WO2020215709A1 - Identity authentication method and system, computer device, and storage medium - Google Patents


Info

Publication number
WO2020215709A1
Authority
WO
WIPO (PCT)
Prior art keywords
service
information
code
consumer
consumption
Application number
PCT/CN2019/119479
Other languages
French (fr)
Chinese (zh)
Inventor
王丽
Original Assignee
平安科技(深圳)有限公司

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols, the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0643 Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3297 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, involving time stamps, e.g. generation of time stamps

Definitions

  • This application relates to the field of computer technology, in particular to an identity authentication method, system, computer device and storage medium.
  • Internet services are inseparable from identity authentication.
  • In server clusters or a cross-domain service-oriented architecture there are consumers (that is, consumers of services, such as application systems that call various service interfaces) and service parties (that is, providers of services).
  • The service party needs to authenticate the consumer to determine whether it has access rights.
  • In the process of authenticating the consumer's identity, the service party needs to rely on a third-party authentication data source (that is, it needs to rely on a third-party authentication center for identity authentication), which greatly increases the consumption of network queries.
  • The main purpose of this application is to provide an identity authentication method, system, computer device and storage medium, aiming to solve the problem of high network consumption when the service party authenticates the identity of the consumer.
  • This application proposes an identity authentication method, including:
  • the service party receives a service invocation request sent by the consumer, where the service invocation request includes the consumption code information of the consumer and the authorization relationship encryption information pre-stored in the consumer, and the authorization relationship encryption information contains consumption code-service code invocation relationship information;
  • according to the consumption code information, the service party checks whether the service key corresponding to the consumption code information is pre-stored in itself;
  • if the corresponding service key is pre-stored, the service key is used to decrypt the authorization relationship encryption information to obtain the consumption code-service code invocation relationship information;
  • the consumption code-service code invocation relationship information is verified according to the consumption code information and the pre-stored service code information, and it is determined whether the consumption code-service code invocation relationship information is legal;
  • if it is legal, the service invocation request is responded to and the corresponding service resource is returned to the consumer.
  • This application also proposes a permission application method, including:
  • the consumer sends a service registration request to the service registration center to register the service of the service party, where the service registration request includes the consumption code information of the consumer;
  • the consumer receives and saves the authorization relationship encryption information returned by the service registration center in response to the permission application request, wherein the authorization relationship encryption information contains consumption code-service code invocation relationship information.
  • This application also proposes an identity authentication system, including:
  • a service registration center, used to generate the service key and the authorization relationship encryption information, store the service information of the service party, provide the service key to the service party, and provide the authorization relationship encryption information and the service information to the consumer, where the authorization relationship encryption information contains consumption code-service code invocation relationship information and the service information includes service code information;
  • a consumer, used to generate consumption code-service code invocation relationship information based on the service code information and its own consumption code information, obtain and save the authorization relationship encryption information and the service information from the service registry, and send service invocation requests to the service party, where the service invocation request includes the consumption code information and the authorization relationship encryption information;
  • a service party, used to register its own service information with the service registration center, obtain and save the service key from the service registration center, and determine, according to the service invocation request sent by the consumer, whether the consumer has the right to call its own service resources.
  • This application also proposes a computer device, including a memory and a processor, the memory stores a computer program, and the processor implements the steps of the aforementioned identity authentication method when the computer program is executed.
  • This application also proposes a computer-readable storage medium on which a computer program is stored, and when the computer program is executed by a processor, the steps of the aforementioned identity authentication method are realized.
  • This application also proposes an identity authentication device, including:
  • a first receiving module, used for the service party to receive the service invocation request sent by the consumer, wherein the service invocation request includes the consumption code information of the consumer and the authorization relationship encryption information pre-stored in the consumer, and the authorization relationship encryption information contains consumption code-service code invocation relationship information;
  • a checking module, configured to check, according to the consumption code information, whether the service key corresponding to the consumption code information is pre-stored in the service party itself;
  • a decryption module, configured to use the service key to decrypt the authorization relationship encryption information and obtain the consumption code-service code invocation relationship information if it is found that the service key corresponding to the consumption code information is pre-stored;
  • a verification module, configured to verify the consumption code-service code invocation relationship information according to the consumption code information and the pre-stored service code information, and determine whether the consumption code-service code invocation relationship information is legal;
  • a return module, configured to respond to the service invocation request and return the corresponding service resource to the consumer if the consumption code-service code invocation relationship information is legal.
  • This application also provides a permission application device, including:
  • a sending module, used for the consumer to send a service registration request to the service registration center to register the service of the service party, wherein the service registration request includes the consumption code information of the consumer;
  • a second receiving module, configured to receive the service information of the service party returned by the service registration center in response to the service registration request, wherein the service information includes service code information;
  • a generating module, configured to generate consumption code-service code invocation relationship information according to the service code information and the pre-stored consumption code information;
  • a request module, configured to send a permission application request to the service registration center, where the permission application request includes the consumption code-service code invocation relationship information;
  • a saving module, configured to receive and save the authorization relationship encryption information returned by the service registration center in response to the permission application request, wherein the authorization relationship encryption information contains the consumption code-service code invocation relationship information.
  • The beneficial effects of this application are as follows. In the identity authentication method provided by the embodiments of this application, the service party's identity verification of the consumer is achieved through an algorithm. Except in the first identity authentication process, in which the consumer needs to obtain the authorization relationship encryption information from the service registration center and the service party needs to obtain the service key from the service registration center, every subsequent time the service party authenticates the consumer it only needs to decrypt and verify the authorization relationship encryption information sent by the consumer, without relying on a third-party authentication data source, which reduces the consumption of network queries.
  • Figure 1 is a schematic flow diagram of an identity authentication method in an implementation of this application.
  • Figure 2 is a schematic flow diagram of a permission application method in the implementation of this application.
  • Figure 3 is a schematic diagram of the structure of an identity authentication system in an implementation of this application.
  • Figure 4 is a schematic diagram of the structure of a computer device in an implementation of this application.
  • An embodiment of the present application provides an identity authentication method, which is applied to an identity authentication system. The identity authentication system includes a consumer, a service party and a service registry, and the consumer, the service party and the service registry can communicate with each other over a network.
  • The identity authentication method includes:
  • the service party receives a service invocation request sent by the consumer, where the service invocation request includes the consumption code information of the consumer and the authorization relationship encryption information pre-stored in the consumer, and the authorization relationship encryption information contains the consumption code-service code invocation relationship information;
  • S12: check, according to the consumption code information, whether the service key corresponding to the consumption code information is pre-stored;
  • S13: if it is pre-stored, decrypt the authorization relationship encryption information with the service key to obtain the consumption code-service code invocation relationship information;
  • S14: verify the consumption code-service code invocation relationship information according to the consumption code information and the pre-stored service code information, and determine whether the consumption code-service code invocation relationship information is legal;
  • S15: if it is legal, respond to the service invocation request and return the corresponding service resource to the consumer.
  • The consumption code information is the unique identity of the consumer; different consumers have different consumption code information.
  • The authorization relationship encryption information is the consumption code-service code invocation relationship information encrypted with the service key, and is used to realize secure authentication of the consumer's identity by the service party. The consumption code-service code invocation relationship information can be expressed as Cn-Pn, where Cn is the consumption code information of consumer n and Pn is the service code information of service party n (the service code information is the unique identity of the service party; different service parties have different service code information).
  • For example, the consumption code-service code invocation relationship information C1-P1 denotes the invocation relationship between consumer 1 and service party 1.
  • The service party first registers its own service information in the service registry, where the service information of the service party includes the name of the service party, the service code information of the service party, the IP address and port of the service party, the request address of the service party, and so on. When the consumer calls the service resources of the service party for the first time, the consumer first needs to register the service of the service party. Specifically, the consumer logs in to the service registration center with the account and password entered by the user.
  • After the login succeeds, the consumer sends a service registration request to the service registration center for registering the service of the service party, where the service registration request includes the consumer's consumption code information.
  • When the service registration center receives the service registration request, it responds to the request by randomly generating and saving a service key corresponding to the consumption code information, and returns the service information of the service party to the consumer.
  • When the consumer receives the service information, it generates consumption code-service code invocation relationship information from the service code information in the service information and its own consumption code information, and then sends a permission application request for access to the service party to the service registration center, where the permission application request includes the consumption code-service code invocation relationship information, the consumer's IP address information and the above consumption code information.
  • When the service registration center receives the permission application request, it responds by finding, according to the consumption code information, the previously generated service key corresponding to that consumption code information, encrypting the consumption code-service code invocation relationship information with the service key to produce the above-mentioned authorization relationship encryption information, and returning the authorization relationship encryption information to the consumer.
  • The consumer receives the authorization relationship encryption information and saves it.
  • When the consumer calls a service resource of the service party, it finds the request address of the service party in the service information it has saved and sends a service invocation request to that request address over HTTP, where the authorization relationship encryption information and the consumer's consumption code information are placed in the HTTP request header for the subsequent operations.
  • In step S12, specifically, when the service party receives the authorization relationship encryption information and the consumption code information sent by the consumer, it needs to check the legality of the consumption code-service code invocation relationship information in order to verify whether the current consumer has access rights. To do so it must first decrypt the authorization relationship encryption information to obtain the consumption code-service code invocation relationship information, and decrypting the authorization relationship encryption information requires the service key, so the service party checks, according to the consumption code information, whether a corresponding service key is pre-stored for the subsequent operations.
  • In step S13, if the service party finds that a corresponding service key is pre-stored, it can directly use the service key to decrypt the authorization relationship encryption information and obtain the consumption code-service code invocation relationship information for the subsequent operations. If the service party finds that no corresponding service key is pre-stored, this indicates that the service party is authenticating the current consumer for the first time, so it first needs to obtain the corresponding service key from the service registry. Specifically, when the service party finds that no corresponding service key is pre-stored, it sends a key acquisition request to the service registration center, where the key acquisition request includes the consumption code information of the current consumer.
  • When the service registration center receives the key acquisition request, it searches the saved service keys according to the consumption code information (when different consumers register the services of different service parties through the service registration center, the service registration center generates and saves a different service key for each service registration request, so multiple service keys are stored in the service registry).
  • The service key corresponding to the consumption code information is found and returned to the service party, and the service party receives the service key.
  • The service party saves the service key and uses it to decrypt the authorization relationship encryption information to obtain the consumption code-service code invocation relationship information.
  • When the service party subsequently needs to authenticate the current consumer again, it only needs to find the corresponding service key among the multiple pre-stored service keys according to the current consumer's consumption code information, without obtaining the corresponding service key from the service registration center again.
  • In step S14, after decrypting the consumption code-service code invocation relationship information from the authorization relationship encryption information with the corresponding service key, the service party further uses its own service code information and the received consumption code information to verify the consumption code-service code invocation relationship information and determine whether it is legal.
  • For example, suppose the consumption code information sent by the current consumer to the service party is C1 (that is, the current consumer is consumer 1), the service code information of the service party is P1, and the consumption code-service code invocation relationship information obtained by decryption is C1-P1.
  • The service party matches P1 and C1 against C1-P1 to determine whether they match. If only one of the items (C1 or P1) matches, or neither matches (that is, neither C1 nor P1 matches), the consumption code-service code invocation relationship information provided by the current consumer is illegal and the current consumer does not have the authority to access the service resources of service party 1. Conversely, if both C1 and P1 match, the consumption code-service code invocation relationship information provided by the current consumer is legal and the current consumer has access to service party 1.
  • Service party 1 can therefore determine that the current consumer 1 has the right to access its own service resources. In another example, the consumption code information sent by the current consumer to the service party is C1, the service code information of the service party is P1, and the consumption code-service code invocation relationship information obtained by decryption is C2-P1.
  • The matching result is then that only P1 matches, and service party 1 judges on this basis that the current consumer 1 does not have the authority to access its own service resources. At the same time, this shows that consumer 2 has the authority to access the service resources of service party 1, and that the authorization relationship encryption information of consumer 2 has likely been misappropriated by consumer 1.
  • In step S15, if the consumption code-service code invocation relationship information is legal, the service party can determine that the current consumer has the right to access its own service resources, and then responds to the service invocation request sent by the current consumer and returns the corresponding service resource to the consumer.
  • The identity verification of the consumer by the service party is thus implemented through an algorithm. Except in the first identity authentication process, in which the consumer needs to obtain the authorization relationship encryption information from the service registry and the service party needs to obtain the service key from the service registry, every subsequent time the service party authenticates the consumer it only needs to decrypt and verify the authorization relationship encryption information sent by the consumer, without relying on a third-party authentication data source. This reduces the consumption of network queries, and the service party's authentication of the consumer's identity is achieved through a symmetric encryption algorithm.
  • When the consumer only holds the consumption code-service code invocation relationship information, it does not yet have the right to access the service party; only after obtaining the authorization relationship encryption information (that is, the consumption code-service code invocation relationship information encrypted with the service key) does the consumer have the authority to access the service party.
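The registration, permission application and verification flow described above (service key per consumption code at the registry, encrypted Cn-Pn handed to the consumer, steps S12 to S15 at the service party), as an added example that is not part of the patent or of the assignee's code. The patent does not name its symmetric algorithm, so the cipher here is a labelled stand-in built from HMAC-SHA256 with an added authentication tag; the key size, the HTTP header names, the class names and the sample service information are all assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Stand-in for the patent's unspecified "symmetric encryption algorithm" (an assumption):
# an HMAC-SHA256 keystream derived from the service key and a fresh nonce is XORed over the
# relation string, and an HMAC tag over nonce||ciphertext is appended so that a blob encrypted
# under another consumer's key, or a modified blob, is rejected before the Cn-Pn match (S14).
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_relation(key: bytes, relation: str) -> bytes:
    nonce = secrets.token_bytes(16)
    pt = relation.encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_relation(key: bytes, blob: bytes) -> Optional[str]:
    if len(blob) < 48:
        return None
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None  # wrong service key or tampered blob
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))).decode()


class ServiceRegistry:
    """Service registration center: service information plus one service key per consumption code."""

    def __init__(self) -> None:
        self.services: Dict[str, dict] = {}       # service code -> service information
        self.service_keys: Dict[str, bytes] = {}  # consumption code -> service key

    def register_service(self, info: dict) -> None:
        self.services[info["service_code"]] = info

    def register_consumer(self, consumption_code: str, service_code: str) -> dict:
        # Service registration request: randomly generate and save the key, return service information.
        self.service_keys.setdefault(consumption_code, secrets.token_bytes(32))
        return self.services[service_code]

    def apply_permission(self, consumption_code: str, relation: str) -> bytes:
        # Permission application request: encrypt Cn-Pn under this consumer's service key.
        return encrypt_relation(self.service_keys[consumption_code], relation)

    def get_service_key(self, consumption_code: str) -> bytes:
        # Key acquisition request from a service party authenticating this consumer for the first time.
        return self.service_keys[consumption_code]


class Consumer:
    def __init__(self, consumption_code: str, registry: ServiceRegistry) -> None:
        self.code, self.registry = consumption_code, registry
        self.service_info: dict = {}
        self.auth_blob = b""

    def register(self, service_code: str) -> None:
        self.service_info = self.registry.register_consumer(self.code, service_code)
        relation = f"{self.code}-{self.service_info['service_code']}"   # Cn-Pn
        self.auth_blob = self.registry.apply_permission(self.code, relation)

    def call_headers(self) -> dict:
        # Header names are assumptions; the patent only says both values travel in the HTTP header.
        return {"X-Consumption-Code": self.code, "X-Authorization-Relation": self.auth_blob}


class ServiceParty:
    def __init__(self, service_code: str, registry: ServiceRegistry) -> None:
        self.service_code, self.registry = service_code, registry
        self.service_keys: Dict[str, bytes] = {}  # pre-stored keys, one per consumption code
        self.registry_queries = 0

    def authenticate(self, headers: dict) -> bool:
        code, blob = headers["X-Consumption-Code"], headers["X-Authorization-Relation"]
        key = self.service_keys.get(code)                     # S12: is the key pre-stored?
        if key is None:                                       # first authentication of this consumer
            key = self.service_keys[code] = self.registry.get_service_key(code)
            self.registry_queries += 1
        relation = decrypt_relation(key, blob)                # S13
        if relation is None:
            return False
        parts = relation.split("-", 1)                        # S14: both Cn and Pn must match
        return len(parts) == 2 and parts[0] == code and parts[1] == self.service_code


def demo() -> dict:
    registry = ServiceRegistry()
    registry.register_service({"name": "svc1", "service_code": "P1",
                               "address": "http://svc1.example/api"})  # constructed sample
    server = ServiceParty("P1", registry)
    c1, c2 = Consumer("C1", registry), Consumer("C2", registry)
    c1.register("P1")
    c2.register("P1")
    first = server.authenticate(c1.call_headers())     # key fetched from the registry once
    second = server.authenticate(c1.call_headers())    # key served from the local store
    # Constructed mismatch from the patent's own example: code C1 with a relation C2-P1.
    mismatch = server.authenticate({"X-Consumption-Code": "C1",
                                    "X-Authorization-Relation": registry.apply_permission("C1", "C2-P1")})
    # Consumer 2's blob presented under code C1: encrypted under C2's key, so decryption under C1's key fails.
    borrowed = server.authenticate({"X-Consumption-Code": "C1", "X-Authorization-Relation": c2.auth_blob})
    return {"first": first, "second": second, "mismatch": mismatch,
            "borrowed": borrowed, "registry_queries": server.registry_queries}
```

The `registry_queries` counter is the point the patent makes about network consumption: the service party contacts the registry once per consumer and serves every later request from its own key store. The tag check is what makes a blob issued to another consumer fail closed at S13 rather than relying on the Cn-Pn comparison alone.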
  • Further, the authorization relationship encryption information is accompanied by a timestamp, and after the step of receiving the service invocation request sent by the consumer, the method further includes:
  • S11A: determine, according to the timestamp, whether the authorization relationship encryption information has expired;
  • if it has not expired, the above step S12 is executed to check, according to the consumption code information, whether the service key corresponding to the consumption code information is pre-stored.
  • Specifically, the service registry can attach a timestamp to the authorization relationship encryption information when it generates it, so that the authorization relationship encryption information is time-limited.
  • The consumer needs to use the authorization relationship encryption information within its valid time to obtain the service resource of the service party; in this way, the security of service resource acquisition can be guaranteed to a certain extent.
  • The timestamp uniquely identifies a point in time, and the validity of the timestamp and of the authorization relationship encryption information is a time attribute of the message.
  • For example, the time indicated by the timestamp is 13:14:52 on January 1, 2019 (that is, the generation time of the authorization relationship encryption information plus the preset effective time; if the preset effective time is 7 days, the generation time of the authorization relationship encryption information is 13:14:52 on December 25, 2019, where the preset effective time can be set according to the needs of use).
  • If the time at which the authorization relationship encryption information reaches the service party is 13:14:50 on January 1, 2019, then since 13:14:50 on January 1, 2019 is before 13:14:52 on January 1, 2019, the service party determines that the authorization relationship encryption information has not expired.
  • If the time identified by the timestamp is 13:14:52 on January 1, 2019 and the time at which the authorization relationship encryption information reaches the service party is 13:14:56 on January 1, 2019, then since 13:14:56 on January 1, 2019 is after 13:14:52 on January 1, 2019, the service party determines that the authorization relationship encryption information has expired. If the authorization relationship encryption information has not expired, the above step S12 is performed; if it has expired, step S11B is executed.
  • Further, the method also includes:
  • S14B: send the MD5 value to the consumer for storage.
  • If the consumption code-service code invocation relationship information is legal, this indicates that the current consumer has the right to access the service resource of the service party.
  • The service party can then respond to the service invocation request sent by the current consumer and return the corresponding service resource to the consumer.
  • The service party can also compute the consumption code-service code invocation relationship information with a preset MD5 algorithm, obtain and save the corresponding MD5 value, and send the MD5 value to the consumer, and the consumer saves the MD5 value after receiving it.
  • The MD5 value is unique (it corresponds one-to-one with the consumption code-service code invocation relationship information) and cannot be tampered with (once the information is tampered with, the MD5 value changes), so the MD5 value can replace the authorization relationship encryption information in realizing secure authentication of the consumer's identity by the service party. In this way, the consumer can subsequently apply to call the service resource of the service party by sending the MD5 value to the service party.
  • The service party compares the received MD5 value with the pre-stored MD5 value to determine whether the current consumer has access authority. In this way, the process of decrypting the authorization relationship encryption information with the service key can be omitted, which further reduces the time consumed by authority verification and further improves the performance of the system.
  • Further, the method also includes:
  • S11C: receive the MD5 value and consumption code information returned by the consumer in response to the prompt message, and check, according to the consumption code information, whether there is a corresponding pre-stored MD5 value;
  • In step S11B, if the authorization relationship encryption information has expired, this indicates that the current consumer does not have the authority to access the service resource of the service party. At this time the service party sends a prompt message indicating that the identity has expired to the consumer, prompting the consumer to re-verify its identity.
  • In step S11C, when the consumer successfully invoked the service resource of the service party for the first time, it obtained from the service party the MD5 value that can replace the authorization relationship encryption information. So when the consumer receives the prompt message sent by the service party that the identity has expired, the consumer can respond to the prompt message by returning its consumption code information and the previously saved MD5 value to the service party, and the service party then checks, according to the received consumption code information, whether there is a corresponding pre-stored MD5 value, and proceeds to step S11D for the related operations.
  • In step S11D, if the service party detects that a corresponding pre-stored MD5 value exists, it further compares the received MD5 value with the pre-stored MD5 value to determine whether the two are consistent. If the two are consistent, the current consumer has access rights; if the two are inconsistent, the current consumer does not have access rights.
  • In that case the service party can send a prompt message indicating that identity verification failed to the consumer, and the consumer needs to obtain the authorization relationship encryption information from the service registry again (the consumer sends a permission application request to the service registration center; at this time the permission application request includes the consumer's IP address information and consumption code information) in order to call the service resource of the service party again.
  • In step S11E, if the MD5 value received by the service party is consistent with the pre-stored MD5 value, this indicates that the current consumer has access rights. At this time the service party can respond to the service invocation request and return the corresponding service resource to the consumer.
  • When the authorization relationship encryption information expires, the consumer can therefore re-apply for and call the service resource by resending the MD5 value and the consumption code information, without obtaining the authorization relationship encryption information from the service registry again. This reduces the dependence on the service registration center, which further reduces the consumption of network queries.
  • The consumer sends the consumption code information together with the MD5 value. The advantage of this is that it can prevent identity impersonation caused by leakage of the MD5 value.
  • If the MD5 value of consumer 1 is stolen by consumer 2, and consumer 2 wants to use the MD5 value to apply for the service resource of the service party, then under the predetermined authentication mechanism consumer 2 needs to send its own consumption code information together with the MD5 value to the service party. Because consumer 1's consumption code information differs from consumer 2's consumption code information, during verification the service party either cannot find a pre-stored MD5 value corresponding to consumer 2's consumption code information, or finds that the MD5 value is inconsistent with the pre-stored MD5 value, so identity verification fails and consumer 2 cannot impersonate consumer 1 to call the service resources of the service party. Moreover, this also helps the service party quickly find the corresponding MD5 value for verification based on the consumption code information, without having to match it one by one against multiple pre-stored MD5 values to find the matching pre-stored MD5 value (because the service party can be called by different consumers with access rights, the service party stores multiple different MD5 values), which helps to reduce the time
  • The method further includes step S11G: sending the refreshed authorization relationship encryption information, together with a reminder to replace the old information, to the consumer, so that the consumer replaces the expired authorization relationship encryption information with the refreshed one.
  • Specifically, the service party can refresh the timestamp carried in the authorization relationship encryption information. For example, if the timestamp reads 13:14:52 on January 1, 2019 and the authorization relationship encryption information reaches the service party at 13:14:56 on January 1, 2019, the service party can refresh the timestamp to 13:14:52 on January 8, 2019, send the refreshed authorization relationship encryption information to the consumer, and send a reminder to replace the old information. Once the consumer has replaced the expired information with the refreshed one, its next request to the service party does not run into identity expiry or require the secondary MD5 authentication, which shortens authentication time, improves system performance, and makes identity authentication more flexible.
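The expiry decision, the MD5 fallback of steps S11C to S11E and the timestamp refresh of S11G, written out as an added example that is not the patent's own code. The authorization relationship encryption information is stood in for by constructed opaque bytes, the service party is assumed to have already read the timestamp out of it, the one-week validity window is an assumption taken from the page's January 1 to January 8 example, and the class and method names are assumptions. The last entry of `demo()` shows the limit noted above: the check binds the MD5 value to whichever consumption code is sent with it, so a captured pair is accepted from anyone.

```python
# Added example, not the patent's code. Names, the one-week validity window and the
# constructed token bytes are assumptions.
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

VALIDITY = timedelta(days=7)  # assumption: the page refreshes the stamp by exactly one week

# Constructed stand-ins for two consumers' authorization relationship encryption information.
AUTH_C1 = b"constructed-sealed-relation-C1-P1"
AUTH_C2 = b"constructed-sealed-relation-C2-P1"


def md5_token(auth_info: bytes) -> str:
    """The 'MD5 value' handed to the consumer after its first successful call.
    It is a bearer token and needs the same protection in transit as the sealed blob."""
    return hashlib.md5(auth_info).hexdigest()


class ServiceParty:
    def __init__(self, service_code: str):
        self.service_code = service_code
        self.stored_md5 = {}  # consumption code -> MD5 value, one per authorized consumer

    def first_success(self, consumption_code: str, auth_info: bytes) -> str:
        """S11C: on the first successful invocation, pre-store the MD5 value by consumption code."""
        token = md5_token(auth_info)
        self.stored_md5[consumption_code] = token
        return token

    @staticmethod
    def is_expired(stamp: datetime, arrival: datetime) -> bool:
        return arrival > stamp + VALIDITY

    def verify_fallback(self, consumption_code: str, md5_value: str) -> str:
        """S11C/S11D: look up by consumption code first, then compare in constant time."""
        stored = self.stored_md5.get(consumption_code)
        if stored is None:
            return "no pre-stored MD5 for this consumption code"
        if not hmac.compare_digest(stored, md5_value):
            return "MD5 value does not match"
        return "ok"

    @staticmethod
    def refresh_stamp(stamp: datetime) -> datetime:
        """S11G: move the timestamp forward by one validity period, keeping the clock time."""
        return stamp + VALIDITY


def demo() -> dict:
    p1 = ServiceParty("P1")
    t1 = p1.first_success("C1", AUTH_C1)
    p1.first_success("C2", AUTH_C2)
    stamp = datetime(2019, 1, 1, 13, 14, 52, tzinfo=timezone.utc)  # the page's example timestamp
    return {
        "fresh": p1.is_expired(stamp, datetime(2019, 1, 1, 13, 14, 56, tzinfo=timezone.utc)),
        "stale": p1.is_expired(stamp, datetime(2019, 1, 9, 0, 0, tzinfo=timezone.utc)),
        "c1_own": p1.verify_fallback("C1", t1),
        "c2_with_stolen_md5": p1.verify_fallback("C2", t1),  # the case the page describes
        "unknown_code": p1.verify_fallback("C3", t1),
        "c1_pair_replayed": p1.verify_fallback("C1", t1),  # code and MD5 both captured: accepted
        "refreshed": p1.refresh_stamp(stamp).isoformat(),
    }
```

`hmac.compare_digest` is used for the comparison so that a network attacker cannot time the byte-by-byte mismatch of an equality check; the dictionary lookup by consumption code is the page's "find the one pre-stored value instead of matching all of them".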
  • The embodiment of the application also proposes a permission application method, applied to an identity authentication system comprising a consumer, a service party and a service registry, the three of which can communicate with one another over a network.
  • The permission application method includes:
  • S21: the consumer sends a service registration request to the service registration center to register the service of the service party, where the service registration request includes the consumption code information of the consumer;
  • S22: receive the service information of the service party returned by the service registration center in response to the service registration request, where the service information includes service code information;
  • S23: generate consumption code-service code invocation relationship information from the service code information and the pre-stored consumption code information;
  • S24: send a permission application request to the service registration center, where the permission application request includes the consumption code-service code invocation relationship information;
  • S25: receive the authorization relationship encryption information returned by the service registration center in response to the permission application request and save it, where the authorization relationship encryption information contains the consumption code-service code invocation relationship information.
  • In step S21, when the consumer calls a service resource of the service party for the first time, it must first register the service of the service party. Specifically, the consumer logs in to the service registration center with the account and password entered by the user; after a successful login it sends the service registration center a service registration request for the service party's service, which includes the consumer's consumption code information. Only after a service party's service has been registered through the service registration center can the consumer apply to call that service party's service resources.
  • In step S22, when the service party starts for the first time it registers its own service information with the service registration center; this service information includes the service party's name, its service code information, its IP address and port, and its request address. When the service registration center receives the consumer's service registration request, it responds by randomly generating a service key corresponding to the consumption code information, saving it, and returning the service party's service information to the consumer.
  • In step S23, when the consumer receives the service information returned by the service registration center, it generates the consumption code-service code invocation relationship information from the service code information in that service information and its own consumption code information, for use in the following steps.
  • In step S24, after the consumption code-service code invocation relationship information has been generated, the consumer sends a permission application request to the service registration center. The request includes the consumption code-service code invocation relationship information, the consumer's IP address information and the consumer's consumption code information, and applies for the authority to call the service party's service resource.
  • In step S25, when the service registration center receives the permission application request, it saves the consumer's IP address information and responds to the request: it looks up the previously generated service key corresponding to the consumption code information, encrypts the consumption code-service code invocation relationship information with that service key to produce the authorization relationship encryption information, and returns it to the consumer. The consumer receives and saves the authorization relationship encryption information, and thereby holds the authority to access the service party.
  • When the consumer later needs to call a service resource of the service party, it only has to find the service party's request address in its own saved service information and send a service invocation request to the service party over HTTP, with the authorization relationship encryption information and the consumer's consumption code information placed in the HTTP request headers. In practice a consumer generally has several hosts, and the user calls the service party's service resource from one particular host, so the consumer's IP address information is the IP address of the host the user is using.
  • If the user switches to another host of the consumer, that host must re-send a permission application request to the service registration center to obtain the authorization relationship encryption information; the request includes that host's IP address and the consumer's consumption code information.
  • The service registration center can then learn, by querying the saved IP address information, which hosts of the consumer have obtained authorization relationship encryption information, which serves to audit changes in consumer instances.
  • The consumer's application for permission to access the service party is thus implemented algorithmically. Apart from the first permission application, in which the consumer has to obtain the authorization relationship encryption information from the service registry, every later request for the service party's service resource needs only the authorization relationship encryption information and consumption code the consumer has saved itself, without relying on a third-party authentication data source, which reduces the cost of network queries.
  • The authorization relationship encryption information is stored in the consumer's cache folder, and the cache folder is encrypted with the consumer's local hardware information (such as the MAC address or model information).
  • The above permission application method also includes the following: when a host of the consumer is about to call the service party's service resource, the cache folder is decrypted first.
  • The host compares its pre-stored hardware information (such as the MAC address) with the local hardware information and judges whether the two are consistent.
  • If they are consistent, this preliminarily indicates that the current host has the authority to call the service party's service resource, and the host can send the service party a service invocation request containing the consumption code information and the authorization relationship encryption information to obtain the service resource; if they are inconsistent, the current host cannot obtain the authorization relationship encryption information from the cache file and so cannot call the service party.
  • Because the consumer keeps the authorization relationship encryption information in a cache file encrypted with the local hardware information and decrypts it with that same information, the information cannot be copied to another host of the consumer and used there (a different host has different local hardware information, so it cannot recover the authorization relationship encryption information), which improves data security. Hardware information such as a MAC address is readable by any process on the host and by anyone who can copy the cache file, so this binds the cache to a host identity but does not protect it from an attacker who already has access to that host.
  • An embodiment of the present application also proposes an identity authentication system, including:
  • a service registration center, used to generate service keys and authorization relationship encryption information, store the service information of the service party, provide the service key to the service party, and provide the authorization relationship encryption information and service information to the consumer, where the authorization relationship encryption information contains the consumption code-service code invocation relationship information and the service information includes service code information;
  • a consumer, used to generate the consumption code-service code invocation relationship information from the service code information and its own consumption code information, obtain and save the authorization relationship encryption information and service information from the service registry, and send service invocation requests to the service party, where a service invocation request includes the consumption code information and the authorization relationship encryption information;
  • a service party, used to register its own service information with the service registration center, obtain and save the service key from the service registration center, and judge from the service invocation request sent by the consumer whether the consumer has the right to call its service resources.
  • An embodiment of the present application also provides a computer device.
  • The computer device may be a server, and its internal structure may be as shown in FIG. 4.
  • The computer device includes a processor, a memory, a network interface and a database connected through a system bus. The processor of the computer device provides computing and control capabilities.
  • The memory of the computer device includes a storage medium and an internal memory, where the storage medium may be a non-volatile or a volatile storage medium.
  • The storage medium stores an operating system, a computer program and a database.
  • The internal memory provides the environment in which the operating system and computer program on the storage medium run.
  • The database of the computer device stores the data used by the identity authentication method.
  • The network interface of the computer device communicates with external terminals over a network connection. When the computer program is executed by the processor, the identity authentication method of any of the foregoing embodiments is implemented.
  • The embodiment of the present application also proposes a computer-readable storage medium, which may be a non-volatile or a volatile storage medium.
  • A computer program is stored on the storage medium, and when the computer program is executed by a processor, the identity authentication method of any of the foregoing embodiments is implemented.
  • Non-volatile memory may include read-only memory (ROM), programmable ROM (PROM), electrically programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM) or flash memory.
  • Volatile memory may include random access memory (RAM) or external cache memory.
  • RAM is available in many forms, such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), Synchlink DRAM (SLDRAM), Rambus direct RAM (RDRAM), direct Rambus dynamic RAM (DRDRAM) and Rambus dynamic RAM (RDRAM).

Abstract

Disclosed are an identity authentication method and system, a computer device, and a storage medium. The identity authentication method comprises: a serving party receives a service call request sent by a consuming party, the service call request comprising consumption code information and authorization relation encryption information; the authorization relation encryption information comprising consumption code-service code calling relation information; according to the consumption code information, check whether a service key is pre-stored in the serving party; if the service key is pre-stored in the serving party, use the service key to decrypt the authorization relation encryption information to obtain the consumption code-service code calling relation information; verify whether the consumption code-service code calling relation information is legal according to the consumption code information and the pre-stored service code information; and if yes, in response to the service call request, return a corresponding service resource to the consuming party. The identity authentication method can solve the large network consumption problem during the process that the serving party performs identity authentication on the consuming party.

Description

Identity authentication method, system, computer device and storage medium
This application claims priority to the Chinese patent application filed with the Chinese Patent Office on April 25, 2019, application number 201910341167.7, entitled "Identity authentication method, system, computer device and storage medium", the entire content of which is incorporated herein by reference.
Technical field
This application relates to the field of computer technology, and in particular to an identity authentication method, system, computer device and storage medium.
Background
Internet services depend on identity authentication. In a server cluster or a cross-domain service-oriented architecture, when a consumer (the consuming side of a service, such as an application system that calls service interfaces) accesses the resources of a service party (the providing side, such as an application system that exposes service interfaces) across domains, no prior trust relationship exists between the two, so the service party must authenticate the consumer to decide whether it has access rights. In the prior art, the service party has to rely on a third-party authentication data source (that is, a third-party authentication center) during this authentication, which greatly increases the cost of network queries.
How to reduce the cost of network queries while the service party authenticates the consumer is therefore a technical problem that those skilled in the art urgently need to solve.
Technical problem
The main purpose of this application is to provide an identity authentication method, system, computer device and storage medium that solve the problem of high network consumption while the service party authenticates the consumer.
Technical solution
This application proposes an identity authentication method, including:
the service party receives a service invocation request sent by the consumer, where the service invocation request includes the consumer's consumption code information and the authorization relationship encryption information pre-stored in the consumer, and the authorization relationship encryption information contains consumption code-service code invocation relationship information;
according to the consumption code information, check whether a service key corresponding to the consumption code information is pre-stored in the service party;
if such a service key is pre-stored, decrypt the authorization relationship encryption information with the service key to obtain the consumption code-service code invocation relationship information;
verify the consumption code-service code invocation relationship information against the consumption code information and the pre-stored service code information, and judge whether it is legal;
if the consumption code-service code invocation relationship information is legal, respond to the service invocation request and return the corresponding service resource to the consumer.
This application also proposes a permission application method, including:
the consumer sends a service registration request to the service registration center to register the service of the service party, where the service registration request includes the consumer's consumption code information;
receive the service information of the service party returned by the service registration center in response to the service registration request, where the service information includes service code information;
generate consumption code-service code invocation relationship information from the service code information and the pre-stored consumption code information;
send a permission application request to the service registration center, where the permission application request includes the consumption code-service code invocation relationship information;
receive the authorization relationship encryption information returned by the service registration center in response to the permission application request and save it, where the authorization relationship encryption information contains the consumption code-service code invocation relationship information.
This application also proposes an identity authentication system, including:
a service registration center, used to generate service keys and authorization relationship encryption information, store the service information of the service party, provide the service key to the service party, and provide the authorization relationship encryption information and service information to the consumer, where the authorization relationship encryption information contains consumption code-service code invocation relationship information and the service information includes service code information;
a consumer, used to generate consumption code-service code invocation relationship information from the service code information and its own consumption code information, obtain and save the authorization relationship encryption information and service information from the service registration center, and send service invocation requests to the service party, where a service invocation request includes the consumption code information and the authorization relationship encryption information;
a service party, used to register its own service information with the service registration center, obtain and save the service key from the service registration center, and judge from the service invocation request sent by the consumer whether the consumer has the right to call its service resources.
This application also proposes a computer device, including a memory and a processor, where the memory stores a computer program and the processor implements the steps of the aforementioned identity authentication method when executing the computer program.
This application also proposes a computer-readable storage medium on which a computer program is stored; when the computer program is executed by a processor, the steps of the aforementioned identity authentication method are implemented.
This application also proposes an identity authentication device, including:
a first receiving module, used by the service party to receive a service invocation request sent by the consumer, where the service invocation request includes the consumer's consumption code information and the authorization relationship encryption information pre-stored in the consumer, and the authorization relationship encryption information contains consumption code-service code invocation relationship information;
a checking module, used to check, according to the consumption code information, whether a service key corresponding to the consumption code information is pre-stored;
a decryption module, used to decrypt the authorization relationship encryption information with the service key, if such a service key is found to be pre-stored, and obtain the consumption code-service code invocation relationship information;
a verification module, used to verify the consumption code-service code invocation relationship information against the consumption code information and the pre-stored service code information and judge whether it is legal;
a return module, used to respond to the service invocation request and return the corresponding service resource to the consumer if the consumption code-service code invocation relationship information is legal.
This application also provides a permission application device, including:
a sending module, used by the consumer to send a service registration request to the service registration center to register the service of the service party, where the service registration request includes the consumer's consumption code information;
a second receiving module, used to receive the service information of the service party returned by the service registration center in response to the service registration request, where the service information includes service code information;
a generating module, used to generate consumption code-service code invocation relationship information from the service code information and the pre-stored consumption code information;
a request module, used to send a permission application request to the service registration center, where the permission application request includes the consumption code-service code invocation relationship information;
a saving module, used to receive and save the authorization relationship encryption information returned by the service registration center in response to the permission application request, where the authorization relationship encryption information contains the consumption code-service code invocation relationship information.
Beneficial effects
The beneficial effect of this application is as follows. In the identity authentication method provided by its embodiments, the service party's verification of the consumer's identity is carried out algorithmically: apart from the first authentication, in which the consumer has to obtain the authorization relationship encryption information and the service party has to obtain the service key from the service registration center, every later authentication only requires the service party to decrypt and verify the authorization relationship encryption information sent by the consumer, without relying on a third-party authentication data source, which reduces the cost of network queries.
Description of the drawings
Figure 1 is a schematic flow diagram of an identity authentication method in an embodiment of this application;
Figure 2 is a schematic flow diagram of a permission application method in an embodiment of this application;
Figure 3 is a schematic structural diagram of an identity authentication system in an embodiment of this application;
Figure 4 is a schematic structural diagram of a computer device in an embodiment of this application.
The realization of the objectives, functional characteristics and advantages of the present invention will be further described with reference to the embodiments and the accompanying drawings.
Best mode of the invention
It should be understood that the specific embodiments described here serve only to explain the present invention and do not limit it.
Referring to Figures 1 and 3, an embodiment of the present application provides an identity authentication method applied to an identity authentication system comprising a consumer, a service party and a service registration center, the three of which can communicate with one another over a network. The identity authentication method includes:
S11: the service party receives a service invocation request sent by the consumer, where the service invocation request includes the consumer's consumption code information and the authorization relationship encryption information pre-stored in the consumer, and the authorization relationship encryption information contains consumption code-service code invocation relationship information;
S12: according to the consumption code information, check whether a service key corresponding to the consumption code information is pre-stored;
if such a service key is found to be pre-stored, execute S13: decrypt the authorization relationship encryption information with the service key to obtain the consumption code-service code invocation relationship information;
S14: verify the consumption code-service code invocation relationship information against the consumption code information and the pre-stored service code information, and judge whether it is legal;
if the consumption code-service code invocation relationship information is legal, execute S15: respond to the service invocation request and return the corresponding service resource to the consumer.
在上述步骤S11中,上述消费编码信息为消费方的唯一身份标识,不同的消费方具有不同的消费编码信息;上述授权关系加密信息为经过服务密钥加密后的消费编码-服务编码调用关系信息,用于实现服务方对消费方身份的安全认证,其中,消费编码-服务编码调用关系信息的具体表现形式可用Cn-Pn来表示,其中,Cn为消费方n所对应的消费编码信息,Pn为服务方n所对应的服务编码信息(服务编码信息为服务方的唯一身份标识,不同的服务方具有不同的服务编码信息),因此,通过消费编码-服务编码调用关系信息可获知消费方与服务方之间的调用关系,即某个消费方需要调用某个服务方的服务资源,例如消费方1需要调用服务方1的服务资源,那么消费编码-服务编码调用关系信息可用C1-P1来表示;In the above step S11, the consumption code information is the unique identity of the consumer, and different consumers have different consumption code information; the authorization relationship encryption information is the consumption code-service code invocation relationship information encrypted by the service key , Used to realize the security authentication of the identity of the consumer by the service party, where the specific expression form of the consumer code-service code call relationship information can be represented by Cn-Pn, where Cn is the consumer code information corresponding to the consumer n, Pn Is the service code information corresponding to the service party n (the service code information is the unique identity of the service party, and different service parties have different service code information). Therefore, through the consumption code-service code call relationship information, the consumer and the The call relationship between the service parties, that is, a consumer needs to call a service resource of a server, for example, consumer 1 needs to call the service resource of server 1, then the consumption code-service code call relationship information can be C1-P1 Means
Specifically, in this step, when a service provider starts for the first time it registers its own service information with the service registry, where the service information of the service provider includes the name of the service provider, its service code information, its IP address and port, its request address, and so on. When a consumer invokes a service provider's service resource for the first time, the consumer must first register the service provider's service: the consumer logs in to the service registry using the account and password entered by the user; after a successful login, the consumer sends the service registry a service registration request for registering the service provider's service, which includes the consumer's consumer code information. On receiving the service registration request, the service registry responds by randomly generating and saving a service key corresponding to that consumer code information, and returns the service provider's service information to the consumer. On receiving the service information, the consumer generates the consumer code-service code invocation relationship information from the service code information in the service information and its own consumer code information, and then sends the service registry a permission application request for access to the service provider, which includes the consumer code-service code invocation relationship information, the consumer's IP address information and the consumer code information. On receiving the permission application request, the service registry responds by looking up, according to the consumer code information, the previously generated service key corresponding to that consumer code information, encrypts the consumer code-service code invocation relationship information with that service key to produce the encrypted authorization relationship information, and returns the encrypted authorization relationship information to the consumer, which receives and saves it. When the consumer invokes the service provider's service resource, it finds the service provider's request address in the service information it saved and sends the service provider a service invocation request over HTTP, with the encrypted authorization relationship information and the consumer's consumer code information carried in the HTTP request header for the subsequent operations.
In step S12 above, specifically, when the service provider receives the encrypted authorization relationship information and consumer code information sent by the consumer, in order to verify whether the current consumer has access permission it must check the legitimacy of the consumer code-service code invocation relationship information. To do so it must first decrypt the encrypted authorization relationship information to obtain the consumer code-service code invocation relationship information, and decryption requires the service key; the service provider therefore checks, according to the consumer code information, whether it has pre-stored the corresponding service key, for use in the subsequent operations.
In step S13 above, if the service provider finds that it has pre-stored the corresponding service key, it can directly use that service key to decrypt the encrypted authorization relationship information and obtain the consumer code-service code invocation relationship information for the subsequent operations. If the service provider finds that it has not pre-stored the corresponding service key, this indicates that it is authenticating the current consumer for the first time, so it must first obtain the corresponding service key from the service registry. Specifically, when the service provider finds that it has not pre-stored the corresponding service key, it sends the service registry a key acquisition request that includes the consumer code information of the current consumer. On receiving the key acquisition request, the service registry looks up the service key corresponding to that consumer code information among the multiple service keys it has saved (when different consumers register the services of different service providers through the service registry, the service registry generates and saves a different service key for each consumer's service registration request, so multiple service keys are stored in the service registry) and returns it to the service provider. The service provider receives and saves the service key and uses it to decrypt the encrypted authorization relationship information, obtaining the consumer code-service code invocation relationship information. In this way, when the service provider later needs to authenticate the current consumer again, it only needs to look up the corresponding service key among the multiple pre-stored service keys according to the current consumer's consumer code information, without obtaining it from the service registry again.
In step S14 above, after the consumer code-service code invocation relationship information has been decrypted from the encrypted authorization relationship information with the corresponding service key, the service provider further verifies it against its own service code information and the received consumer code information to determine whether it is legitimate. For example, suppose the consumer code information sent by the current consumer to the service provider is C1 (indicating that the current consumer is consumer 1), the service code information of the service provider is P1, and the decrypted consumer code-service code invocation relationship information is C1-P1. During verification the service provider matches P1 and C1 respectively against C1-P1 and determines whether matches exist. If only one of them matches (C1 or P1) or neither matches (i.e. neither C1 nor P1 matches), the consumer code-service code invocation relationship information provided by the current consumer is illegitimate and the current consumer has no permission to access the service resource of service provider 1; conversely, if both C1 and P1 match, the consumer code-service code invocation relationship information provided by the current consumer is legitimate and the current consumer has permission to access the service resource of service provider 1. In this example, since the consumer code information is C1, the service code information is P1 and the decrypted consumer code-service code invocation relationship information is C1-P1, verification yields a result in which both C1 and P1 match, so service provider 1 can conclude that consumer 1 has permission to access its service resource. In another example, the consumer code information sent by the current consumer to the service provider is C1, the service code information of the service provider is P1, and the decrypted consumer code-service code invocation relationship information is C2-P1; verification then yields a result with only one match, P1, so service provider 1 can conclude that consumer 1 has no permission to access its service resource. At the same time, this shows that consumer 2 has permission to access the service resource of service provider 1 and that consumer 2's encrypted authorization relationship information has very likely been misappropriated by consumer 1.
In step S15 above, if the consumer code-service code invocation relationship information is legitimate, the service provider can conclude that the current consumer has permission to access its service resource, and accordingly responds to the service invocation request sent by the current consumer and returns the corresponding service resource to the consumer.
In this embodiment, the service provider's authentication of the consumer is implemented algorithmically. Apart from the first authentication, in which the consumer must obtain the encrypted authorization relationship information from the service registry and the service provider must obtain the service key from the service registry, every subsequent authentication of the consumer by the service provider only requires decrypting and verifying the encrypted authorization relationship information sent by the consumer, without relying on a third-party authentication data source, which reduces the overhead of network queries. Moreover, the service provider's authentication of the consumer is implemented with a symmetric encryption algorithm that merely encrypts the consumer code-service code invocation relationship information with the service key, so the resulting encrypted data (i.e. the encrypted authorization relationship information) is short; this shortens decryption time when the service provider authenticates the consumer, reducing the time spent on permission verification and improving system performance.
In addition, it should be noted that in this embodiment a consumer that merely holds the consumer code-service code invocation relationship information does not yet have permission to access the service provider; only after obtaining the encrypted authorization relationship information (i.e. after the consumer code-service code invocation relationship information has been encrypted with the service key) does the consumer have permission to access the service provider. This prevents a consumer from tampering with the consumer code-service code invocation relationship information (since the consumer does not hold the service key) and invoking the service resources of arbitrary service providers, thereby ensuring the security and reliability of service resource acquisition.
In a preferred embodiment, the encrypted authorization relationship information carries a timestamp, and after the step of receiving the service invocation request sent by the consumer, the method further includes:
S11A: determine, according to the timestamp, whether the encrypted authorization relationship information has expired;
If the encrypted authorization relationship information has not expired, execute S12 above: check, according to the consumer code information, whether a service key corresponding to the consumer code information is pre-stored.
In this embodiment, since the longer the encrypted authorization relationship information is kept, the greater the risk of its leakage may be, the service registry can stamp it with a timestamp when generating it, so that the encrypted authorization relationship information has a limited validity: the consumer must use the encrypted authorization relationship information within its validity period to obtain the service provider's service resource, which guarantees the security of service resource acquisition to a certain extent. Specifically, since a timestamp uniquely identifies a moment in time, and both the timestamp and the validity of the encrypted authorization relationship information are time attributes of the message, whether the encrypted authorization relationship information has expired can be determined from whether the moment identified by the timestamp lies within the message's validity period. For example, if the moment identified by the timestamp is 13:14:52 on January 1, 2019 (i.e. the generation time of the encrypted authorization relationship information plus a preset validity period; if the preset validity period is 7 days, the generation time of the encrypted authorization relationship information is 13:14:52 on December 25, 2019, where the preset validity period may be set according to usage needs), and the encrypted authorization relationship information arrives at the service provider at 13:14:50 on January 1, 2019, then since 13:14:50 on January 1, 2019 is before 13:14:52 on January 1, 2019, the service provider can conclude that the encrypted authorization relationship information has not expired. As another example, if the moment identified by the timestamp is 13:14:52 on January 1, 2019 and the encrypted authorization relationship information arrives at the service provider at 13:14:56 on January 1, 2019, then since 13:14:56 on January 1, 2019 is after 13:14:52 on January 1, 2019, the service provider can conclude that the encrypted authorization relationship information has expired. If the encrypted authorization relationship information has not expired, step S12 above can be executed; if it has expired, step S11B can be entered to perform the related operations.
In a preferred embodiment, after the step of determining whether the consumer code-service code invocation relationship information is legitimate, the method further includes:
If the consumer code-service code invocation relationship information is legitimate, execute S14A: compute an MD5 value of the consumer code-service code invocation relationship information with a preset MD5 algorithm, and save the resulting MD5 value;
S14B: send the MD5 value to the consumer for storage.
In this embodiment, if the consumer code-service code invocation relationship information is legitimate, the current consumer has permission to access the service provider's service resource; the service provider can then respond to the service invocation request sent by the current consumer and return the corresponding service resource to the consumer. At the same time, the service provider can compute the MD5 value of the consumer code-service code invocation relationship information with the preset MD5 algorithm, save the resulting MD5 value and send it to the consumer, which saves it on receipt. Because the MD5 value is unique (it corresponds one-to-one with the consumer code-service code invocation relationship information) and tamper-evident (once the information is tampered with, the MD5 value changes), the MD5 value can take the place of the encrypted authorization relationship information for the service provider's secure authentication of the consumer's identity. Subsequently, the consumer can apply to invoke the service provider's service resource by sending this MD5 value to the service provider, and the service provider can determine whether the current consumer has access permission by comparing the received MD5 value with the pre-stored MD5 value. This dispenses with the process of decrypting the encrypted authorization relationship information with the service key, further reducing the time spent on permission verification and further improving system performance.
In another preferred embodiment, after the step of determining, according to the timestamp, whether the encrypted authorization relationship information has expired, the method further includes:
If the encrypted authorization relationship information has expired, execute S11B: send the consumer a prompt that its identity has expired, prompting the consumer to re-authenticate;
S11C: receive the MD5 value and consumer code information returned by the consumer in response to the prompt, and check, according to the consumer code information, whether a corresponding pre-stored MD5 value exists;
If a corresponding pre-stored MD5 value exists, execute S11D: compare the MD5 value with the pre-stored MD5 value and determine whether they are identical;
If the MD5 value is identical to the pre-stored MD5 value, execute S11E: respond to the service invocation request and return the corresponding service resource to the consumer.
In step S11B above, if the encrypted authorization relationship information has expired, the current consumer has no permission to access the service provider's service resource; the service provider then sends the consumer a prompt that its identity has expired, prompting the consumer to re-authenticate.
In step S11C above, since the consumer obtains from the service provider, on its first successful invocation of the service provider's service resource, an MD5 value that can take the place of the encrypted authorization relationship information, when the consumer receives the identity-expired prompt from the service provider it can respond by returning its consumer code information and the previously saved MD5 value to the service provider. The service provider then checks, according to the received consumer code information, whether a corresponding pre-stored MD5 value exists, so as to enter step S11D and perform the related operations.
In step S11D above, if the service provider finds that a corresponding pre-stored MD5 value exists, it further compares the received MD5 value with the pre-stored MD5 value to determine whether they are identical. If they are identical, the current consumer has access permission; if they are not, the current consumer has no access permission, and the service provider can send the consumer a prompt that authentication has failed. The consumer must then obtain the encrypted authorization relationship information from the service registry anew (the consumer sends the service registry a permission application request, which in this case includes the consumer's IP address information and consumer code information) in order to invoke the service provider's service resource again.
In step S11E above, if the MD5 value received by the service provider is identical to the pre-stored MD5 value, the current consumer has access permission; the service provider can then respond to the service invocation request and return the corresponding service resource to the consumer.
In this embodiment, when the encrypted authorization relationship information has expired, the consumer can re-apply to invoke the service provider's service resource by resending the MD5 value and consumer code information, without obtaining the encrypted authorization relationship information from the service registry anew. This reduces dependence on the service registry and further reduces the overhead of network queries. At the same time, the consumer sends the consumer code information once more along with the MD5 value, which has the advantage of preventing impersonation through a leaked MD5 value. For example, if for whatever reason consumer 1's MD5 value has been stolen by consumer 2, then when consumer 2 tries to use that MD5 value to apply to invoke the service provider's service resource, the prescribed authentication mechanism requires consumer 2 to send its own consumer code information together with that MD5 value to the service provider; since consumer 1's consumer code information differs from consumer 2's, during verification the service provider either finds no pre-stored MD5 value corresponding to consumer 2's consumer code information or finds that the MD5 value does not match the pre-stored MD5 value, so authentication fails and consumer 2 cannot impersonate consumer 1 to invoke the service provider's service resource. Moreover, this also allows the service provider to find the corresponding MD5 value for verification quickly from the consumer code information, rather than matching one by one against the multiple pre-stored MD5 values to find the matching one (since a service provider may be invoked by different consumers with access permission, it stores multiple different MD5 values), which reduces the time spent on permission verification and improves system performance.
In yet another preferred embodiment, after the step of determining whether the MD5 value is identical to the pre-stored MD5 value, the method further includes:
If the MD5 value is identical to the pre-stored MD5 value, execute S11F: refresh the timestamp on the encrypted authorization relationship information;
S11G: send the consumer the refreshed encrypted authorization relationship information together with a reminder to replace the encrypted authorization relationship information, reminding the consumer to replace the expired encrypted authorization relationship information with the refreshed encrypted authorization relationship information.
In this embodiment, if the MD5 value is identical to the pre-stored MD5 value, the current consumer has access permission. To avoid the current consumer again encountering an expired identity, and thus needing a second authentication, the next time it applies to invoke the service provider's service resource, the service provider can refresh the timestamp on the encrypted authorization relationship information. For example, if the moment identified by the timestamp is 13:14:52 on January 1, 2019, the encrypted authorization relationship information arrives at the service provider at 13:14:56 on January 1, 2019, and the preset validity period is assumed to be 7 days, then when the service provider determines from the MD5 value that the current consumer has access permission, it can refresh the moment identified by the timestamp to 13:14:52 on January 8, 2019, send the refreshed encrypted authorization relationship information to the consumer, and send a reminder notifying the consumer to replace the encrypted authorization relationship information. On receiving the refreshed encrypted authorization relationship information and the reminder, the consumer replaces the expired encrypted authorization relationship information with the refreshed one, so that the next time it applies to invoke the service provider's service resource no expired identity arises and no second authentication via the MD5 value is needed. This reduces the time spent on permission verification, improves system performance and also makes identity authentication more flexible.
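The following Python is an added illustration, not part of the application, of the service provider's decisions in the timestamp check (S11A), the MD5 fallback (S14A/S14B and S11B to S11E) and the timestamp refresh (S11F/S11G), driven by the description's own figures. The authorization is shown already decrypted; the `Authorization` and `ServiceProvider` names, the 7-day validity and the C1/C2/P1 values are the example's own constructed assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace
from datetime import datetime, timedelta
from typing import Dict, Optional, Tuple

# Preset validity period; the description's worked figures use 7 days.
VALIDITY = timedelta(days=7)


@dataclass(frozen=True)
class Authorization:
    """Authorization relationship information as the service provider sees it
    after decryption: the Cn-Pn relation plus the timestamp it carries. Per the
    description the timestamp is generation time + validity, i.e. the expiry."""
    relation: str        # e.g. "C1-P1"
    expires_at: datetime


def relation_digest(relation: str) -> str:
    # S14A: the description specifies MD5 over the Cn-Pn relation.
    return hashlib.md5(relation.encode("utf-8")).hexdigest()


class ServiceProvider:
    def __init__(self, service_code: str) -> None:
        self.service_code = service_code
        self._digests: Dict[str, str] = {}  # consumer code -> pre-stored MD5 value

    def is_expired(self, auth: Authorization, arrival: datetime) -> bool:
        # S11A: expired unless the arrival time is before the timestamp.
        return arrival >= auth.expires_at

    def authorize(self, consumer_code: str, auth: Authorization,
                  arrival: datetime) -> str:
        """Normal path (S11A, S14, S14A/S14B). Returns 'granted', 'expired' or 'denied'."""
        if self.is_expired(auth, arrival):
            return "expired"  # S11B: prompt the consumer to re-authenticate
        cn, _, pn = auth.relation.partition("-")
        if cn != consumer_code or pn != self.service_code:
            return "denied"   # S14: both Cn and Pn must match
        # S14A/S14B: store the MD5 value under the consumer code; the consumer
        # keeps the same value for the expired-identity path.
        self._digests[consumer_code] = relation_digest(auth.relation)
        return "granted"

    def reauthenticate(self, consumer_code: str, digest: str,
                       auth: Authorization) -> Tuple[str, Optional[Authorization]]:
        """Expired-identity path (S11C to S11G). Returns the decision and, when
        granted, the authorization with its timestamp refreshed."""
        stored = self._digests.get(consumer_code)   # S11C: lookup by consumer code
        if stored is None or not hmac.compare_digest(stored, digest):
            return "denied", None                   # S11D fails: re-apply at the registry
        # S11E/S11F: grant and move the timestamp forward by one validity period
        # (13:14:52 on Jan 1 becomes 13:14:52 on Jan 8 in the description's example).
        refreshed = replace(auth, expires_at=auth.expires_at + VALIDITY)
        return "granted", refreshed                 # S11G: consumer replaces its copy


def demo() -> Dict[str, str]:
    """Walks the description's figures; all values are constructed sample input."""
    p1 = ServiceProvider("P1")
    auth = Authorization("C1-P1", datetime(2019, 1, 1, 13, 14, 52))
    early = datetime(2019, 1, 1, 13, 14, 50)
    late = datetime(2019, 1, 1, 13, 14, 56)
    out = {
        "first_call": p1.authorize("C1", auth, early),      # granted; MD5 value stored
        "wrong_consumer": p1.authorize("C2", auth, early),  # denied
        "late_call": p1.authorize("C1", auth, late),        # expired
    }
    md5_of_c1 = relation_digest("C1-P1")                    # the copy consumer 1 kept
    out["stolen_md5"], _ = p1.reauthenticate("C2", md5_of_c1, auth)      # denied
    out["wrong_md5"], _ = p1.reauthenticate("C1", "0" * 32, auth)        # denied
    out["reauth"], refreshed = p1.reauthenticate("C1", md5_of_c1, auth)  # granted
    out["refreshed_to"] = refreshed.expires_at.isoformat(" ")  # 2019-01-08 13:14:52
    return out
```

Following the description, the digest is MD5 of the plaintext relation, which anyone who knows the two codes can compute; what protects the fallback path is that the value is looked up under the presenting consumer's code, not the digest being secret.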
Referring to FIG. 2 and FIG. 3, an embodiment of the present application further proposes a permission application method applied to an identity authentication system, the identity authentication system including a consumer, a service provider and a service registry, which can communicate with one another over a network. The permission application method includes:
S21: the consumer sends a service registration request to the service registry to register the service provider's service, where the service registration request includes the consumer's consumer code information;
S22: receive the service provider's service information returned by the service registry in response to the service registration request, where the service information includes service code information;
S23: generate consumer code-service code invocation relationship information from the service code information and the pre-stored consumer code information;
S24: send a permission application request to the service registry, where the permission application request includes the consumer code-service code invocation relationship information;
S25: receive and save the encrypted authorization relationship information returned by the service registry in response to the permission application request, where the encrypted authorization relationship information contains the consumer code-service code invocation relationship information.
In step S21 above, when the consumer invokes the service provider's service resource for the first time, it must first register the service provider's service. Specifically, the consumer logs in to the service registry using the account and password entered by the user; after a successful login, the consumer sends the service registry a service registration request for registering the service provider's service, which includes the consumer's consumer code information. Thus only after a service provider's service has been registered through the service registry can the consumer subsequently apply to invoke that service provider's service resource.
In the above step S22, when the service party starts for the first time, it registers its own service information with the service registration center, where the service information of the service party includes the name of the service party, the service code information of the service party, the IP address and port of the service party, the request address of the service party, and so on. Specifically, when the service registration center receives the service registration request sent by the consumer, it responds to the request by randomly generating a service key corresponding to the consumption code information and saving it, and at the same time returns the service information of the service party to the consumer.
In the above step S23, when the consumer receives the service information returned by the service registration center, the consumer generates the consumption code-service code invocation relationship information from the service code information contained in the service information and its own consumption code information, for use in the subsequent operations.
In the above step S24, specifically, after the consumption code-service code invocation relationship information has been generated, the consumer sends a permission application request to the service registration center, where the permission application request includes the consumption code-service code invocation relationship information, the consumer's IP address information and the consumer's consumption code information, in order to apply for permission to call the service party's service resources.
In the above step S25, when the service registration center receives the permission application request, it saves the consumer's IP address information and, in response to the request, looks up the previously generated service key corresponding to the consumption code information, uses that service key to encrypt the consumption code-service code invocation relationship information to produce the authorization relationship encryption information, and returns the authorization relationship encryption information to the consumer. The consumer receives and saves it, and thereby holds the permission to access the service party. Subsequently, whenever the consumer needs to call the service party's service resources, it only needs to find the service party's request address in the service information it has saved and send a service invocation request to the service party over HTTP, with the authorization relationship encryption information and the consumer's consumption code information placed in the HTTP request header.

In addition, in a concrete application scenario the consumer generally has multiple hosts, and the user calls the service party's service resources from a particular host of the consumer; the consumer's IP address information is therefore the IP address of the host the user is using. When the user later switches to a different host to apply to call the service party's service resources, the new host must send a fresh permission application request to the service registration center to obtain the authorization relationship encryption information, where that permission application request includes the host's IP address and the consumer's consumption code information. In this way, the service registration center can later determine which of the consumer's hosts have obtained the authorization relationship encryption information by querying the saved IP address information, which serves to audit changes in consumer instances.
In this embodiment, the consumer's application for permission to access the service party is implemented algorithmically: apart from the first permission application, in which the consumer must obtain the authorization relationship encryption information from the service registration center, every subsequent time the consumer needs to call the service party's service resources it simply makes the call using the authorization relationship encryption information and consumption code it has saved, without depending on a third-party authentication data source, which reduces the overhead of network queries.
In a preferred embodiment, the authorization relationship encryption information is saved in a cache folder of the consumer, where the cache folder is encrypted using the consumer's local hardware information (such as the MAC address, model information, etc.), and the above permission application method further includes:
S26: Compare the pre-stored hardware information with the local hardware information and determine whether the two are consistent, in order to obtain the authorization relationship encryption information from the cache folder;
If the hardware information is consistent with the local hardware information, execute S27: send a service invocation request to the service party to obtain the service party's service resources, where the service invocation request includes the consumption code information and the authorization relationship encryption information.
In this embodiment, when a user needs to apply to call the service party's service resources from a particular host of the consumer, the authorization relationship encryption information must be obtained from the cache file, so the cache folder is decrypted first. Specifically, the host compares its own pre-stored hardware information (such as the MAC address) with the local hardware information and determines whether the two are consistent. If they are consistent, this preliminarily indicates that the current host has permission to call the service party's service resources, and the host can then send the service party a service invocation request that includes the consumption code information and the authorization relationship encryption information, in order to obtain the service party's service resources. If they are inconsistent, the current host cannot obtain the authorization relationship encryption information from the cache file and therefore cannot call the service party's service resources. Because the consumer keeps the authorization relationship encryption information in a cache file encrypted with the local hardware information, a host of the consumer must first decrypt the cache file with its own local hardware information before it can call the service party's service resources. This prevents the authorization relationship encryption information from being copied to another host of the consumer and used there (once the consumer's host changes, the local hardware information changes as well, so the authorization relationship encryption information cannot be recovered), which improves data security.
Referring to FIG. 3, an embodiment of the present application further provides an identity authentication system, including:
a service registration center, configured to generate the service key and the authorization relationship encryption information, store the service information of the service party, provide the service key to the service party, and provide the authorization relationship encryption information and the service information to the consumer, where the authorization relationship encryption information contains the consumption code-service code invocation relationship information and the service information includes the service code information;
a consumer, configured to generate the consumption code-service code invocation relationship information from the service code information and its own consumption code information, obtain and save the authorization relationship encryption information and the service information from the service registration center, and send a service invocation request to the service party, where the service invocation request includes the consumption code information and the authorization relationship encryption information;
a service party, configured to register its own service information with the service registration center, obtain and save the service key from the service registration center, and determine from the service invocation request sent by the consumer whether the consumer has permission to call its service resources.
In this embodiment, the principles and processes of the communication among the service registration center, the consumer and the service party can be understood by reference to the description of the method embodiments above, as those skilled in the art will appreciate, and are not repeated here.
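The following Python simulation is an added illustration and is not part of the patent or its applicant's code. It plays all three roles of the flow described above (steps S21 to S27: per-consumption-code service key at the registry, encrypted call relationship with a timestamp, hardware-bound cache on the consumer) and the service-side checks of claims 1 and 2 (key lookup, decryption, legality of the call relationship, expiry). The header names, sample codes, addresses, times and the SHA-256/HMAC construction that stands in for the cipher the patent leaves unspecified are all assumptions.

```python
import base64
import hashlib
import hmac
import json
import secrets

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0  # SHA-256 in counter mode: a demo stand-in for a real cipher such as AES-GCM
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def seal(key: bytes, plaintext: bytes) -> str:
    nonce = secrets.token_bytes(16)  # encrypt-then-MAC under a fresh random nonce; returns a printable token
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(nonce + ct + tag).decode()

def unseal(key: bytes, token: str):
    try:  # check the MAC before decrypting; None for a wrong key, tampering or malformed input
        raw = base64.urlsafe_b64decode(token.encode())
    except ValueError:
        return None
    nonce, ct, tag = raw[:16], raw[16:-32], raw[-32:]
    if len(raw) < 48 or not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def cache_key(hardware_id: str) -> bytes:
    # Cache-folder key derived from local hardware info (a MAC address here), as in step S26.
    return hashlib.sha256(b"cache:" + hardware_id.encode()).digest()

class ServiceRegistry:
    def __init__(self):
        self.services, self.service_keys, self.audit = {}, {}, []  # service info, key per consumption code, (code, ip) log

    def service_registration(self, consumption_code, service_code):
        # S21/S22: create (or reuse) the consumer's random service key and return the service party's info.
        self.service_keys.setdefault(consumption_code, secrets.token_bytes(32))
        return self.services[service_code]

    def permission_request(self, consumption_code, relation, host_ip, now):
        # S24/S25: record the requesting host for auditing, then encrypt the call relationship plus a timestamp.
        self.audit.append((consumption_code, host_ip))
        payload = json.dumps({"relation": relation, "issued_at": now}).encode()
        return seal(self.service_keys[consumption_code], payload)

class ServiceProvider:
    def __init__(self, service_code, registry):
        self.service_code, self.registry, self.keys = service_code, registry, {}
        registry.services[service_code] = {"service_code": service_code, "request_address": "http://svc.example/api"}

    def handle_call(self, headers, now, max_age=3600):
        # Claim 1 checks plus the claim 2 expiry check, run on the headers of a service invocation request.
        code = headers.get("X-Consumption-Code")
        self.keys[code] = key = self.keys.get(code) or self.registry.service_keys.get(code)  # fetch key on demand
        if key is None:
            return 401, "no service key for this consumption code"
        payload = unseal(key, headers.get("X-Auth", ""))
        if payload is None:
            return 401, "authorization relationship information invalid"
        data = json.loads(payload)
        if now - data["issued_at"] > max_age:
            return 401, "authorization relationship information expired"
        if data["relation"] != {"consumption_code": code, "service_code": self.service_code}:
            return 403, "consumption code-service code relationship not legal"
        return 200, "service resource"

class Consumer:
    def __init__(self, consumption_code, host_ip, hardware_id):
        self.code, self.host_ip, self.hardware_id, self.cache = consumption_code, host_ip, hardware_id, None

    def obtain_permission(self, registry, service_code, now):
        # S21-S25: register, build the call relationship, request the token and seal it into the cache.
        info = registry.service_registration(self.code, service_code)
        relation = {"consumption_code": self.code, "service_code": info["service_code"]}
        token = registry.permission_request(self.code, relation, self.host_ip, now)
        self.cache = seal(cache_key(self.hardware_id), token.encode())

    def call_service(self, provider, now, hardware_id=None):
        # S26/S27: unlock the cache with the host's current hardware info, then send the request.
        token = unseal(cache_key(hardware_id or self.hardware_id), self.cache)
        if token is None:
            return 0, "cache locked: local hardware info does not match"
        return provider.handle_call({"X-Consumption-Code": self.code, "X-Auth": token.decode()}, now)

def run_demo():
    registry = ServiceRegistry()
    order_svc, other_svc = ServiceProvider("SVC-ORDER", registry), ServiceProvider("SVC-OTHER", registry)
    consumer = Consumer("CONS-WEB", "10.0.0.5", "aa:bb:cc:dd:ee:ff")  # constructed sample values
    t0 = 1_700_000_000
    consumer.obtain_permission(registry, "SVC-ORDER", t0)
    return {
        "valid": consumer.call_service(order_svc, t0 + 60)[0],
        "expired": consumer.call_service(order_svc, t0 + 7200)[0],
        "copied_cache": consumer.call_service(order_svc, t0 + 60, hardware_id="11:22:33:44:55:66")[0],
        "wrong_service": consumer.call_service(other_svc, t0 + 60)[0],
        "audited_hosts": registry.audit,
    }
```

`run_demo()` returns 200 for the valid call, 401 for the expired token, 0 when the cache is opened on a host with different hardware info, 403 when a token issued for one service is presented to another, and the audited (consumption code, host IP) pairs.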
Referring to FIG. 4, an embodiment of the present application further provides a computer device. The computer device may be a server, and its internal structure may be as shown in FIG. 4. The computer device includes a processor, a memory, a network interface and a database connected through a system bus. The processor of the computer device provides computing and control capabilities. The memory of the computer device includes a storage medium and an internal memory, where the storage medium may be a non-volatile storage medium or a volatile storage medium. The storage medium stores an operating system, a computer program and a database. The internal memory provides an environment for running the operating system and the computer program held in the storage medium. The database of the computer device is used to store the program of the identity authentication method and the like. The network interface of the computer device is used to communicate with an external terminal over a network connection. When the computer program is executed by the processor, the identity authentication method of any of the above embodiments is implemented.
An embodiment of the present application further provides a computer-readable storage medium, where the storage medium may be a non-volatile storage medium or a volatile storage medium. A computer program is stored on the storage medium, and when the computer program is executed by a processor, the identity authentication method of any of the above embodiments is implemented.
Those of ordinary skill in the art will understand that all or part of the processes of the above embodiment methods can be implemented by a computer program instructing the relevant hardware. The computer program may be stored in a non-volatile computer-readable storage medium, and when executed may include the processes of the above method embodiments. Any reference to memory, storage, a database or other media provided in this application and used in the embodiments may include non-volatile and/or volatile memory. Non-volatile memory may include read-only memory (ROM), programmable ROM (PROM), electrically programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM) or flash memory. Volatile memory may include random access memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in many forms, such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (SSRSDRAM), enhanced SDRAM (ESDRAM), Synchlink DRAM (SLDRAM), Rambus direct RAM (RDRAM), direct Rambus dynamic RAM (DRDRAM) and Rambus dynamic RAM (RDRAM).
It should be noted that, herein, the terms "comprise", "include" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, apparatus, article or method that includes a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, apparatus, article or method. Absent further limitation, an element defined by the phrase "including a ..." does not exclude the presence of other identical elements in the process, apparatus, article or method that includes that element.
The above are merely preferred embodiments of the present invention and do not thereby limit its patent scope. Any equivalent structural or equivalent process transformation made using the content of the description and drawings of the present invention, or any direct or indirect application in other related technical fields, is likewise included within the scope of patent protection of the present invention.

Claims (20)

  1. An identity authentication method, characterized in that it comprises:
    a service party receiving a service invocation request sent by a consumer, wherein the service invocation request includes consumption code information of the consumer and authorization relationship encryption information pre-stored in the consumer, and the authorization relationship encryption information contains consumption code-service code invocation relationship information;
    checking, according to the consumption code information, whether the service party itself has a pre-stored service key corresponding to the consumption code information;
    if a service key corresponding to the consumption code information is found to be pre-stored, decrypting the authorization relationship encryption information with the service key to obtain the consumption code-service code invocation relationship information;
    verifying the consumption code-service code invocation relationship information according to the consumption code information and pre-stored service code information, and determining whether the consumption code-service code invocation relationship information is legal;
    if the consumption code-service code invocation relationship information is legal, responding to the service invocation request by returning the corresponding service resource to the consumer.
  2. The identity authentication method according to claim 1, characterized in that the authorization relationship encryption information carries a timestamp, and after the step of receiving the service invocation request sent by the consumer, the method further comprises:
    determining from the timestamp whether the authorization relationship encryption information has expired;
    if the authorization relationship encryption information has not expired, performing the step of checking, according to the consumption code information, whether a service key corresponding to the consumption code information is pre-stored.
  3. The identity authentication method according to claim 2, characterized in that after the step of determining whether the consumption code-service code invocation relationship information is legal, the method further comprises:
    if the consumption code-service code invocation relationship information is legal, computing the MD5 value of the consumption code-service code invocation relationship information with a preset MD5 algorithm and saving it;
    sending the MD5 value to the consumer for storage.
  4. The identity authentication method according to claim 3, characterized in that after the step of determining from the timestamp whether the authorization relationship encryption information has expired, the method further comprises:
    if the authorization relationship encryption information has expired, sending the consumer a prompt that its identity has expired, so as to prompt the consumer to perform identity verification again;
    receiving the MD5 value and the consumption code information returned by the consumer in response to the prompt, and checking according to the consumption code information whether a corresponding pre-stored MD5 value exists;
    if a corresponding pre-stored MD5 value exists, comparing the MD5 value with the pre-stored MD5 value and determining whether they are consistent;
    if the MD5 value is consistent with the pre-stored MD5 value, responding to the service invocation request by returning the corresponding service resource to the consumer.
  5. The identity authentication method according to claim 4, characterized in that after the step of determining whether the MD5 value is consistent with the pre-stored MD5 value, the method further comprises:
    if the MD5 value is consistent with the pre-stored MD5 value, refreshing the timestamp on the authorization relationship encryption information;
    sending the consumer the refreshed authorization relationship encryption information together with a reminder to replace the authorization relationship encryption information, so as to remind the consumer to replace the expired authorization relationship encryption information with the refreshed one.
  6. A permission application method, characterized in that it comprises:
    a consumer sending a service registration request to a service registration center to register a service of a service party, wherein the service registration request includes consumption code information of the consumer;
    receiving service information of the service party returned by the service registration center in response to the service registration request, wherein the service information includes service code information;
    generating consumption code-service code invocation relationship information according to the service code information and the pre-stored consumption code information;
    sending a permission application request to the service registration center, wherein the permission application request includes the consumption code-service code invocation relationship information;
    receiving and saving authorization relationship encryption information returned by the service registration center in response to the permission application request, wherein the authorization relationship encryption information contains the consumption code-service code invocation relationship information.
  7. The permission application method according to claim 6, characterized in that the authorization relationship encryption information is saved in a cache folder of the consumer, wherein the cache folder is encrypted using local hardware information of the consumer, and the permission application method further comprises:
    comparing pre-stored hardware information with the local hardware information and determining whether they are consistent, in order to obtain the authorization relationship encryption information from the cache folder;
    if the hardware information is consistent with the local hardware information, sending a service invocation request to the service party to obtain a service resource of the service party, wherein the service invocation request includes the consumption code information and the authorization relationship encryption information.
  8. An identity authentication system, characterized in that it comprises:
    a service registration center, configured to generate a service key and authorization relationship encryption information, store service information of a service party, provide the service key to the service party, and provide the authorization relationship encryption information and the service information to a consumer, wherein the authorization relationship encryption information contains consumption code-service code invocation relationship information and the service information includes service code information;
    the consumer, configured to generate the consumption code-service code invocation relationship information from the service code information and its own consumption code information, obtain and save the authorization relationship encryption information and the service information from the service registration center, and send a service invocation request to the service party, wherein the service invocation request includes the consumption code information and the authorization relationship encryption information;
    the service party, configured to register its own service information with the service registration center, obtain and save the service key from the service registration center, and determine from the service invocation request sent by the consumer whether the consumer has permission to call its service resources.
  9. A computer device, comprising a memory and a processor, the memory storing a computer program, characterized in that when the processor executes the computer program an identity authentication method is implemented, the identity authentication method comprising:
    a service party receiving a service invocation request sent by a consumer, wherein the service invocation request includes consumption code information of the consumer and authorization relationship encryption information pre-stored in the consumer, and the authorization relationship encryption information contains consumption code-service code invocation relationship information;
    checking, according to the consumption code information, whether the service party itself has a pre-stored service key corresponding to the consumption code information;
    if a service key corresponding to the consumption code information is found to be pre-stored, decrypting the authorization relationship encryption information with the service key to obtain the consumption code-service code invocation relationship information;
    verifying the consumption code-service code invocation relationship information according to the consumption code information and pre-stored service code information, and determining whether the consumption code-service code invocation relationship information is legal;
    if the consumption code-service code invocation relationship information is legal, responding to the service invocation request by returning the corresponding service resource to the consumer.
  10. The computer device according to claim 9, characterized in that the authorization relationship encryption information carries a timestamp, and after the step of receiving the service invocation request sent by the consumer, the method further comprises:
    determining from the timestamp whether the authorization relationship encryption information has expired;
    if the authorization relationship encryption information has not expired, performing the step of checking, according to the consumption code information, whether a service key corresponding to the consumption code information is pre-stored.
  11. The computer device according to claim 10, characterized in that after the step of determining whether the consumption code-service code invocation relationship information is legal, the method further comprises:
    if the consumption code-service code invocation relationship information is legal, computing the MD5 value of the consumption code-service code invocation relationship information with a preset MD5 algorithm and saving it;
    sending the MD5 value to the consumer for storage.
  12. The computer device according to claim 11, characterized in that after the step of determining from the timestamp whether the authorization relationship encryption information has expired, the method further comprises:
    if the authorization relationship encryption information has expired, sending the consumer a prompt that its identity has expired, so as to prompt the consumer to perform identity verification again;
    receiving the MD5 value and the consumption code information returned by the consumer in response to the prompt, and checking according to the consumption code information whether a corresponding pre-stored MD5 value exists;
    if a corresponding pre-stored MD5 value exists, comparing the MD5 value with the pre-stored MD5 value and determining whether they are consistent;
    if the MD5 value is consistent with the pre-stored MD5 value, responding to the service invocation request by returning the corresponding service resource to the consumer.
  13. The computer device according to claim 12, characterized in that after the step of determining whether the MD5 value is consistent with the pre-stored MD5 value, the method further comprises:
    if the MD5 value is consistent with the pre-stored MD5 value, refreshing the timestamp on the authorization relationship encryption information;
    sending the consumer the refreshed authorization relationship encryption information together with a reminder to replace the authorization relationship encryption information, so as to remind the consumer to replace the expired authorization relationship encryption information with the refreshed one.
  14. A computer-readable storage medium on which a computer program is stored, characterized in that when the computer program is executed by a processor an identity authentication method is implemented, the identity authentication method comprising:
    a service party receiving a service invocation request sent by a consumer, wherein the service invocation request includes consumption code information of the consumer and authorization relationship encryption information pre-stored in the consumer, and the authorization relationship encryption information contains consumption code-service code invocation relationship information;
    checking, according to the consumption code information, whether the service party itself has a pre-stored service key corresponding to the consumption code information;
    if a service key corresponding to the consumption code information is found to be pre-stored, decrypting the authorization relationship encryption information with the service key to obtain the consumption code-service code invocation relationship information;
    verifying the consumption code-service code invocation relationship information according to the consumption code information and pre-stored service code information, and determining whether the consumption code-service code invocation relationship information is legal;
    if the consumption code-service code invocation relationship information is legal, responding to the service invocation request by returning the corresponding service resource to the consumer.
  15. The computer-readable storage medium according to claim 14, wherein the encrypted authorization relationship information carries a timestamp, and after the step of receiving the service invocation request sent by the consumer, the method further comprises:
    determining, according to the timestamp, whether the encrypted authorization relationship information has expired;
    if the encrypted authorization relationship information has not expired, performing the step of checking, according to the consumer code information, whether a service key corresponding to the consumer code information is pre-stored.
  16. The computer-readable storage medium according to claim 15, wherein after the step of determining whether the consumer-code/service-code invocation relationship information is legitimate, the method further comprises:
    if the consumer-code/service-code invocation relationship information is legitimate, computing an MD5 value of the consumer-code/service-code invocation relationship information with a preset MD5 algorithm and saving it;
    sending the MD5 value to the consumer for storage.
  17. The computer-readable storage medium according to claim 16, wherein after the step of determining, according to the timestamp, whether the encrypted authorization relationship information has expired, the method further comprises:
    if the encrypted authorization relationship information has expired, sending an identity-expired prompt to the consumer to prompt the consumer to perform identity verification again;
    receiving the MD5 value and the consumer code information returned by the consumer in response to the prompt, and checking, according to the consumer code information, whether a corresponding pre-stored MD5 value exists;
    if a corresponding pre-stored MD5 value exists, comparing the MD5 value with the pre-stored MD5 value to determine whether they match;
    if the MD5 value matches the pre-stored MD5 value, responding to the service invocation request by returning the corresponding service resource to the consumer.
  18. The computer-readable storage medium according to claim 17, wherein after the step of determining whether the MD5 value matches the pre-stored MD5 value, the method further comprises:
    if the MD5 value matches the pre-stored MD5 value, refreshing the timestamp carried by the encrypted authorization relationship information;
    sending the refreshed encrypted authorization relationship information to the consumer together with a reminder to replace the encrypted authorization relationship information, so as to remind the consumer to replace the expired encrypted authorization relationship information with the refreshed one.
  19. An identity authentication apparatus, comprising:
    a first receiving module, configured for a service party to receive a service invocation request sent by a consumer, wherein the service invocation request includes consumer code information of the consumer and encrypted authorization relationship information pre-stored at the consumer, the encrypted authorization relationship information containing consumer-code/service-code invocation relationship information;
    a checking module, configured to check, according to the consumer code information, whether a service key corresponding to the consumer code information is pre-stored at the service party;
    a decryption module, configured to decrypt, if a service key corresponding to the consumer code information is found to be pre-stored, the encrypted authorization relationship information with the service key to obtain the consumer-code/service-code invocation relationship information;
    a verification module, configured to verify the consumer-code/service-code invocation relationship information against the consumer code information and pre-stored service code information, and to determine whether the consumer-code/service-code invocation relationship information is legitimate;
    a return module, configured to respond to the service invocation request by returning the corresponding service resource to the consumer if the consumer-code/service-code invocation relationship information is legitimate.
  20. A permission application apparatus, comprising:
    a sending module, configured for a consumer to send a service registration request to a service registry to register a service of a service party, wherein the service registration request includes consumer code information of the consumer;
    a second receiving module, configured to receive service information of the service party returned by the service registry in response to the service registration request, wherein the service information includes service code information;
    a generating module, configured to generate consumer-code/service-code invocation relationship information from the service code information and the pre-stored consumer code information;
    a request module, configured to send a permission application request to the service registry, wherein the permission application request includes the consumer-code/service-code invocation relationship information;
    a saving module, configured to receive and save encrypted authorization relationship information returned by the service registry in response to the permission application request, wherein the encrypted authorization relationship information contains the consumer-code/service-code invocation relationship information.
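The service-side flow of claims 14 to 18, together with the token issuance that claim 20 expects from the registry, as an added Python example; this is not code from the patent. Because the claims name no cipher, the sealed authorization information is modelled with a stand-in SHA-256 counter-mode stream plus an HMAC tag over ciphertext and timestamp, and the 3600-second lifetime, the service key bytes and the codes C001/S100 are constructed values.

```python
import hashlib
import hmac
import json

TTL_SECONDS = 3600  # assumed token lifetime; the claims fix no value


def _keystream(key: bytes, n: int) -> bytes:
    """Stand-in cipher: SHA-256 in counter mode (the claims name no cipher)."""
    blocks = (hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]


def _tag(key: bytes, ciphertext: bytes, timestamp: int) -> str:
    # HMAC over ciphertext and timestamp, so a refreshed timestamp is itself authenticated.
    return hmac.new(key, ciphertext + str(timestamp).encode(), hashlib.sha256).hexdigest()


def issue_token(service_key: bytes, consumer_code: str, service_code: str, issued_at: int) -> dict:
    """Registry side (claim 20): seal the consumer-code/service-code relation with a timestamp."""
    body = json.dumps({"consumer": consumer_code, "service": service_code}, sort_keys=True).encode()
    ct = bytes(a ^ b for a, b in zip(body, _keystream(service_key, len(body))))
    return {"ciphertext": ct.hex(), "timestamp": issued_at, "tag": _tag(service_key, ct, issued_at)}


class ServiceParty:
    def __init__(self, service_code: str, service_keys: dict):
        self.service_code = service_code
        self.keys = service_keys  # consumer code -> pre-stored service key
        self.fingerprints = {}    # consumer code -> saved MD5 of the verified relation (claim 16)

    def handle_request(self, consumer_code: str, token: dict, now: int) -> dict:
        if now - token["timestamp"] > TTL_SECONDS:  # claim 15
            return {"status": "expired"}           # claim 17: consumer must re-verify
        key = self.keys.get(consumer_code)
        if key is None:
            return {"status": "rejected", "reason": "no service key for consumer"}
        ct = bytes.fromhex(token["ciphertext"])
        if not hmac.compare_digest(_tag(key, ct, token["timestamp"]), token["tag"]):
            return {"status": "rejected", "reason": "token tampered"}
        relation = json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, len(ct)))))
        if relation != {"consumer": consumer_code, "service": self.service_code}:
            return {"status": "rejected", "reason": "relation mismatch"}
        # MD5 as the claims specify; it serves as a lookup fingerprint, not an integrity proof.
        digest = hashlib.md5(json.dumps(relation, sort_keys=True).encode()).hexdigest()
        self.fingerprints[consumer_code] = digest
        return {"status": "ok", "resource": f"resource-of-{self.service_code}", "md5": digest}

    def reverify(self, consumer_code: str, md5_value: str, token: dict, now: int) -> dict:
        """Claims 17-18: the saved MD5 is a bearer credential here, so compare in constant time."""
        stored, key = self.fingerprints.get(consumer_code), self.keys.get(consumer_code)
        if stored is None or key is None or not hmac.compare_digest(stored, md5_value):
            return {"status": "rejected", "reason": "md5 mismatch"}
        refreshed = dict(token, timestamp=now, tag=_tag(key, bytes.fromhex(token["ciphertext"]), now))
        result = self.handle_request(consumer_code, refreshed, now)  # full check on the refreshed token
        if result["status"] == "ok":
            result["token"] = refreshed  # consumer replaces the expired token with this one
        return result
```

Note that the refreshed token is re-verified end to end before it is handed back, so a captured MD5 value alone cannot renew a token whose sealed relation does not name this consumer and this service.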
PCT/CN2019/119479 2019-04-25 2019-11-19 Identity authentication method and system, computer device, and storage medium WO2020215709A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201910341167.7 2019-04-25
CN201910341167.7A CN110213229B (en) 2019-04-25 2019-04-25 Identity authentication method, system, computer equipment and storage medium

Publications (1)

Publication Number Publication Date
WO2020215709A1 true WO2020215709A1 (en) 2020-10-29

Family

ID=67786496

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2019/119479 WO2020215709A1 (en) 2019-04-25 2019-11-19 Identity authentication method and system, computer device, and storage medium

Country Status (2)

Country Link
CN (1) CN110213229B (en)
WO (1) WO2020215709A1 (en)

Also Published As

Publication number Publication date
CN110213229A (en) 2019-09-06
CN110213229B (en) 2021-09-14

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
    Ref document number: 19926346; Country of ref document: EP; Kind code of ref document: A1
NENP Non-entry into the national phase
    Ref country code: DE
122 Ep: pct application non-entry in european phase
    Ref document number: 19926346; Country of ref document: EP; Kind code of ref document: A1