiment performs that computation over the first key identifier, the first token information and the random reply information using its stored long-term key.
Step 704: The cloud service provider side server sends the fourth signature information to the terminal device.
Step 705: The terminal device determines whether the fourth signature information satisfies a first condition; if so, step 706 is performed.
In this embodiment, after receiving the fourth signature information the terminal device performs the corresponding decryption computation on it to recover the first key identifier, the first token information and the server-generated random reply information that it contains.
The first condition in this embodiment is that the first token information contained in the fourth signature information is identical to the first token information stored by the terminal device.
In this embodiment, if the terminal device determines that the first token information contained in the fourth signature information is identical to the first token information it has stored, that is, that the fourth signature information satisfies the first condition, it proceeds to step 706.
Step 706: The terminal device sends fifth signature information to the cloud service provider side server.
Specifically, the terminal device in this embodiment returns to the cloud service provider side server the random reply information contained in the fourth signature information.
It does so by performing a cryptographic computation over the received random reply information to produce the fifth signature information; the fifth signature information generated by the terminal device therefore contains the random reply information.
The terminal device in this embodiment thus sends the random reply information to the cloud service provider side server by means of the fifth signature information.
In this embodiment, the terminal device may invoke a target interface of the cloud service provider side server to exchange data with it.
Specifically, the target interface of the cloud service provider side server may be an Open Service Authorization application programming interface (API) of the cloud service provider side server.
The terminal device in this embodiment invokes the target interface of the cloud service provider side server using the fifth signature information.
Step 707: The cloud service provider side server obtains the random reply information contained in the fifth signature information.
Specifically, the cloud service provider side server performs the decryption computation on the fifth signature information to obtain the random reply information it contains.
Step 708: The cloud service provider side server determines whether the fifth signature information satisfies a second condition; if so, step 709 is performed.
In this embodiment, after obtaining the random reply information contained in the fifth signature information, the cloud service provider side server determines whether the fifth signature information satisfies the second condition.
The second condition is that the random reply information contained in the fifth signature information is identical to the random reply information generated by the cloud service provider side server.
If the cloud service provider side server determines that the random reply information contained in the fifth signature information is identical to the random reply information it generated, that is, that the fifth signature information satisfies the second condition, URL confirmation between the cloud service provider side server and the terminal device is complete, and the two can then exchange data.
Specifically, once URL confirmation between the cloud service provider side server and the terminal device is complete, the terminal device has successfully invoked the target interface of the cloud service provider side server.
Step 709: The cloud service provider side server generates first signature information.
Specifically, the cloud service provider side server in this embodiment performs a cryptographic computation over an encrypted ticket to produce the first signature information; the encrypted ticket is used to authenticate the terminal device.
Step 710: The cloud service provider side server sends the first signature information to the terminal device.
In this embodiment, after generating the first signature information, the cloud service provider side server sends it to the terminal device.
Step 711: The terminal device sends second signature information to the cloud service provider side server.
Specifically, after receiving the first signature information, the terminal device in this embodiment performs the decryption computation on it to recover the encrypted ticket it contains.
More specifically, the terminal device performs a cryptographic computation over the encrypted ticket to produce the second signature information, so the second signature information generated by the terminal device contains the encrypted ticket.
Step 712: The cloud service provider side server obtains the encrypted ticket contained in the second signature information.
Specifically, the cloud service provider side server in this embodiment receives the second signature information sent by the terminal device and performs the decryption computation on it to obtain the encrypted ticket it contains.
Step 713: The cloud service provider side server obtains third signature information.
Specifically, after obtaining the encrypted ticket contained in the second signature information, the cloud service provider side server performs its own cryptographic computation over that encrypted ticket to produce the third signature information.
Step 714: The cloud service provider side server sends the first temporary certificate to the terminal device when it determines that a third condition is satisfied.
Specifically, the cloud service provider side server in this embodiment determines whether the second signature information and the third signature information are identical; if they are, it determines that the third condition is satisfied. That is, the third condition in this embodiment is that the third signature information is identical to the second signature information.
Optionally, the terminal device performs the cryptographic computation over the encrypted ticket with its own long-term key and uses the resulting value to request the first temporary certificate from the cloud service provider side server. After obtaining the first temporary certificate, the terminal device can complete the authentication phase with the cloud service provider side server using it; once mutually authenticated, the terminal device and the cloud service provider side server can proceed with the real-time authorization flow. The real-time authorization flow in this embodiment is based on the OAuth 2.0 protocol; see the following embodiments for details.
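The exchange of steps 701 to 714 as an added illustration, written for this page and not taken from the patent. The patent does not name the "encryption computation"; here each piece of signature information is modelled as the signed fields plus an HMAC-SHA256 tag under a long-term key shared by the terminal device and the server (an assumption, but one forced by step 714, where the server's own recomputation over the ticket must equal the terminal's second signature). The key identifier, the key bytes, the token, the JSON field names and the certificate format are all constructed example values.

```python
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional

# Constructed example data: one terminal device with key identifier "kid-01".
# Assumption: the long-term key is symmetric and also held by the server.
LONG_TERM_KEYS: Dict[str, bytes] = {"kid-01": b"example-long-term-key-not-for-production"}


def sign(key: bytes, fields: dict) -> dict:
    """Model of 'signature information': the fields plus an HMAC-SHA256 tag over
    their canonical JSON encoding (algorithm choice is an assumption)."""
    payload = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return {"fields": fields, "tag": hmac.new(key, payload, hashlib.sha256).hexdigest()}


def verify(key: bytes, sig: dict) -> Optional[dict]:
    """Return the signed fields when the tag checks out (constant-time), else None."""
    expected = sign(key, sig["fields"])["tag"]
    return sig["fields"] if hmac.compare_digest(expected, sig["tag"]) else None


class CloudServer:
    def __init__(self) -> None:
        self.sessions: Dict[str, dict] = {}          # key_id -> {"echo": ..., "ticket": ...}
        self.temporary_certs: Dict[str, str] = {}    # key_id -> first temporary certificate

    def handle_request(self, key_id: str, token: str) -> dict:
        """Steps 702-704: fresh echoInfo, signed together with the key id and token."""
        echo = secrets.token_hex(16)
        self.sessions[key_id] = {"echo": echo}       # a new challenge supersedes the old one
        return sign(LONG_TERM_KEYS[key_id], {"kid": key_id, "token": token, "echo": echo})

    def handle_echo(self, key_id: str, fifth_sig: dict) -> Optional[dict]:
        """Steps 707-710: second condition (echoed value matches), then issue a ticket."""
        fields = verify(LONG_TERM_KEYS[key_id], fifth_sig)
        session = self.sessions.get(key_id)
        if fields is None or session is None:
            return None
        if not hmac.compare_digest(fields["echo"], session["echo"]):
            return None                               # stale, replayed or forged echoInfo
        session["ticket"] = secrets.token_hex(16)
        return sign(LONG_TERM_KEYS[key_id], {"ticket": session["ticket"]})   # first signature

    def handle_ticket(self, key_id: str, second_sig: dict) -> Optional[str]:
        """Steps 712-714: recompute the signature over the ticket we issued (third
        signature) and compare it with the terminal's (third condition)."""
        session = self.sessions.get(key_id)
        if session is None or "ticket" not in session:
            return None
        third_sig = sign(LONG_TERM_KEYS[key_id], {"ticket": session["ticket"]})
        if not hmac.compare_digest(third_sig["tag"], second_sig["tag"]):
            return None
        del session["ticket"]                         # single use: a captured reply cannot be replayed
        cert = "tmpcert-" + secrets.token_hex(8)
        self.temporary_certs[key_id] = cert
        return cert


class TerminalDevice:
    def __init__(self, key_id: str, token: str) -> None:
        self.key_id, self.token, self.key = key_id, token, LONG_TERM_KEYS[key_id]

    def answer_challenge(self, fourth_sig: dict) -> Optional[dict]:
        """Steps 705-706: first condition (token in the signature equals the stored one),
        then return the echoInfo under the terminal's own signature (fifth signature)."""
        fields = verify(self.key, fourth_sig)
        if fields is None or fields["token"] != self.token:
            return None
        return sign(self.key, {"echo": fields["echo"]})

    def answer_ticket(self, first_sig: dict) -> Optional[dict]:
        """Step 711: recover the ticket and sign it with the long-term key (second signature)."""
        fields = verify(self.key, first_sig)
        return None if fields is None else sign(self.key, {"ticket": fields["ticket"]})


def run_handshake(server: CloudServer, terminal: TerminalDevice) -> Optional[str]:
    """Steps 701-714 end to end; returns the first temporary certificate or None."""
    fourth = server.handle_request(terminal.key_id, terminal.token)
    fifth = terminal.answer_challenge(fourth)
    first = server.handle_echo(terminal.key_id, fifth) if fifth else None
    second = terminal.answer_ticket(first) if first else None
    return server.handle_ticket(terminal.key_id, second) if second else None
```

Two checks the patent text leaves implicit are made explicit here: every comparison of a tag or of the echoed value is constant-time, and both the echoInfo and the ticket are consumed once, so a fifth or second signature captured on the wire cannot be replayed against a later session.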
Step 715: The terminal device sends the first temporary certificate to the cloud service provider side server.
The first temporary certificate is used to request access to resources on the cloud service provider side server.
In this embodiment the terminal device uses the first temporary certificate to request a pre-authorization code (precode) from the target interface it has already invoked.
The pre-authorization code in this embodiment effectively prevents malicious or counterfeit terminal devices from obtaining authorization from the cloud service provider side server, and thereby improves the security of the real-time authorization process.
Step 716: The cloud service provider side server sends the pre-authorization code to the terminal device.
Specifically, after obtaining the first temporary certificate, the cloud service provider side server in this embodiment determines whether the first temporary certificate it has stored is identical to the first temporary certificate just received; if so, it sends the pre-authorization code to the terminal device.
Step 717: The terminal device obtains authentication information submitted by the user.
Specifically, after receiving the pre-authorization code, the terminal device in this embodiment redirects the target website to the login page of the cloud service provider side server, which carries the pre-authorization code.
Specifically, the login page in this embodiment also carries a key identifier.
The login page in this embodiment receives the user name and password entered by the user for login, in order to authenticate the user.
Specifically, this embodiment takes authentication information consisting of the user's user name and password as an example; in a specific application the authentication information may also include other information used for authentication, which is not limited in this embodiment.
In this embodiment, the cloud service provider side server may store in advance a number of user names and the password corresponding to each user name; the user enters the authentication information on the login page of the cloud service provider side server through the terminal device, and if the cloud service provider side server determines that the authentication information entered by the user is stored on the cloud service provider side server, it determines that the user is authenticated.
Step 718: The cloud service provider side server obtains the selected authority.
In this embodiment, once the cloud service provider side server has determined from the authentication information submitted by the user that the user is authenticated, it presents the user with a permission list.
Specifically, the permission list includes a number of permissions available for selection.
Through the permission list, the user selects the permissions required from among those available.
Specifically, the cloud service provider side server receives, through the permission list, the selection operation entered by the user.
The cloud service provider side server determines the selected authority, which is at least one of the available permissions chosen by the selection operation in the permission list.
For example, if one of the permissions available in the permission list is logging in to Weibo via QQ, and the user selects that permission in the list, the cloud service provider side server determines that logging in to Weibo via QQ is the selected authority.
Specifically, after obtaining the selected authority, the cloud service provider side server can bind it to the user's authentication information, so that when the user later logs in with the same authentication information the bound selected authority is retrieved and the user need not select it again.
Step 719: The cloud service provider side server determines the pre-selected authority.
The pre-selected authority is the authority already chosen for the terminal device on the cloud service provider side server.
Specifically, the pre-selected authority in this embodiment is a policy defined in advance for the user; the policy specifies the resources on the cloud service provider side server that the terminal device is able to access.
As shown in FIG. 8, a policy consists of a permission and an authorization object. The permission includes an effect, a resource, an authorized interface, an authorization condition and so on, and the authorization object is the user to whom the permission applies. When determining the pre-selected authority, the cloud service provider side server in this embodiment configures it through the permission and the authorization object.
Specifically, the cloud service provider side server may create the policy according to the industry domain or service domain that the terminal device registered.
Specifically, once the cloud service provider side server has created the policy, the terminal device can by default access the resources described in that pre-authorization policy.
Step 720: The cloud service provider side server determines the target authority corresponding to the terminal device.
Specifically, the cloud service provider side server determines the intersection of the selected authority and the pre-selected authority to be the target authority.
In an embodiment, if the terminal device has not obtained a selected authority via the permission list, the target authority in this embodiment is the pre-selected authority.
Specifically, after the terminal device registers, it is given a default authorization policy on the cloud service provider side server according to its registered industry domain or service domain. When a user then enters the terminal device's site without selecting any other policy, the terminal is by default allowed to use the default pre-selected authority, which constrains the terminal device's access to the resources of the cloud service provider side server.
In an embodiment, if the terminal device has obtained a selected authority via the permission list, the target authority in this embodiment is the intersection of the selected authority and the pre-selected authority.
That is, the target authority is contained in both the selected authority and the pre-selected authority.
通过本实施例所示的实时授权流程,能够使得使用所述终端设备的用户被所述云服务提供商侧服务器授予所述目标权限,从而使得所述云服务提供商侧服务器控制所述终端设备对所述云服务提供商侧服务器访问,使得所述终端设备只能够访问所述云服务提供商侧服务器上的所述目标资源,且所述云服务提供商侧服务器还能够控制用户访问所述目标资源的访问方式以及时机等,具体在本实施例中不做限定。With the real-time authorization process shown in this embodiment, the user using the terminal device can be granted the target authority by the cloud service provider side server, so that the cloud service provider side server controls the terminal device. Accessing the cloud service provider side server such that the terminal device can only access the target resource on the cloud service provider side server, and the cloud service provider side server is further capable of controlling user access to the The access mode and the timing of the target resource are not limited in this embodiment.
以下结合图11所示结合具体应用场景对目标权限进行说明:The following describes the target rights in combination with the specific application scenarios as shown in FIG. 11:
如图11所示,本实施例所示的预选权限为“云主机管理权限(云主机重启、申请、查看等)”,即本实施例所示的所述预选权限为云服务提供商侧服务器默认委托给所述终端设备的权限。As shown in FIG. 11 , the pre-selected permission shown in this embodiment is “cloud host management authority (cloud host restart, application, viewing, etc.)”, that is, the pre-selected permission shown in this embodiment is a cloud service provider side server. The authority delegated to the terminal device by default.
图11所示的已选定权限为“开发商自定义第三方角色”,云服务提供商侧服务器通过所述已选定权限对所述终端设备进行精细化的权限管理。The selected permission shown in FIG. 11 is “developer custom third-party role”, and the cloud service provider side server performs refined rights management on the terminal device by using the selected permission.
采用如图11所示的应用场景,所述终端设备能够在用户的操作下,通过 微信登录大众点评网,而且所述云服务提供商侧服务器能够通过目标权限对通过微信登录大众点评网的权限进行限定,例如,可限定通过微信登录所述大众点评网的时间,次数等,具体在本实施例中不做限定。According to the application scenario shown in FIG. 11, the terminal device can log in to the public comment network through WeChat under the operation of the user, and the cloud service provider side server can log in to the public comment network through WeChat through the target authority. For example, the time, the number of times, and the like, which are logged into the public commenting network by means of the WeChat, may be limited, which is not limited in this embodiment.
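The following is an added worked example, not code from the patent or from the applicant, of the step 720 rule and the FIG. 11 scenario above. Permission entries follow the FIG. 8 terms (effect, resource, authorized interface, condition); the resource and interface names, the default-policy table and the contents of the "developer-defined third-party role" are constructed for illustration. The security point it demonstrates is that the intersection rule bounds whatever role the user selects by the default policy, so a role that also asks for an interface the default policy never delegated does not obtain it.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class Permission:
    """One policy entry in the FIG. 8 terms: effect, resource, authorized interface, condition."""
    effect: str            # "allow" or "deny"
    resource: str          # constructed resource name, e.g. "cvm:instance/*"
    interface: str         # constructed API name, e.g. "RestartInstances"
    condition: str = ""    # free-text condition; "" means unconditional


# Constructed default (pre-selected) policies keyed by the industry/service domain
# the terminal device registered. Entry names are illustrative assumptions.
DEFAULT_POLICIES = {
    "cloud-host-management": frozenset({
        Permission("allow", "cvm:instance/*", "RestartInstances"),    # cloud host restart
        Permission("allow", "cvm:instance/*", "CreateInstances"),     # cloud host application
        Permission("allow", "cvm:instance/*", "DescribeInstances"),   # cloud host viewing
    }),
}


def pre_selected_permission(domain: str) -> FrozenSet[Permission]:
    """Policy the server creates from the domain the terminal device registered."""
    return DEFAULT_POLICIES[domain]


def determine_target_permission(pre_selected: FrozenSet[Permission],
                                selected: Optional[FrozenSet[Permission]]) -> FrozenSet[Permission]:
    """Step 720: target = selected ∩ pre-selected; with no selection from the
    permission list, the target permission is the pre-selected permission."""
    if selected is None:
        return pre_selected
    return pre_selected & selected


def is_allowed(target: FrozenSet[Permission], interface: str, resource: str) -> bool:
    """Access check against the target permission: an explicit deny wins,
    otherwise some allow entry must match both interface and resource."""
    matching = [p for p in target if p.interface == interface and p.resource == resource]
    if any(p.effect == "deny" for p in matching):
        return False
    return any(p.effect == "allow" for p in matching)


def fig11_scenario() -> dict:
    """Constructed FIG. 11 walk-through: default cloud-host policy versus a custom role."""
    pre = pre_selected_permission("cloud-host-management")
    # Constructed "developer-defined third-party role": overlaps the default policy
    # but additionally asks for instance termination, which the default never delegated.
    role = frozenset({
        Permission("allow", "cvm:instance/*", "RestartInstances"),
        Permission("allow", "cvm:instance/*", "DescribeInstances"),
        Permission("allow", "cvm:instance/*", "TerminateInstances"),
    })
    target = determine_target_permission(pre, role)
    return {
        "target_interfaces": sorted(p.interface for p in target),
        "restart": is_allowed(target, "RestartInstances", "cvm:instance/*"),
        "terminate": is_allowed(target, "TerminateInstances", "cvm:instance/*"),
        "default_only": determine_target_permission(pre, None) == pre,
    }


if __name__ == "__main__":
    print(fig11_scenario())
```

Because the intersection is taken over whole entries, two entries that differ only in their condition do not intersect; a deployment that wants the stricter of two conditions to survive would need a merge rule for the condition field rather than plain set intersection.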
Step 721: The cloud service provider side server sends an authorization code to the terminal device.
Specifically, in this embodiment, once the cloud service provider side server has determined the target permission, the cloud service provider side server sends the authorization code it has stored to the terminal device.
Step 722: The terminal device sends sixth signature information to the cloud service provider side server.
After receiving the authorization code sent by the cloud service provider side server, the terminal device performs an encryption calculation on the authorization code and the first temporary certificate to generate the sixth signature information.
Step 723: The cloud service provider side server determines whether the sixth signature information satisfies a fourth condition and, if so, sends a target access parameter to the terminal device.
Specifically, on receiving the sixth signature information, the cloud service provider side server performs a decryption calculation on the sixth signature information to obtain the authorization code and the first temporary certificate included in the sixth signature information.
The fourth condition is: the authorization code included in the sixth signature information is identical to the authorization code stored by the cloud service provider side server.
The fourth condition may also be: the first temporary certificate included in the sixth signature information is identical to the first temporary certificate stored by the cloud service provider side server.
When the cloud service provider side server determines that the sixth signature information satisfies the fourth condition, the cloud service provider side server sends the target access parameter used for accessing the target resource to the terminal device.
The target access parameter includes second token information, a second key identifier, and a second temporary certificate.
The second temporary certificate of this embodiment is a short-term credential. The validity period of the second temporary certificate can be configured from a few minutes to a few hours. Once the second temporary certificate expires, the cloud service provider side server no longer recognizes it, so that the terminal device can no longer access the target resource on the cloud service provider side server using the second temporary certificate.
Step 724: The cloud service provider side server sends the target access parameter to the terminal device.
In this embodiment, the terminal device can then access the target resource on the cloud service provider side server using the received target access parameter. The specific access procedure is as follows:
Step 725: The terminal device sends seventh signature information to the cloud service provider side server.
On receiving the target access parameter, the terminal device performs an encryption calculation on the target access parameter to generate the seventh signature information.
Step 726: The cloud service provider side server generates eighth signature information.
The cloud service provider side server performs an encryption calculation on the target access parameter that it generated, to produce the eighth signature information.
Step 727: The cloud service provider side server determines that the terminal device has permission to access the target resource.
Specifically, if the cloud service provider side server determines that the seventh signature information is identical to the eighth signature information, the cloud service provider side server determines that the terminal device has permission to access the target resource, that is, the terminal device has the target permission.
After the cloud service provider side server determines that the terminal device has the target permission, the terminal device can access the target resource on the cloud service provider side server.
It can be seen that, with the authorization method of this embodiment, the cloud service provider side server can perform fine-grained permission management of the terminal device, so that the cloud service provider side server can open access to the terminal device while ensuring the security and flexibility of the terminal device's access to the target resource on the cloud service provider side server; moreover, the cloud service provider side server and the terminal device exchange data by means of signature information, which improves security during the data exchange.
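The following is an added example, not code from the patent or from the applicant, that plays out steps 721 to 727 above with both sides' messages and a simulated clock. The patent does not fix a concrete primitive for its "encryption calculation"; here it is modelled, as an assumption, by an HMAC-SHA256 tag computed over the fields with a shared key, with the fields sent beside the tag so the server can read the authorization code and first temporary certificate back (the page's "decryption calculation"). The key, identifiers and time-to-live are constructed. Beyond the text, it also shows the two failure modes a server must handle: a sixth signature built over the wrong authorization code, and a seventh signature presented after the second temporary certificate has expired.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed shared key (assumption: both sides hold keying material for the
# "encryption calculation"; the patent does not specify how it is provisioned).
SHARED_KEY = b"constructed-demo-key"


def signature_info(key: bytes, *fields: str) -> str:
    """Signature information over length-prefixed fields (HMAC model, not the patent's construction)."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for f in fields:
        data = f.encode()
        mac.update(len(data).to_bytes(4, "big"))   # length prefix prevents field-boundary ambiguity
        mac.update(data)
    return mac.hexdigest()


@dataclass(frozen=True)
class TargetAccessParameter:
    second_token: str
    second_key_id: str
    second_temp_cert: str
    expires_at: float      # the second temporary certificate is a short-term credential


class CloudServer:
    def __init__(self, key: bytes, cert_ttl: float) -> None:
        self.key = key
        self.cert_ttl = cert_ttl
        self.authorization_code = secrets.token_hex(8)   # stored authorization code (step 721)
        self.first_temp_cert = secrets.token_hex(8)      # first temporary certificate already issued
        self.issued: Dict[str, TargetAccessParameter] = {}

    def check_sixth_signature(self, auth_code: str, first_cert: str, tag: str,
                              now: float) -> Optional[TargetAccessParameter]:
        """Step 723: fourth condition. The tag must verify and both fields must equal the stored values."""
        ok = hmac.compare_digest(signature_info(self.key, auth_code, first_cert), tag)
        ok &= hmac.compare_digest(auth_code, self.authorization_code)
        ok &= hmac.compare_digest(first_cert, self.first_temp_cert)
        if not ok:
            return None
        param = TargetAccessParameter(
            second_token=secrets.token_hex(8),
            second_key_id="kid-" + secrets.token_hex(4),
            second_temp_cert=secrets.token_hex(8),
            expires_at=now + self.cert_ttl,
        )
        self.issued[param.second_temp_cert] = param          # step 724: parameter sent to the terminal
        return param

    def eighth_signature(self, param: TargetAccessParameter) -> str:
        """Step 726: signature information over the parameter the server itself generated."""
        return signature_info(self.key, param.second_token, param.second_key_id, param.second_temp_cert)

    def grant_access(self, second_temp_cert: str, seventh_sig: str, now: float) -> bool:
        """Step 727: grant only for an unexpired certificate whose seventh signature equals the eighth."""
        param = self.issued.get(second_temp_cert)
        if param is None:
            return False
        if now >= param.expires_at:
            del self.issued[second_temp_cert]                # expired: no longer recognized
            return False
        return hmac.compare_digest(self.eighth_signature(param), seventh_sig)


class TerminalDevice:
    def __init__(self, key: bytes, first_temp_cert: str) -> None:
        self.key = key
        self.first_temp_cert = first_temp_cert

    def sixth_signature(self, auth_code: str) -> Tuple[str, str, str]:
        """Step 722: signature information over the authorization code and first temporary certificate."""
        return auth_code, self.first_temp_cert, signature_info(self.key, auth_code, self.first_temp_cert)

    def seventh_signature(self, param: TargetAccessParameter) -> str:
        """Step 725: signature information over the received target access parameter."""
        return signature_info(self.key, param.second_token, param.second_key_id, param.second_temp_cert)


def run_exchange(cert_ttl: float = 600.0, access_delay: float = 0.0, wrong_code: bool = False) -> dict:
    """Steps 721-727 end to end on a simulated clock; reports what was issued and whether access was granted."""
    server = CloudServer(SHARED_KEY, cert_ttl)
    terminal = TerminalDevice(SHARED_KEY, server.first_temp_cert)
    now = 0.0
    auth_code = server.authorization_code                         # step 721
    if wrong_code:
        auth_code = "constructed-bogus-code"                      # failure case: not the stored code
    code, cert, tag = terminal.sixth_signature(auth_code)         # step 722
    param = server.check_sixth_signature(code, cert, tag, now)    # steps 723 and 724
    if param is None:
        return {"issued": False, "granted": False}
    sig7 = terminal.seventh_signature(param)                      # step 725
    granted = server.grant_access(param.second_temp_cert, sig7, now + access_delay)  # steps 726 and 727
    return {"issued": True, "granted": granted}


if __name__ == "__main__":
    print(run_exchange(), run_exchange(access_delay=601.0), run_exchange(wrong_code=True))
```

All comparisons go through `hmac.compare_digest` so that neither the authorization-code check nor the seventh/eighth comparison leaks timing information, and the expiry check runs before the signature comparison so an expired second temporary certificate is refused regardless of whether its signature would have matched.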
The specific structure of the cloud service provider side server provided by the embodiment of this application is described in detail below with reference to FIG. 9:
The cloud service provider side server of this embodiment is configured to perform the authorization method shown in FIG. 9; for the specific execution procedure, see FIG. 9, which is not repeated in this embodiment.
The cloud service provider side server of this embodiment includes:
A first processing unit 901, configured to: perform an encryption calculation on an encrypted ticket to generate first signature information; send the first signature information to the terminal device; receive second signature information sent by the terminal device, where the second signature information includes the encrypted ticket obtained by the terminal device performing a decryption calculation on the first signature information; perform a decryption calculation on the second signature information to obtain the encrypted ticket included in the second signature information; perform an encryption calculation on the encrypted ticket to generate third signature information; and, if it is determined that the third signature information is identical to the second signature information, send the first temporary certificate to the terminal device.
Before the first processing unit 901 sends the first signature information to the terminal device, the first processing unit is specifically configured to: receive request information sent by the terminal device, where the request information includes first token information stored by the terminal device; perform an encryption calculation on a first key identifier, the first token information and random reply information generated by the cloud service provider side server to generate fourth signature information; send the fourth signature information to the terminal device, so that, when the terminal device determines that the first token information included in the fourth signature information is identical to the first token information stored by the terminal device, the terminal device sends fifth signature information to the cloud service provider side server, where the fifth signature information includes the random reply information; perform a decryption calculation on the fifth signature information to obtain the random reply information included in the fifth signature information; and, when it is determined that the random reply information included in the fifth signature information is identical to the random reply information generated by the cloud service provider side server, trigger execution of the step of sending the first signature information to the terminal device.
A receiving unit 902, configured to receive a first temporary certificate sent by the terminal device, where the first temporary certificate is used to request access to resources on the cloud service provider side server;
A determining unit 903, configured to determine, according to the first temporary certificate, the target permission corresponding to the terminal device, where the target permission is the permission to access the target resource on the cloud service provider side server;
The determining unit 903 is configured to: generate a permission list according to the first temporary certificate, where the permission list includes a plurality of permissions to be selected; receive, through the permission list, a selection operation input by the user; determine a selected permission, where the selected permission is at least one of the plurality of permissions to be selected that is selected by the selection operation in the permission list; determine a pre-selected permission, where the pre-selected permission is the permission already selected for the terminal device on the cloud service provider side server; and determine the intersection of the selected permission and the pre-selected permission as the target permission.
A sending unit 904, configured to send the second temporary certificate corresponding to the target permission to the terminal device, so that the terminal device accesses the target resource using the second temporary certificate.
The sending unit 904 is configured to: send the authorization code stored by the cloud service provider side server to the terminal device; receive sixth signature information sent by the terminal device, where the sixth signature information is signature information generated by the terminal device performing an encryption calculation on the authorization code and the first temporary certificate; and, if it is determined that the authorization code included in the sixth signature information is identical to the authorization code stored by the cloud service provider side server, send the target access parameter used for accessing the target resource to the terminal device, where the target access parameter includes second token information, a second key identifier and the second temporary certificate.
A second processing unit 905, configured to: receive seventh signature information sent by the terminal device for accessing the target resource, where the seventh signature information is signature information generated by the terminal device performing an encryption calculation on the target access parameter; perform an encryption calculation on the target access parameter generated by the cloud service provider side server to generate eighth signature information; and, if it is determined that the seventh signature information is identical to the eighth signature information, determine that the terminal device has permission to access the target resource.
The specific structure of the terminal device provided by the embodiment of this application is described in detail below with reference to FIG. 10:
The cloud service provider side server of this embodiment is configured to perform the authorization method shown in FIG. 5; for the specific execution procedure, see FIG. 5, which is not repeated in this embodiment.
The terminal device of this embodiment includes:
A first processing unit 1001, configured to: receive first signature information sent by the cloud service provider side server, where the first signature information is signature information generated by the cloud service provider side server performing an encryption calculation on an encrypted ticket; perform a decryption calculation on the first signature information to obtain the encrypted ticket; perform an encryption calculation on the encrypted ticket to obtain second signature information; send the second signature information to the cloud service provider side server, so that when the cloud service provider side server determines that third signature information is identical to the second signature information, the cloud service provider side server sends the first temporary certificate to the terminal device, where the third signature information includes the encrypted ticket; and receive the first temporary certificate sent by the cloud service provider side server.
In the course of receiving the first signature information sent by the cloud service provider side server, the first processing unit 1001 is specifically configured to: send request information to the cloud service provider side server, where the request information includes the first token information stored by the terminal device, so that the cloud service provider side server sends fourth signature information to the terminal device, where the fourth signature information includes a first key identifier, the first token information and random reply information generated by the cloud service provider side server; receive the fourth signature information; if it is determined that the first token information included in the fourth signature information is identical to the first token information stored by the terminal device, perform an encryption calculation on the random reply information to generate fifth signature information; and send the fifth signature information to the cloud service provider side server, so that when the cloud service provider side server determines that the random reply information included in the fifth signature information is identical to the random reply information generated by the cloud service provider side server, it sends the first signature information to the terminal device.
A sending unit 1002, configured to send a first temporary certificate to the cloud service provider side server, where the first temporary certificate is used to request access to resources on the cloud service provider side server;
The sending unit 1002 is configured to: receive the authorization code, stored by the cloud service provider side server, that the cloud service provider side server sends; perform an encryption calculation on the authorization code and the first temporary certificate to generate sixth signature information; send the sixth signature information to the cloud service provider side server, so that if the cloud service provider side server determines that the authorization code included in the sixth signature information is identical to the authorization code stored by the cloud service provider side server, it sends the target access parameter used for accessing the target resource to the terminal device, where the target access parameter includes second token information, a second key identifier and the second temporary certificate; and receive the target access parameter.
A receiving unit 1003, configured to receive the second temporary certificate corresponding to the target permission sent by the cloud service provider side server;
An access unit 1004, configured to access the target resource on the cloud service provider side server using the second temporary certificate.
A second processing unit 1005, configured to perform an encryption calculation on the target access parameter to generate seventh signature information and send the seventh signature information to the cloud service provider side server, so that if the cloud service provider side server determines that the seventh signature information is identical to eighth signature information, it determines that the terminal device has permission to access the target resource, where the eighth signature information is signature information generated by the cloud service provider side server performing an encryption calculation on the target access parameter generated by the cloud service provider side server.
From the cloud service provider side server shown in FIG. 3, the cloud service provider side server includes:
one or more central processing units 301, a memory 302, a bus system, and one or more programs, where the central processing unit 301 and the memory 302 are connected through the bus system.
The one or more programs are stored in the memory 302 and include instructions which, when executed by the cloud service provider side server, cause the cloud service provider side server to perform the method shown in FIG. 5, FIG. 6 or FIG. 7; the specific execution flow is not repeated in this embodiment.
From the terminal device shown in FIG. 4, the terminal device includes one or more processor units 403, a storage unit 404, a bus system, and one or more programs, where the processor unit 403 and the storage unit 404 are connected through the bus system;
The one or more programs are stored in the storage unit 404 and include instructions which, when executed by the terminal device, cause the terminal device to perform the method shown in FIG. 5; the specific execution procedure is not repeated in this embodiment.
A person skilled in the art can clearly understand that, for convenience and brevity of description, for the specific working processes of the system, apparatus and units described above, reference may be made to the corresponding processes in the foregoing method embodiments, which are not repeated here.
In the several embodiments provided in this application, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative; for example, the division into units is only a division by logical function, and there may be other ways of dividing them in actual implementation; for example, multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. In addition, the mutual couplings, direct couplings or communication connections shown or discussed may be indirect couplings or communication connections through some interfaces, apparatuses or units, and may be electrical, mechanical or in other forms.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of this application may be integrated into one processing unit, or each unit may exist physically on its own, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit.
If the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of this application in essence, or the part of it that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a storage medium and including several instructions for causing a computer device (which may be a personal computer, a server, a network device or the like) to perform all or part of the steps of the methods described in the embodiments of this application. The foregoing storage medium includes any medium that can store program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disc.
The above embodiments are only used to illustrate the technical solutions of this application, not to limit them. Although this application has been described in detail with reference to the foregoing embodiments, a person of ordinary skill in the art should understand that the technical solutions described in the foregoing embodiments may still be modified, or some of their technical features replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of this application.

Claims (17)

  1. 一种授权方法,其特征在于,包括:An authorization method, comprising:
    服务器接收终端设备发送的第一临时证书,所述第一临时证书用于请求访问所述服务器上的资源;Receiving, by the server, a first temporary certificate sent by the terminal device, where the first temporary certificate is used to request access to resources on the server;
    所述服务器根据所述第一临时证书确定所述终端设备对应的目标权限,所述目标权限为访问所述服务器上的目标资源的权限;Determining, by the server, a target authority corresponding to the terminal device according to the first temporary certificate, where the target authority is a right to access a target resource on the server;
    所述服务器将所述目标权限对应的第二临时证书发送给所述终端设备,以使所述终端设备通过所述第二临时证书访问所述目标资源。Sending, by the server, the second temporary certificate corresponding to the target authority to the terminal device, so that the terminal device accesses the target resource by using the second temporary certificate.
  2. 根据权利要求1所述的授权方法,其特征在于,所述服务器接收终端设备发送的第一临时证书之前,所述方法还包括:The authorization method according to claim 1, wherein before the server receives the first temporary certificate sent by the terminal device, the method further includes:
    所述服务器对加密票据进行加密计算以生成第一签名信息;The server performs encryption calculation on the encrypted ticket to generate first signature information;
    所述服务器将所述第一签名信息发送给所述终端设备;Sending, by the server, the first signature information to the terminal device;
    所述服务器接收所述终端设备发送的第二签名信息,所述第二签名信息包括所述终端设备对所述第一签名信息进行解密计算以获取到的所述加密票据;Receiving, by the server, second signature information that is sent by the terminal device, where the second signature information includes the encrypted ticket that is obtained by the terminal device to perform decryption calculation on the first signature information;
    所述服务器对所述第二签名信息进行解密计算以获取所述第二签名信息所包括的所述加密票据;Decrypting the second signature information by the server to obtain the encrypted ticket included in the second signature information;
    所述服务器对所述加密票据进行加密计算以生成第三签名信息;The server performs encryption calculation on the encrypted ticket to generate third signature information;
    若所述服务器确定出所述第三签名信息与所述第二签名信息相同,则所述服务器将所述第一临时证书发送给所述终端设备。And if the server determines that the third signature information is the same as the second signature information, the server sends the first temporary certificate to the terminal device.
  3. 根据权利要求2所述的授权方法,其特征在于,所述服务器将所述第一签名信息发送给所述终端设备之前,所述方法还包括:The authorization method according to claim 2, wherein before the server sends the first signature information to the terminal device, the method further includes:
    所述服务器接收所述终端设备发送的请求信息,所述请求信息包括所述终端设备已存储的第一令牌信息;Receiving, by the server, request information sent by the terminal device, where the request information includes first token information that is stored by the terminal device;
    所述服务器对第一密钥标识、所述第一令牌信息以及所述服务器所生成的随机回复信息进行加密计算以生成第四签名信息;The server performs encryption calculation on the first key identifier, the first token information, and the random reply information generated by the server to generate fourth signature information;
    所述服务器将所述第四签名信息发送给所述终端设备,以使在所述终端设备确定出所述第四签名信息所包括的所述第一令牌信息与所述终端设备已存储的所述第一令牌信息相同的情况下,所述终端设备将第五签名信息发送给所述服务器,所述第五签名信息包括所述随机回复信息;Sending, by the server, the fourth signature information to the terminal device, so that the terminal device determines, in the terminal device, that the first token information included in the fourth signature information is stored by the terminal device When the first token information is the same, the terminal device sends the fifth signature information to the server, and the fifth signature information includes the random reply information;
    所述服务器对所述第五签名信息进行解密计算以获取所述第五签名信息所包括的所述随机回复信息;Decrypting the fifth signature information by the server to obtain the random reply information included in the fifth signature information;
    若所述服务器确定出所述第五签名信息所包括的所述随机回复信息与所述服务器所生成的所述随机回复信息相同的情况下,触发执行所述服务器将所述第一签名信息发送给所述终端设备步骤。If the server determines that the random reply information included in the fifth signature information is the same as the random reply information generated by the server, triggering execution by the server to send the first signature information Steps to the terminal device.
  4. The authorization method according to any one of claims 1 to 3, wherein the server determining the target permission according to the first temporary certificate comprises:
    the server generates a permission list according to the first temporary certificate, the permission list comprising a plurality of permissions to be selected;
    the server receives, through the permission list, a selection operation input by a user;
    the server determines a selected permission, the selected permission being at least one of the plurality of permissions to be selected that is selected in the permission list by the selection operation;
    the server determines that the intersection of the selected permission and a pre-selected permission is the target permission, the pre-selected permission being the permission corresponding to a default authorization policy.
  5. The authorization method according to claim 1, wherein the server sending the second temporary certificate to the terminal device comprises:
    the server sends an authorization code stored by the server to the terminal device;
    the server receives sixth signature information sent by the terminal device, the sixth signature information being signature information generated by the terminal device by performing an encryption calculation on the authorization code and the first temporary certificate;
    if the server determines that the authorization code included in the sixth signature information is the same as the authorization code stored by the server, the server sends a target access parameter for accessing the target resource to the terminal device, the target access parameter comprising second token information, a second key identifier and the second temporary certificate.
  6. The authorization method according to claim 5, wherein the method further comprises:
    the server receives seventh signature information sent by the terminal device for accessing the target resource, the seventh signature information being signature information generated by the terminal device by performing an encryption calculation on the target access parameter;
    the server performs an encryption calculation on the target access parameter generated by the server to generate eighth signature information;
    if the server determines that the seventh signature information is the same as the eighth signature information, the server determines that the terminal device has the permission to access the target resource.
  7. An authorization method, comprising:
    a terminal device sends a first temporary certificate to a server, the first temporary certificate being used to request access to a resource on the server, so that the server determines a target permission corresponding to the terminal device according to the first temporary certificate, the target permission being the permission to access a target resource on the server;
    the terminal device receives a second temporary certificate corresponding to the target permission sent by the server, the second temporary certificate being used to indicate the target permission, and the target permission being used to indicate that the terminal device has the permission to access the target resource on the server;
    the terminal device accesses the target resource through the second temporary certificate.
  8. The authorization method according to claim 7, wherein before the terminal device sends the first temporary certificate to the server, the method further comprises:
    the terminal device receives first signature information sent by the server, the first signature information being signature information generated by the server by performing an encryption calculation on an encrypted ticket;
    the terminal device performs a decryption calculation on the first signature information to obtain the encrypted ticket;
    the terminal device performs an encryption calculation on the encrypted ticket to obtain second signature information;
    the terminal device sends the second signature information to the server, so that, when the server determines that third signature information and the second signature information are the same, the server sends the first temporary certificate to the terminal device, the third signature information comprising the encrypted ticket;
    the terminal device receives the first temporary certificate sent by the server.
  9. The authorization method according to claim 8, wherein before the terminal device receives the first signature information sent by the server, the method further comprises:
    the terminal device sends request information to the server, the request information comprising first token information stored by the terminal device, so that the server sends fourth signature information to the terminal device, wherein the fourth signature information comprises a first key identifier, the first token information and random reply information generated by the server;
    the terminal device receives the fourth signature information;
    if the terminal device determines that the first token information included in the fourth signature information is the same as the first token information stored by the terminal device, the terminal device performs an encryption calculation on the random reply information to generate fifth signature information;
    the terminal device sends the fifth signature information to the server, so that, when the server determines that the random reply information included in the fifth signature information is the same as the random reply information generated by the server, the server sends the first signature information to the terminal device.
  10. The authorization method according to claim 7, wherein the terminal device receiving the second temporary certificate sent by the server comprises:
    the terminal device receives an authorization code, stored by the server, which the server sends;
    the terminal device performs an encryption calculation on the authorization code and the first temporary certificate to generate sixth signature information;
    the terminal device sends the sixth signature information to the server, so that, if the server determines that the authorization code included in the sixth signature information is the same as the authorization code stored by the server, the server sends a target access parameter for accessing the target resource to the terminal device, the target access parameter comprising second token information, a second key identifier and the second temporary certificate;
    the terminal device receives the target access parameter.
  11. The authorization method according to claim 10, wherein the method further comprises:
    the terminal device performs an encryption calculation on the target access parameter to generate seventh signature information;
    the terminal device sends the seventh signature information to the server, so that, if the server determines that the seventh signature information is the same as eighth signature information, the server determines that the terminal device has the target permission to access the target resource, the eighth signature information being signature information generated by the server by performing an encryption calculation on the target access parameter generated by the server.
  12. A server, comprising:
    a receiving unit, configured to receive a first temporary certificate sent by a terminal device, the first temporary certificate being used to request access to a resource on the server;
    a determining unit, configured to determine, according to the first temporary certificate, a target permission corresponding to the terminal device, the target permission being the permission to access a target resource on the server;
    a sending unit, configured to send a second temporary certificate corresponding to the target permission to the terminal device, so that the terminal device accesses the target resource through the second temporary certificate.
  13. A terminal device, comprising:
    a sending unit, configured to send a first temporary certificate to a server, the first temporary certificate being used to request access to a resource on the server, so that the server determines, according to the first temporary certificate, a target permission corresponding to the terminal device, the target permission being the permission to access a target resource on the server;
    a receiving unit, configured to receive a second temporary certificate corresponding to the target permission sent by the server;
    an access unit, configured to access the target resource through the second temporary certificate.
  14. A server, comprising:
    one or more central processing units, a memory, a bus system and one or more programs, the central processing units and the memory being connected through the bus system;
    wherein the one or more programs are stored in the memory, the one or more programs comprising instructions which, when executed by the server, cause the server to perform the authorization method according to any one of claims 1 to 6.
  15. A terminal device, comprising:
    one or more processor units, a storage unit, a bus system and one or more programs, the processor units and the storage unit being connected through the bus system;
    wherein the one or more programs are stored in the storage unit, the one or more programs comprising instructions which, when executed by the terminal device, cause the terminal device to perform the authorization method according to any one of claims 7 to 11.
  16. A computer storage medium comprising instructions which, when run on a computer, cause the computer to perform the method according to any one of claims 1 to 6.
  17. A computer storage medium comprising instructions which, when run on a computer, cause the computer to perform the method according to any one of claims 7 to 11.
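The following Python sketch is an added example, not the patent's or the assignee's code: it walks the server side of claims 4 to 6 and the terminal side of claims 10 and 11 (authorization code, target access parameters, seventh/eighth signature comparison). It assumes the claims' "encryption calculation to generate signature information" is an HMAC-SHA256 tag over the carried fields under a key shared between server and terminal, that certificates, tokens and codes are random strings, and that `DEFAULT_POLICY` is a constructed default authorization policy; the patent specifies none of these.

```python
import hashlib, hmac, json, secrets
# Assumption: "encryption calculation to generate signature information" is
# modelled as HMAC-SHA256 over canonical JSON, keyed with a shared secret.
def sign(key: bytes, fields: dict) -> dict:
    """Signature information = the carried fields plus a tag over them."""
    msg = json.dumps(fields, sort_keys=True).encode()
    return {"fields": fields, "tag": hmac.new(key, msg, hashlib.sha256).hexdigest()}
def verify(key: bytes, sig: dict) -> bool:
    """Recompute the tag over the carried fields; compare in constant time."""
    return hmac.compare_digest(sign(key, sig["fields"])["tag"], sig["tag"])
DEFAULT_POLICY = frozenset({"read", "list"})  # constructed default policy rights

class Server:
    def __init__(self, key: bytes):
        self.key = key
        self.first_certs = set()  # issued first temporary certificates
        self.auth_codes = {}      # first cert -> stored authorization code
        self.sessions = {}        # second cert -> (target access params, rights)
    def issue_first_cert(self) -> str:
        self.first_certs.add(cert := secrets.token_hex(16))
        return cert
    def target_rights(self, first_cert: str, selected) -> frozenset:
        """Claim 4: the user's selected rights intersected with the default policy."""
        if first_cert not in self.first_certs:
            raise PermissionError("unknown first temporary certificate")
        return frozenset(selected) & DEFAULT_POLICY
    def send_auth_code(self, first_cert: str) -> str:
        """Claim 5, first step: hand the terminal the stored authorization code."""
        code = secrets.token_hex(8)
        self.auth_codes[first_cert] = code
        return code
    def exchange_code(self, sig6: dict, selected):
        """Claim 5: check the sixth signature, then issue target access parameters."""
        f = sig6["fields"]
        expected = self.auth_codes.pop(f.get("first_cert"), None)  # single use
        if expected is None or not verify(self.key, sig6) \
                or not hmac.compare_digest(f["auth_code"], expected):
            return None
        params = {"token": secrets.token_hex(8), "key_id": "key-2", "second_cert": secrets.token_hex(16)}
        rights = self.target_rights(f["first_cert"], selected)
        self.sessions[params["second_cert"]] = (params, rights)
        return params
    def check_access(self, sig7: dict, right: str) -> bool:
        """Claim 6: the eighth signature over stored params must equal the seventh."""
        session = self.sessions.get(sig7["fields"].get("second_cert"))
        if session is None:
            return False
        params, rights = session
        sig8 = sign(self.key, params)
        return hmac.compare_digest(sig8["tag"], sig7["tag"]) and right in rights

def run_flow(selected, right: str, tamper: bool = False):
    """Terminal side of claims 10 and 11 driven end to end; None = code rejected."""
    key = secrets.token_bytes(32)
    server = Server(key)
    first_cert = server.issue_first_cert()
    code = server.send_auth_code(first_cert)
    sig6 = sign(key, {"auth_code": code, "first_cert": first_cert})
    params = server.exchange_code(sig6, selected)
    if params is None:
        return None
    if tamper:  # a terminal altering its own target access parameters
        params = dict(params, token="forged")
    return server.check_access(sign(key, params), right)
```

Because the server re-signs its own stored copy of the target access parameters (the eighth signature) rather than trusting the fields the terminal sends, a terminal that edits its token or certificate fails the claim 6 check even though its own signature over the edited fields is valid.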
PCT/CN2018/089039 2017-06-14 2018-05-30 Authorization method and related device WO2018228199A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201710447707.0 2017-06-14
CN201710447707.0A CN107222485B (en) 2017-06-14 2017-06-14 Authorization method and related equipment

Publications (1)

Publication Number Publication Date
WO2018228199A1 true WO2018228199A1 (en) 2018-12-20

Family

ID=59948556

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2018/089039 WO2018228199A1 (en) 2017-06-14 2018-05-30 Authorization method and related device

Country Status (2)

Country Link
CN (1) CN107222485B (en)
WO (1) WO2018228199A1 (en)

Also Published As

Publication number Publication date
CN107222485A (en) 2017-09-29
CN107222485B (en) 2020-08-21

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 18817302

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 18817302

Country of ref document: EP

Kind code of ref document: A1