WO2021003751A1 - Single-account multi-identity login method and apparatus, server, and storage medium - Google Patents


Info

Publication number
WO2021003751A1
Authority
WO
WIPO (PCT)
Prior art keywords
user
login
identity
ticket
business system
Application number
PCT/CN2019/095653
Other languages
French (fr)
Chinese (zh)
Inventor
陈鹏宇
滕凯
陈滢朱
Original Assignee
深圳市鹰硕技术有限公司
Application filed by 深圳市鹰硕技术有限公司
Priority to PCT/CN2019/095653 (WO2021003751A1)
Priority to CN201980001193.3A (CN110582769A)
Publication of WO2021003751A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F 21/31 User authentication
    • G06F 21/45 Structures or tools for the administration of authentication

Definitions

  • The present invention relates to the technical field of single sign-on, and in particular to a single-account multi-identity login method, device, authentication server and storage medium.
  • Patent CN101977184A discloses a multi-identity selection login device and service system, which provides a selection login system based on user identity. This system solves the problem that users cannot access different application subsystems within the same application server with the same account and different identities. It does not solve the problem of users accessing different services under different third-party business systems with the same account and different identities.
  • The purpose of the present invention is to provide a single-account multi-identity login method, device, authentication server and storage medium that solve the above-mentioned problems in the background art.
  • a single account multi-identity login method including:
  • the user information corresponding to the user information acquisition request is returned to the third-party business system, so that the user can access the third-party business system with the user identity information.
  • the identity information includes one or more identity attributes
  • the identity attributes include a user role and an organization to which the user belongs.
  • the login request includes login information and an authentication callback address of the third-party business system.
  • the method further includes:
  • the user login ticket is generated according to the user ID and identity information of the matching user and sent to the third-party business system.
  • the method further includes:
  • a user login ticket is generated and sent to the third-party service system.
  • a single-account multi-identity login device including:
  • the login authentication module is used to obtain the login request submitted by the client user, and authenticate the login request;
  • the login ticket generation module is used to obtain the user ID and identity information of the matching user when the authentication is passed, generate the user login ticket according to the user ID and the identity information, and send it to the third-party business system;
  • the access authorization module is used to receive an access authorization request sent by a third-party business system, generate an access authorization ticket, and send the access authorization ticket to the third-party business system;
  • the access request receiving module is configured to receive a user information acquisition request sent by a third-party business system, where the user information acquisition request carries an access authorization ticket and a user login ticket;
  • the user information sending module is configured to return the user information corresponding to the user information acquisition request to the third-party business system after the verification of the access authorization ticket is passed, so that the user can access the third-party business system with the user identity information.
  • the single-account multi-identity login device is used to perform operations for implementing the single-account multi-identity login method described in any one of the above.
  • a single-account multi-identity login device including a memory and a processor, wherein:
  • the memory is used to store instructions;
  • the processor is configured to execute the instructions, so that the single-account multiple-identity login device executes operations for implementing the single-account multiple-identity login method described in any one of the above.
  • an authentication server which includes the single-account multi-identity login device described in any one of the above.
  • a computer-readable storage medium on which a computer program is stored, and when the computer program is executed by a processor, the steps of the single-account multi-identity login method described in any one of the above are implemented.
  • The user is uniformly authenticated and managed by the authentication server.
  • When the user accesses a third-party business system, the user first jumps to the unified login page. The authentication server authenticates the user login information, then obtains the user ID and identity information of the logged-in user, generates a unique user login ticket from them, and sends it to the third-party business system. The third-party business system pulls the user's related information according to the user login ticket and the access authorization ticket it obtained from the authentication server, and enters the functional mode that matches the user's identity.
  • The embodiments of the present invention enable users to access different services under different third-party business systems with the same account and different identities, which greatly reduces account management costs and improves work efficiency.
  • Figure 1 is a flowchart of a single account and multiple identity login method in an embodiment of the present invention
  • Figure 2 is a flowchart of a single account and multiple identity login method in another embodiment of the present invention.
  • FIG. 3 is a sequence diagram of a single account multi-identity login in an embodiment of the present invention.
  • Figure 4 is a structural diagram of a single-account multi-identity login device in an embodiment of the present invention.
  • Fig. 5 is a structural diagram of a single-account multi-identity login device in another embodiment of the present invention.
  • Referring to Fig. 1, which is a flowchart of a single-account multi-identity login method in an embodiment of the present invention.
  • The method of this embodiment is executed by a single-account multi-identity login device in the authentication server, and includes the following steps:
  • Step S101 Obtain a login request submitted by a client user, and authenticate the login request.
  • the user accesses the third-party business system through a browser on the client PC.
  • the third-party business system integrates a unified login authentication service based on CAS (Central Authentication Service).
  • the client user selects the login method on the unified login page, enters the login information and submits it to the authentication server, and the authentication server receives the login request submitted by the client user and authenticates the login request.
  • the login request includes login information and the authentication callback address of the third-party business system.
  • the login information can be a combination of a user name, a password, and an anti-intrusive verification code, or a combination of physiological characteristic information such as an account number, a face image, and a fingerprint.
  • The authentication server matches the login information entered by the user against the user information in the user database. If a matching user exists, the authentication succeeds; otherwise it fails. If the authentication fails, a prompt message is shown and the login process waits for the user to try again.
  • Step S102 If the authentication is passed, the user ID and identity information of the matching user are obtained, and a user login ticket is generated according to the user ID and identity information and sent to the third-party service system.
  • the identity information includes one or more identity attributes, where the identity attributes include the user role and the organization to which the user belongs.
  • user roles include: principal, student, teacher, director of education, and parent.
  • The user's organization can be a first-level organization or a multi-level organization.
  • A first-level organization is, for example, the name of the school or the name of the educational institution.
  • A multi-level organization name is, for example, city name + district name + school name, or district name + school name.
  • Users subscribe to the various functions of each third-party business system on an organization basis. Take the first-level organizational structure as an example.
  • school A subscribes to a third-party business system S1 and a third-party business system S2.
  • Each user in school A registers through batch import or manual addition.
  • The system administrator assigns each user a corresponding user role, and the same user can be assigned multiple user roles.
  • user Y can be either the principal of school A or the teacher of school A.
  • the same user can also belong to different organizations.
  • user Y can be a teacher from school A or school B.
  • The system back end merges the user information of user Y according to the user's ID number or other unique identification number, so that only one copy of user Y's information is saved in the system.
  • the business functions corresponding to the same user role in the same organization are the same, and the business functions corresponding to the same role in different organizations can be the same or different. Therefore, the business functions that a user can access are determined by both the user's organization and the user role.
  • the authentication server generates a user login ticket according to the user ID and identity information of the matching user, and sends the user login ticket to the third-party business system.
  • The user login ticket is a UUID (Universally Unique Identifier) generated from the user ID and identity information of the matching user. The authentication server stores the user login ticket together with the corresponding user ID, so that it can uniquely identify the user from the user login ticket.
  • the user login ticket is a one-time ticket. After the third-party business system pulls the required user information by virtue of the user login ticket, the authentication server destroys the user login ticket.
  • Step S103 Receive an access authorization request sent by a third-party business system, generate an access authorization ticket, and send the access authorization ticket to the third-party business system.
  • After receiving the user login ticket sent by the authentication server, the third-party business system initiates an access authorization request to the authentication server. Specifically, the third-party business system initiates an OAuth authentication request to the authentication server.
  • the OAuth authentication request carries the ID and key of the third-party business system, and the authentication server verifies the ID and key of the third-party business system. After passing, an access authorization ticket is generated, and the access authorization ticket is sent to the third-party business system.
  • Step S104 Receive a user information acquisition request sent by a third-party business system, where the user information acquisition request carries an access authorization ticket and a user login ticket.
  • After receiving the access authorization ticket, the third-party business system saves it locally. Before the access authorization ticket expires, the business system can pull the required user information from the authentication server with the access authorization ticket and the user login ticket. If the access authorization ticket has expired, the third-party business system needs to reacquire an access authorization ticket from the authentication server.
  • Step S105 after the verification of the access authorization ticket is passed, the user information corresponding to the user information acquisition request is returned to the third-party business system, so that the user can access the third-party business system with the user identity information.
  • the authentication server verifies the access authorization ticket, and if the access authorization ticket is still within the validity period, it obtains corresponding user information according to the user information acquisition request and returns it to the third-party business system.
  • the third-party business system enters the functional mode that matches the user's identity according to the received user information.
  • The above embodiment uses the authentication server to perform unified authentication and management of users.
  • When a user accesses a third-party business system, the authentication server authenticates the user login information, then obtains the user ID and identity information of the logged-in user, generates a unique user login ticket, and sends it to the third-party business system. The third-party business system pulls the user's relevant information based on the user login ticket and the access authorization ticket it obtained from the authentication server, and enters the functional mode that matches the user's identity.
  • The embodiments of the present invention enable users to access different services under different third-party business systems with the same account and different identities, which greatly reduces account management costs and improves work efficiency.
  • Referring to FIG. 2, which is a flowchart of a single-account multi-identity login method in another embodiment of the present invention.
  • the method includes the following steps:
  • Step S201 Obtain a login request submitted by a client user, and authenticate the login request.
  • This step is the same as S101 in FIG. 1, and will not be repeated here.
  • step S202 if the authentication is passed, the user ID and all identity information of the matching user are obtained.
  • the same user may correspond to multiple user identities.
  • user A can have two user roles: principal and teacher at the same time.
  • all the identity information corresponding to the matching user is obtained. If the user identity included in the matched user is unique, a user login ticket can be generated according to the user ID and identity information of the matched user and sent to the third-party business system.
  • Step S203 If the matching user includes multiple identities, all the identity information included in the matching user is sent to the client.
  • a user login ticket can also be generated according to the user ID and default identity information of the matching user and sent to the third-party service system.
  • Step S204 Obtain one of the identity information selected by the client user.
  • the client generates an identity selection interface for the user to choose based on all user identity information sent by the authentication server, and the user selects the user role and the organization to which the user belongs in the identity selection interface and submits it to the authentication server.
  • Step S204 Generate a user login ticket according to the user ID of the matching user and the identity information selected by the user and send it to the third-party service system.
  • Step S205 Receive an access authorization request sent by a third-party business system, generate an access authorization ticket, and send the access authorization ticket to the third-party business system.
  • Step S206 Receive a user information acquisition request sent by a third-party business system, where the user information acquisition request carries an access authorization ticket and a user login ticket.
  • Step S207 After passing the verification of the access authorization ticket, the user information corresponding to the user information acquisition request is returned to the third-party business system, so that the user can access the third-party business system with the user identity information.
  • The user can switch the identity of the current user to another identity within the third-party business system, or log in again to select a new user identity.
  • Referring to FIG. 3, which is a sequence diagram of a single-account multi-identity login in an embodiment of the present invention, including the following steps:
  • step S301 the client user requests to log in to the third-party business system.
  • the user accesses the third-party business system through the browser on the client PC.
  • Step S302 the third-party business system jumps to the unified login page according to the client request.
  • The third-party business system integrates a unified login authentication service based on CAS (Central Authentication Service). After receiving the client user's access request, it first checks whether the user is already in the logged-in state; if not, it redirects to the default unified login page.
  • the unified login page link carries the authentication callback address of the third-party business system.
  • Step S303 the authentication server returns the unified login page to the client.
  • step S304 the user inputs login information on the client and submits it to the authentication server.
  • Step S305 The authentication server verifies the login information submitted by the user.
  • step S306 if the verification is passed, the identity information of the matching user is obtained and sent to the client.
  • The user ID and identity information of the matching user are obtained. If multiple identities correspond to the matching user, the identity information is sent to the client. The identity information may include one or more identity attributes; specifically, the identity attributes include the user roles and the organizations to which the user belongs.
  • step S307 the user selects the identity information to be logged in at the client and submits it.
  • the user selects the organization information and user role information of the user to be logged in to submit.
  • the identity information corresponding to user Y includes the teacher of school A, the teacher of school B, and the principal of school C. User Y chooses according to the role to be logged in.
  • Step S308 the authentication server generates a user login ticket according to the ID and the identity information selected by the user.
  • Step S309 The authentication server sends the generated user login ticket to the third-party business system.
  • Step S310 After receiving the user login ticket, the third-party business system initiates an authorized access request to the authentication server.
  • the authorization access request carries the ID and key of the third-party service system. Any third-party business system that accesses the unified authentication service needs to be filed in the authentication server in advance, and the authentication server generates the ID and key of the corresponding third-party business system.
  • Step S311 the authentication server reviews the authorized access request, and if it passes, it generates an authorized access ticket and returns it to the third-party business system.
  • the authorized access ticket is set with a valid period. If the valid period is exceeded, the third-party business system needs to re-initiate an authorized access request to obtain a new authorized access ticket.
  • Step S312 the third-party business system initiates a user information acquisition request, and the user information acquisition request carries an authorization access ticket and a user login ticket.
  • Step S313 After the access authorization ticket is verified, the corresponding user information is returned to the third-party business system.
  • step S314 the third-party service system generates a corresponding function page according to the acquired user information and sends it to the client terminal to enable the user to log in to the third-party service system with the selected identity.
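The following is an added example, not code from the patent or its assignee, modelling the ticket flow of steps S101 to S105, the identity selection of steps S203 and S204, and the sequence S304 to S313 above as an in-memory authentication server. The class and method names (AuthServer, issue_login_ticket, authorize, get_user_info), the sample users, the system keys and the one-hour validity period are assumptions; a real deployment would hold users in a database and exchange these messages over HTTP.

```python
"""In-memory model of the single-account multi-identity login flow."""
import hmac
import secrets
import time
import uuid
from dataclasses import dataclass

ACCESS_TICKET_TTL = 3600  # assumed validity period of an access authorization ticket, seconds


@dataclass(frozen=True)
class Identity:
    role: str          # e.g. principal, teacher, student, director of education, parent
    organization: str  # first-level ("school A") or multi-level ("city/district/school")


@dataclass
class User:
    user_id: str
    password: str      # constructed sample; a real server stores a password hash
    identities: list   # a single merged user record may carry several identities


class AuthServer:
    def __init__(self, users, business_systems, clock=time.time):
        self._users = {u.user_id: u for u in users}   # one record per user after merging
        self._systems = business_systems              # system id -> key filed in advance
        self._clock = clock                           # injectable for expiry tests
        self._login_tickets = {}    # login ticket -> (user_id, Identity)
        self._access_tickets = {}   # access ticket -> (system id, expiry time)

    def login(self, user_id, password):
        """S101 / S304-S306: authenticate, return all identities of the matching user."""
        user = self._users.get(user_id)
        if user is None or not hmac.compare_digest(user.password, password):
            return None  # prompt the user and wait for another attempt
        return list(user.identities)  # client shows a selection page when > 1

    def issue_login_ticket(self, user_id, password, identity):
        """S102 / S203-S204 / S308: one-time ticket bound to user ID + chosen identity."""
        identities = self.login(user_id, password)
        if identities is None or identity not in identities:
            return None  # the chosen identity must belong to the authenticated user
        ticket = str(uuid.uuid4())  # UUID stored together with the user it identifies
        self._login_tickets[ticket] = (user_id, identity)
        return ticket

    def authorize(self, system_id, key):
        """S103 / S310-S311: OAuth-style client credentials -> access authorization ticket."""
        expected = self._systems.get(system_id)
        if expected is None or not hmac.compare_digest(expected, key):
            return None  # system not filed in advance, or wrong key
        ticket = secrets.token_urlsafe(32)
        self._access_tickets[ticket] = (system_id, self._clock() + ACCESS_TICKET_TTL)
        return ticket

    def get_user_info(self, access_ticket, login_ticket):
        """S104-S105 / S312-S313: verify the access ticket, return user info, destroy login ticket."""
        entry = self._access_tickets.get(access_ticket)
        if entry is None or self._clock() >= entry[1]:
            self._access_tickets.pop(access_ticket, None)
            return None  # expired: the business system must re-authorize first
        bound = self._login_tickets.pop(login_ticket, None)  # one-time use
        if bound is None:
            return None  # unknown or already-consumed login ticket
        user_id, identity = bound
        return {"user_id": user_id, "role": identity.role,
                "organization": identity.organization}


def demo_flow():
    """Constructed sample: user Y is a teacher at school A and principal at school C."""
    user_y = User("Y", "pw-Y", [Identity("teacher", "school A"),
                                Identity("principal", "school C")])
    server = AuthServer([user_y], {"S1": "key-S1"})
    # S306-S308: Y picks the principal identity on the selection page
    login_ticket = server.issue_login_ticket("Y", "pw-Y", Identity("principal", "school C"))
    # S310-S311: business system S1 presents its filed ID and key
    access_ticket = server.authorize("S1", "key-S1")
    # S312-S313: pull user info with both tickets; a second pull must fail
    info = server.get_user_info(access_ticket, login_ticket)
    replay = server.get_user_info(access_ticket, login_ticket)
    return info, replay


if __name__ == "__main__":
    print(demo_flow())
```

The second `get_user_info` call returns `None` because the login ticket was destroyed on first use, which is the one-time property the description relies on.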
  • FIG. 4 is a structural diagram of a single-account multi-identity login device in an embodiment of the present invention.
  • the single-account multi-identity login device includes a login authentication module 41, a login ticket generating module 42, an access authorization module 43, an access request receiving module 44, and a user information sending module 45, wherein:
  • the login authentication module 41 is configured to obtain a login request submitted by a client user, and authenticate the login request;
  • the login ticket generating module 42 is configured to obtain the user ID and identity information of the matching user when the authentication is passed, generate a user login ticket according to the user ID and the identity information, and send it to the third-party business system;
  • the access authorization module 43 is configured to receive an access authorization request sent by a third-party business system, generate an access authorization ticket, and send the access authorization ticket to the third-party business system;
  • the access request receiving module 44 is configured to receive a user information acquisition request sent by a third-party business system, where the user information acquisition request carries an access authorization ticket and a user login ticket;
  • the user information sending module 45 is configured to return the user information corresponding to the user information acquisition request to the third-party business system after passing the verification of the access authorization ticket, so that the user can access the third-party business system with the user identity information.
  • the single-account multiple-identity login device is used to perform operations for implementing the single-account multiple-identity login method as described in any of the above-mentioned embodiments (any embodiment in FIGS. 1 to 3).
  • Fig. 5 is a structural diagram of a single-account multiple-identity login device in another embodiment of the present invention.
  • the single-account multiple identity login device includes a memory 51 and a processor 52, wherein:
  • the memory 51 is used to store a computer program that can run on the processor 52.
  • the processor 52 is configured to execute a computer program, so that the single-account multiple-identity login device executes operations for implementing the single-account multiple-identity login method as described in any of the foregoing embodiments (the embodiment of FIG. 1 or FIG. 2 or FIG. 3).
  • an authentication server which includes the single-account multi-identity login device as described in any of the foregoing embodiments (the embodiment of FIG. 4 or FIG. 5).
  • a computer-readable storage medium
  • the computer-readable storage medium stores a computer program, and when the computer program is executed by a processor, the single-account multi-identity login method described in any of the above embodiments is carried out; the method can be applied to an authentication server. The technical solutions of the foregoing embodiments, in essence or in the part that contributes to the prior art, or all or part of the technical solution, can be embodied in the form of a software product.
  • the computer software product is stored in a storage medium and includes several instructions to enable a computer device (which can be a personal computer, server, mobile device, or network device).
  • the aforementioned storage medium includes: USB flash drive, removable hard disk, read-only memory (ROM), random access memory (RAM), magnetic disks or optical disks and other media that can store program code.
  • the single account multi-identity login device described above can be implemented as a general-purpose processor, programmable logic controller (PLC), digital signal processor (DSP), application-specific integrated circuit (ASIC), Field programmable gate array (FPGA) or other programmable logic device, discrete gate or transistor logic device, discrete hardware component, or any appropriate combination thereof.
  • the program can be stored in a computer readable storage medium. During execution, it may include the procedures of the above-mentioned method embodiments.
  • the storage medium may be a magnetic disk, an optical disc, a read-only memory (Read-Only Memory, ROM), or a random access memory (Random Access Memory, RAM), etc.

Abstract

Disclosed are a single-account multi-identity login method and apparatus, an authentication server, and a storage medium. The method comprises: acquiring a login request submitted by a client user, and authenticating the login request; if the authentication is passed, acquiring a user ID and identity information that match the user, generating a user login ticket according to the user ID and the identity information, and sending the user login ticket to a third-party service system; receiving an access authorization request sent by the third-party service system, generating an access authorization ticket, and sending the access authorization ticket to the third-party service system; receiving a user information acquisition request sent by the third-party service system, wherein the user information acquisition request carries the access authorization ticket and the user login ticket; and after the access authorization ticket passes verification, returning, to the third-party service system, user information corresponding to the user information acquisition request so that the user accesses the third-party service system by using the user identity information. The present invention greatly reduces account management costs and improves working efficiency.

Description

Single-account multi-identity login method, device, server and storage medium
Technical field
The present invention relates to the technical field of single sign-on, and in particular to a single-account multi-identity login method, device, authentication server and storage medium.
Background art
With the continuous integration of business platforms, business systems are growing ever larger, and the requirements for unified basic data are increasing. For existing business systems, integrating users is a fairly troublesome task, because one person may register different accounts in different systems, or create different user accounts for different roles within the same system. For users who frequently use business systems, having to register multiple accounts in a single system is highly inconvenient. If only one account had to be provided, and roles could be switched by selecting among the user's different identities, this would undoubtedly bring great convenience in use.
For developers, integrating multiple business systems, each with its own differently defined and configured user roles and permissions, also means implementing a separate set of user permission handling logic for every system. In actual development this is tedious, constantly repeated work.
Patent CN101977184A discloses a multi-identity selection login device and service system, which provides a login system in which the user selects an identity. That system solves the problem that a user cannot access different application subsystems within the same application server with the same account under different identities; it does not solve the problem of a user accessing different services under different third-party business systems with the same account under different identities.
Summary of the invention
The purpose of the present invention is to provide a single-account multi-identity login method, device, authentication server and storage medium, so as to solve the problems raised in the background art above.
According to one aspect of the present invention, a single-account multi-identity login method is provided, including:
obtaining a login request submitted by a client user, and authenticating the login request;
if the authentication passes, obtaining the user ID and identity information of the matched user, generating a user login ticket according to the user ID and identity information, and sending it to the third-party business system;
receiving an access authorization request sent by the third-party business system, generating an access authorization ticket, and sending the access authorization ticket to the third-party business system;
receiving a user information acquisition request sent by the third-party business system, the user information acquisition request carrying the access authorization ticket and the user login ticket;
after the access authorization ticket passes verification, returning the user information corresponding to the user information acquisition request to the third-party business system, so that the user accesses the third-party business system with the user identity information.
In an embodiment of the present invention, the identity information contains one or more identity attributes, the identity attributes including the user role and the organization to which the user belongs.
In an embodiment of the present invention, the login request contains login information and the authentication callback address of the third-party business system.
In an embodiment of the present invention, the method further includes:
after the authentication passes, obtaining the user ID and all identity information of the matched user;
judging whether the matched user has multiple identities;
if not, generating a user login ticket according to the user ID and identity information of the matched user and sending it to the third-party business system.
In an embodiment of the present invention, the method further includes:
if so, sending all the identity information of the matched user to the client;
obtaining the one identity selected by the client user;
generating a user login ticket according to the user ID of the matched user and the identity information selected by the user, and sending it to the third-party business system.
According to one aspect of the present invention, a single-account multi-identity login device is provided, including:
a login authentication module, configured to obtain a login request submitted by a client user and authenticate the login request;
a login ticket generation module, configured to obtain the user ID and identity information of the matched user when the authentication passes, generate a user login ticket according to the user ID and identity information, and send it to the third-party business system;
an access authorization module, configured to receive an access authorization request sent by the third-party business system, generate an access authorization ticket, and send the access authorization ticket to the third-party business system;
an access request receiving module, configured to receive a user information acquisition request sent by the third-party business system, the user information acquisition request carrying the access authorization ticket and the user login ticket;
a user information sending module, configured to return the user information corresponding to the user information acquisition request to the third-party business system after the access authorization ticket passes verification, so that the user accesses the third-party business system with the user identity information.
In an embodiment of the present invention, the single-account multi-identity login device is configured to perform the operations implementing the single-account multi-identity login method described in any one of the above.
According to one aspect of the present invention, a single-account multi-identity login device is provided, including a memory and a processor, wherein:
the memory is configured to store instructions;
the processor is configured to execute the instructions, so that the single-account multi-identity login device performs the operations implementing the single-account multi-identity login method described in any one of the above.
According to one aspect of the present invention, an authentication server is provided, including the single-account multi-identity login device described in any one of the above.
According to one aspect of the present invention, a computer-readable storage medium is provided, on which a computer program is stored; when the computer program is executed by a processor, the steps of the single-account multi-identity login method described in any one of the above are implemented.
Implementing the embodiments of the present invention has the following beneficial effects:
In the embodiments of the present invention, users are uniformly authenticated and managed by the authentication server. When a user accesses a third-party business system, the user is first redirected to the unified login page; after the authentication server has authenticated the user's login information, it obtains the user ID and identity information of the logged-in user, generates a unique user login ticket from them and sends it to the third-party business system, so that the third-party business system, using this user login ticket together with the access authorization ticket obtained from the authentication server, pulls the user's related information and enters the functional mode matching the user's identity. The embodiments of the present invention enable users to access different services under different third-party business systems with the same account under different identities, which greatly reduces account management costs and improves work efficiency.
Description of the drawings
In order to explain the embodiments of the present invention or the technical solutions in the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings in the following description are only some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from these drawings without creative work.
Among them:
FIG. 1 is a flowchart of a single-account multi-identity login method in an embodiment of the present invention;
FIG. 2 is a flowchart of a single-account multi-identity login method in another embodiment of the present invention;
FIG. 3 is a sequence diagram of a single-account multi-identity login in an embodiment of the present invention;
FIG. 4 is a structural diagram of a single-account multi-identity login device in an embodiment of the present invention;
FIG. 5 is a structural diagram of a single-account multi-identity login device in another embodiment of the present invention.
Detailed description of the embodiments
The technical solutions in the embodiments of the present invention will be described clearly and completely below in conjunction with the drawings in the embodiments of the present invention. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by those of ordinary skill in the art based on the embodiments of the present invention without creative work fall within the protection scope of the present invention.
FIG. 1 is a flowchart of a single-account multi-identity login method in an embodiment of the present invention. Preferably, the method of this embodiment is executed by the single-account multi-identity login device in the authentication server, and includes the following steps:
Step S101: obtain a login request submitted by a client user, and authenticate the login request.
In an embodiment of the present invention, the user accesses the third-party business system through a browser on a client PC. The third-party business system integrates a unified login authentication service based on CAS (Central Authentication Service). When it receives an access request from a client user, it first judges whether the user is in the logged-in state; if not, it redirects the page to the unified login page of the authentication server. During this redirect, the third-party business system informs the authentication server of its authentication callback address, so that after successful authentication the authentication server can correctly return the information to the third-party business system.
On the unified login page the client user selects a login method, enters the login information and submits it to the authentication server; the authentication server receives the login request submitted by the client user and authenticates it. The login request contains the login information and the authentication callback address of the third-party business system. The login information may be a combination of user name, password and an anti-intrusion verification code, or a combination of an account number with biometric information such as a face image or fingerprint. The authentication server matches the login information entered by the user against the user information in the user database: if a matching user exists, authentication succeeds, otherwise it fails. If authentication fails, a prompt is shown and the server waits for the user to continue the login process.
Step S102: if the authentication passes, obtain the user ID and identity information of the matched user, generate a user login ticket according to the user ID and identity information, and send it to the third-party business system.
After the authentication passes, the user ID and identity information of the matched user are obtained. The identity information contains one or more identity attributes, the identity attributes including the user role and the organization to which the user belongs. In a teaching scenario, user roles include principal, student, teacher, director of education, parent and so on. The organization to which the user belongs may be a single-level or a multi-level organization; a single-level organization is, for example, a school name or the name of an educational institution, while a multi-level name is city name + district name + school name, or district name + school name, and so on.
Specifically, users subscribe to the functions of each third-party business system on a per-organization basis. Taking a single-level organizational structure as an example: school A subscribes to third-party business systems S1 and S2, and the users of school A are registered by batch import or manual addition. At registration the system administrator assigns each user a corresponding user role, and the same user may be given multiple user roles; for example, user Y may be both the principal of school A and a teacher at school A. The same user may also belong to different organizations; for example, user Y may be a teacher at school A and also a teacher at school B. When user Y is registered in the system through both school A and school B, the system back end merges the user information of user Y according to the user's ID card number or another unique identification number, so that only one copy of user Y's user information is kept in the system. The same user role within the same organization corresponds to the same business functions, while the same role in different organizations may correspond to the same or different business functions; therefore, the business functions a user can access are determined jointly by the user's organization and the user's role.
The authentication server generates a user login ticket according to the user ID and identity information of the matched user and sends the user login ticket to the third-party business system. Specifically, the user login ticket is a UUID (Universally Unique Identifier) generated by combining the user ID and identity information of the matched user; the user login ticket is stored in correspondence with the user ID, so that the authentication server can uniquely determine the user from the user login ticket.
In an embodiment of the present invention, the user login ticket is a one-time ticket: once the third-party business system has used the user login ticket to pull the required user information, the authentication server destroys that user login ticket.
Step S103: receive an access authorization request sent by the third-party business system, generate an access authorization ticket, and send the access authorization ticket to the third-party business system.
After receiving the user login ticket sent by the authentication server, the third-party business system initiates an access authorization request to the authentication server. Specifically, the third-party business system initiates an OAuth authorization request to the authentication server, the OAuth request carrying the third-party business system's ID and secret key. The authentication server verifies the ID and secret key of the third-party business system; after verification passes, it generates an access authorization ticket and sends it to the third-party business system.
Step S104: receive a user information acquisition request sent by the third-party business system, the user information acquisition request carrying the access authorization ticket and the user login ticket.
After receiving the access authorization ticket, the third-party business system stores it locally. Before the access authorization ticket expires, it can use the access authorization ticket together with the user login ticket to pull the required user information from the authentication server. If the access authorization ticket has expired, the third-party business system must reacquire an access authorization ticket from the authentication server.
Step S105: after the access authorization ticket passes verification, return the user information corresponding to the user information acquisition request to the third-party business system, so that the user accesses the third-party business system with the user identity information.
The authentication server verifies the access authorization ticket; if the ticket is still within its validity period, the server obtains the corresponding user information according to the user information acquisition request and returns it to the third-party business system. The third-party business system then enters the functional mode matching the user's identity according to the received user information.
In the above embodiment, users are uniformly authenticated and managed by the authentication server. When a user accesses a third-party business system, the user is first redirected to the unified login page; after the authentication server has authenticated the user's login information, it obtains the user ID and identity information of the logged-in user, generates a unique user login ticket from them and sends it to the third-party business system, so that the third-party business system, using this user login ticket together with the access authorization ticket obtained from the authentication server, pulls the user's related information and enters the functional mode matching the user's identity. The embodiments of the present invention enable users to access different services under different third-party business systems with the same account under different identities, which greatly reduces account management costs and improves work efficiency.
FIG. 2 is a flowchart of a single-account multi-identity login method in another embodiment of the present invention. The method includes the following steps:
Step S201: obtain a login request submitted by a client user, and authenticate the login request.
This step is the same as S101 in FIG. 1 and is not repeated here.
Step S202: if the authentication passes, obtain the user ID and all identity information of the matched user.
In an embodiment of the present invention, the same user may correspond to multiple user identities; for example, user A may hold both the principal and the teacher role at the same time. After the authentication passes, all identity information corresponding to the matched user is obtained. If the matched user has only one identity, a user login ticket may be generated directly according to the user ID and identity information of the matched user and sent to the third-party business system.
Step S203: if the matched user has multiple identities, send all the identity information of the matched user to the client.
In an embodiment of the present invention, if the matched user has multiple identities, a user login ticket may alternatively be generated according to the user ID and the default identity information of the matched user and sent to the third-party business system.
Step S204: obtain the one identity selected by the client user.
Specifically, the client generates an identity selection interface from all the user identity information sent by the authentication server; the user selects a user role and the organization to which the user belongs in the identity selection interface and submits the selection to the authentication server.
Step S204: generate a user login ticket according to the user ID of the matched user and the identity information selected by the user, and send it to the third-party business system.
Step S205: receive an access authorization request sent by the third-party business system, generate an access authorization ticket, and send the access authorization ticket to the third-party business system.
Step S206: receive a user information acquisition request sent by the third-party business system, the user information acquisition request carrying the access authorization ticket and the user login ticket.
Step S207: after the access authorization ticket passes verification, return the user information corresponding to the user information acquisition request to the third-party business system, so that the user accesses the third-party business system with the user identity information.
In an embodiment of the present invention, within the third-party business system the user can switch to another of the current user's identities, or log in again to select a new user identity.
In the above embodiment, users are uniformly authenticated and managed by the authentication server. When a user accesses a third-party business system, the user is first redirected to the unified login page; after the authentication server has authenticated the user's login information, it obtains the user ID and identity information of the logged-in user, generates a unique user login ticket from them and sends it to the third-party business system, so that the third-party business system, using this user login ticket together with the access authorization ticket obtained from the authentication server, pulls the user's related information and enters the functional mode matching the user's identity. The embodiments of the present invention enable users to access different services under different third-party business systems with the same account under different identities, which greatly reduces account management costs and improves work efficiency.
Figure 3 is a sequence diagram of single-account multi-identity login in one embodiment of the present invention, comprising the following steps:
Step S301: the client user requests to log in to the third-party business system.
The user accesses the third-party business system through a browser on the client PC.
Step S302: the third-party business system redirects to the unified login page in response to the client request.
The third-party business system integrates a unified login authentication service based on CAS (Central Authentication Service). On receiving the client user's access request, it first checks whether the user is already logged in; if not, it redirects to the preset unified login page. The link to the unified login page carries the third-party business system's authentication callback address.
Step S303: the authentication server returns the unified login page to the client.
Step S304: the user enters login information on the client and submits it to the authentication server.
Step S305: the authentication server verifies the login information submitted by the user.
Step S306: if verification succeeds, obtain the matched user's identity information and send it to the client.
Specifically, the matched user's user ID and identity information are obtained; if the matched user has multiple identities, the identity information is sent to the client. The identity information may contain one or more identity attributes; specifically, the identity attributes include the user role and the organization the user belongs to.
Step S307: the user selects the identity to log in with on the client and submits it.
Specifically, the user selects the organization and the user role to log in with and submits them. For example, in a teaching scenario, user Y's identity information includes teacher at school A, teacher at school B, and principal at school C. User Y selects according to the role to be used for this login.
Step S308: the authentication server generates a user login ticket from the user ID and the identity selected by the user.
Step S309: the authentication server sends the generated user login ticket to the third-party business system.
Step S310: after receiving the user login ticket, the third-party business system sends an authorization access request to the authentication server.
The authorization access request carries the third-party business system's ID and secret key. Any third-party business system that connects to the unified authentication service must be registered with the authentication server in advance, and the authentication server generates the corresponding ID and secret key for it.
Step S311: the authentication server checks the authorization access request and, if it passes, generates an authorization access ticket and returns it to the third-party business system.
The authorization access ticket has a validity period; once it has expired, the third-party business system must send a new authorization access request to obtain a new authorization access ticket.
Step S312: the third-party business system sends a user information acquisition request carrying the authorization access ticket and the user login ticket.
Step S313: after the access authorization ticket has been verified, the corresponding user information is returned to the third-party business system.
Step S314: the third-party business system generates the corresponding function page from the acquired user information and sends it to the client, so that the user is logged in to the third-party business system under the selected identity.
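The following is an added example, not code from the patent or from its applicant, that simulates the exchange described in steps S201 to S207 and in the Figure 3 sequence (S301 to S314): credential check, identity selection, a one-time UUID login ticket bound to the chosen identity, an access authorization ticket issued to a registered business system with a validity period, and a user information request that must carry both tickets. The user database, the client ID "S1", the passwords, the 60 second validity period and all function names are constructed for the illustration.

```python
# Added example (not the patent's code): the login-ticket / access-ticket exchange
# between the authentication server and a third-party business system. All names,
# sample data and helper functions are assumptions made for this illustration.
import hashlib, hmac, secrets, time, uuid

_SALT = b"constructed-demo-salt"

def _hash_password(password):
    # Salted PBKDF2 so the sample store never holds a clear-text password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)

# Constructed user database: user Y holds three identities, as in step S307.
USER_DB = {"userY": {"user_id": "u-1001", "pw_hash": _hash_password("correct-horse"),
                     "identities": [{"role": "teacher", "org": "School A"},
                                    {"role": "teacher", "org": "School B"},
                                    {"role": "principal", "org": "School C"}]}}

class AuthError(Exception):
    """A credential or ticket failed verification."""

class AuthServer:
    def __init__(self, access_ttl=3600.0, clock=time.time):
        self.clock, self.access_ttl = clock, access_ttl
        self.clients = {}         # client_id -> secret of a registered business system
        self.pending = {}         # selection token -> user_id awaiting identity choice
        self.login_tickets = {}   # login ticket -> (user_id, identity); one-time use
        self.access_tickets = {}  # access ticket -> (client_id, expiry time)

    def register_client(self, client_id):
        # Business systems are registered in advance and receive an ID + secret (S310).
        return self.clients.setdefault(client_id, secrets.token_urlsafe(32))

    def login(self, username, password):
        """S305/S306: verify credentials; one identity -> ticket, several -> choice list."""
        user = USER_DB.get(username)
        if user is None or not hmac.compare_digest(user["pw_hash"], _hash_password(password)):
            raise AuthError("invalid login information")
        if len(user["identities"]) == 1:
            return {"login_ticket": self._issue_login_ticket(user["user_id"], user["identities"][0])}
        self.pending[(token := secrets.token_urlsafe(16))] = user["user_id"]
        return {"selection_token": token, "identities": list(user["identities"])}

    def select_identity(self, token, identity):
        """S307/S308: accept only an identity the authenticated user actually holds."""
        user_id = self.pending.pop(token, None)
        if user_id is None:
            raise AuthError("no pending identity selection")
        if identity not in next(u["identities"] for u in USER_DB.values() if u["user_id"] == user_id):
            raise AuthError("identity not held by this user")
        return self._issue_login_ticket(user_id, identity)

    def _issue_login_ticket(self, user_id, identity):
        # Random UUID stored against (user ID, identity); the server-side record is what
        # ties the ticket to the user, whatever inputs the UUID is derived from.
        ticket = str(uuid.uuid4())
        self.login_tickets[ticket] = (user_id, identity)
        return ticket

    def authorize(self, client_id, secret):
        """S311: check client ID + secret, issue an access ticket with a validity period."""
        expected = self.clients.get(client_id)
        if expected is None or not hmac.compare_digest(expected, secret):
            raise AuthError("unknown business system or wrong secret")
        ticket, expires = secrets.token_urlsafe(32), self.clock() + self.access_ttl
        self.access_tickets[ticket] = (client_id, expires)
        return {"access_ticket": ticket, "expires_at": expires}

    def get_user_info(self, access_ticket, login_ticket):
        """S313: both tickets must verify; the login ticket is destroyed on first use."""
        entry = self.access_tickets.get(access_ticket)
        if entry is None or self.clock() >= entry[1]:
            raise AuthError("access authorization ticket missing or expired")
        record = self.login_tickets.pop(login_ticket, None)
        if record is None:
            raise AuthError("login ticket unknown or already used")
        return {"user_id": record[0], **record[1]}

class BusinessSystem:
    # Third-party side: caches its access ticket and renews it after expiry (S310-S314).
    def __init__(self, client_id, secret, auth):
        self.client_id, self.secret, self.auth, self.grant = client_id, secret, auth, None

    def complete_login(self, login_ticket):
        if self.grant is None or self.auth.clock() >= self.grant["expires_at"]:
            self.grant = self.auth.authorize(self.client_id, self.secret)
        return self.auth.get_user_info(self.grant["access_ticket"], login_ticket)

def run_flow():
    # Drive the exchange against a fake clock and return the observable outcomes.
    now = [1000.0]
    auth = AuthServer(access_ttl=60, clock=lambda: now[0])
    system = BusinessSystem("S1", auth.register_client("S1"), auth)
    offered = auth.login("userY", "correct-horse")
    ticket = auth.select_identity(offered["selection_token"], {"role": "principal", "org": "School C"})
    info = system.complete_login(ticket)
    first_grant = system.grant["access_ticket"]
    try:
        system.complete_login(ticket)  # replaying the one-time login ticket must fail
        replay_rejected = False
    except AuthError:
        replay_rejected = True
    now[0] += 120                      # the 60 s access ticket has now expired
    again = auth.login("userY", "correct-horse")
    later = system.complete_login(auth.select_identity(again["selection_token"], again["identities"][0]))
    return {"offered": len(offered["identities"]), "info": info, "replay_rejected": replay_rejected,
            "renewed": system.grant["access_ticket"] != first_grant, "later_org": later["org"]}
```

Two details matter for a defender reading the flow: the server accepts a selected identity only if it belongs to the authenticated account (a client cannot simply post "principal at School C"), and the login ticket is deleted the moment it is redeemed, so a ticket that leaks after use cannot be replayed, while an expired access ticket forces the business system back through the client ID and secret check before it can pull any user information.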
Figure 4 is a structural diagram of a single-account multi-identity login device in one embodiment of the present invention. Preferably, the device comprises a login authentication module 41, a login ticket generation module 42, an access authorization module 43, an access request receiving module 44 and a user information sending module 45, wherein:
the login authentication module 41 is configured to obtain a login request submitted by a client user and authenticate the login request;
the login ticket generation module 42 is configured, when authentication succeeds, to obtain the matched user's user ID and identity information, generate a user login ticket from that user ID and identity information, and send it to the third-party business system;
the access authorization module 43 is configured to receive an access authorization request sent by the third-party business system, generate an access authorization ticket, and send it to the third-party business system;
the access request receiving module 44 is configured to receive a user information acquisition request sent by the third-party business system, the request carrying the access authorization ticket and the user login ticket;
the user information sending module 45 is configured, after the access authorization ticket has been verified, to return the user information corresponding to the user information acquisition request to the third-party business system, so that the user accesses the third-party business system under that identity.
In one embodiment of the present invention, the user accesses the third-party business system through a browser on a client PC. The third-party business system integrates a unified login authentication service based on CAS (Central Authentication Service). On receiving a client user's access request, it first checks whether the user is already logged in; if not, it redirects the page to the authentication server's unified login page. During the redirect the third-party business system tells the authentication server its authentication callback address, so that after successful authentication the authentication server can return the result to the correct third-party business system.
On the unified login page the client user chooses a login method, enters the login information and submits it to the authentication server, which receives the login request and authenticates it. The login request contains the login information and the third-party business system's authentication callback address. The login information may be a combination of user name, password and an anti-intrusion verification code, or a combination of an account number and biometric information such as a face image or fingerprint. The authentication server matches the entered login information against the user information in the user database: if a matching user exists, authentication succeeds; otherwise it fails. On failure a prompt is shown and the server waits for the user to continue the login process.
After authentication succeeds, the matched user's user ID and identity information are obtained. The identity information contains one or more identity attributes, which include the user role and the organization the user belongs to. In a teaching scenario, user roles include principal, student, teacher, education bureau director and parent. The organization a user belongs to may be a single-level organization, for example a school name or an educational institution name, or a multi-level organization whose name is city + district + school, or district + school, and so on.
Specifically, functions of the various third-party business systems are subscribed to per organization. Taking a single-level organization as an example: school A subscribes to third-party business systems S1 and S2, and the users of school A are registered by batch import or added manually. At registration the system administrator assigns each user a user role, and the same user may be given several roles; for example, user Y may be both the principal and a teacher of school A. The same user may also belong to different organizations; for example, user Y may be a teacher at school A and at school B. When user Y is registered through both school A and school B, the system back end merges user Y's records by national ID number or another unique identifier, so that only one copy of user Y's information is kept. The business functions of the same role within one organization are the same, while the same role in different organizations may have the same or different business functions; the business functions a user may access are therefore determined jointly by the user's organization and the user's role.
The authentication server generates a user login ticket from the matched user's user ID and identity information and sends it to the third-party business system. Specifically, the user login ticket is a UUID (Universally Unique Identifier) generated by combining the matched user's user ID and identity information; the ticket is stored together with the user ID so that the authentication server can uniquely identify the user from the login ticket.
In one embodiment of the present invention, the user login ticket is a one-time ticket: once the third-party business system has used it to pull the required user information, the authentication server destroys it.
After receiving the user login ticket from the authentication server, the third-party business system sends an access authorization request to the authentication server. Specifically, it sends an OAuth authorization request carrying the third-party business system's ID and secret key; the authentication server verifies the ID and secret key and, if they are valid, generates an access authorization ticket and sends it to the third-party business system.
After receiving the access authorization ticket, the third-party business system stores it locally; until the ticket expires, it can pull the required user information from the authentication server using the access authorization ticket together with the user login ticket. If the access authorization ticket has expired, the third-party business system must obtain a new one from the authentication server.
The authentication server verifies the access authorization ticket; if it is still within its validity period, the server obtains the user information requested by the user information acquisition request and returns it to the third-party business system. The third-party business system then enters the functional mode that matches the user's identity according to the received user information.
In one embodiment of the present invention, the single-account multi-identity login device performs the operations of the single-account multi-identity login method of any of the above embodiments (any of the embodiments of Figures 1 to 3).
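As an added example (not the patent's or the applicant's code), the following shows the data model the paragraph above describes: per-organization registration records of the same person merged into one account keyed by a unique identifier, identities kept as (organization, role) pairs, and business functions resolved from the pair rather than from the role alone. The registration records, the subscription catalogue and the function names are constructed for the illustration.

```python
# Added example (not the patent's code): merging per-organization registrations into one
# account and resolving business functions from (organization, role). Sample data is
# constructed; "national_id" stands in for the identity-card number or other unique key.
REGISTRATIONS = [
    {"org": "School A", "national_id": "ID-0001", "name": "Y", "roles": ["principal", "teacher"]},
    {"org": "School B", "national_id": "ID-0001", "name": "Y", "roles": ["teacher"]},
    {"org": "School B", "national_id": "ID-0002", "name": "Z", "roles": ["teacher"]},
]

# Constructed subscription catalogue: functions per (organization, role). The same role
# maps to different functions in different organizations (School B has no S2 subscription).
CATALOGUE = {
    ("School A", "principal"): {"S1:reports", "S1:roster", "S2:approvals"},
    ("School A", "teacher"): {"S1:roster", "S2:grading"},
    ("School B", "teacher"): {"S1:roster"},
}

def merge_registrations(records):
    """One account per unique identifier; identities are the set of (org, role) pairs."""
    accounts = {}
    for rec in records:
        acct = accounts.setdefault(rec["national_id"], {
            "user_id": f"u-{len(accounts) + 1:04d}", "name": rec["name"], "identities": []})
        for role in rec["roles"]:
            identity = {"org": rec["org"], "role": role}
            if identity not in acct["identities"]:  # idempotent when a school re-imports
                acct["identities"].append(identity)
    return accounts

def functions_for(identity, catalogue=CATALOGUE):
    """Functions are decided jointly by organization and role, never by role alone."""
    return set(catalogue.get((identity["org"], identity["role"]), ()))

def may_use(account, identity, function, catalogue=CATALOGUE):
    """Access check a business system should make: the identity must be one the account
    actually holds, and the function must be subscribed for that (org, role)."""
    return identity in account["identities"] and function in functions_for(identity, catalogue)

def login_choices(account):
    """What the identity-selection screen (step S307) would offer this account."""
    return [(i["org"], i["role"], sorted(functions_for(i))) for i in account["identities"]]
```

The check in `may_use` is the one worth carrying into any real implementation: a role name on its own is not an authorization, because "teacher" at School B subscribes to a different function set than "teacher" at School A, and an identity the merged account does not hold grants nothing at all.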
Figure 5 is a structural diagram of a single-account multi-identity login device in another embodiment of the present invention. The device comprises a memory 51 and a processor 52, wherein:
the memory 51 is configured to store a computer program that can run on the processor 52;
the processor 52 is configured to execute the computer program so that the single-account multi-identity login device performs the operations of the single-account multi-identity login method of any of the above embodiments (the embodiment of Figure 1, 2 or 3).
According to another aspect of the present invention, an authentication server is provided that comprises the single-account multi-identity login device of any of the above embodiments (the embodiment of Figure 4 or 5).
According to another aspect of the present invention, a computer-readable storage medium is provided that stores a computer program; when the computer program is executed by a processor it implements the single-account multi-identity login method of any of the above embodiments (for example, the embodiments of Figures 1 to 3), and may be applied in an authentication server. The technical solution of the foregoing embodiments, in essence or in the part that contributes to the prior art, or all or part of that technical solution, may be embodied as a software product stored on a storage medium and comprising a number of instructions that cause a computer device (which may be a personal computer, server, mobile device, network device, etc.) or a processor to execute all or part of the steps of the method of this embodiment. The storage medium includes a USB flash drive, removable hard disk, read-only memory (ROM), random access memory (RAM), magnetic disk, optical disc, or any other medium that can store program code.
The single-account multi-identity login device described above may be implemented, for performing the functions described in this application, as a general-purpose processor, programmable logic controller (PLC), digital signal processor (DSP), application-specific integrated circuit (ASIC), field-programmable gate array (FPGA) or other programmable logic device, discrete gate or transistor logic, discrete hardware components, or any suitable combination thereof.
The numbering of the above embodiments of the present invention is for description only and does not indicate their relative merit.
A person of ordinary skill in the art will understand that all or part of the processes of the above method embodiments may be carried out by a computer program instructing the relevant hardware; the program may be stored in a computer-readable storage medium and, when executed, may include the processes of the above method embodiments. The storage medium may be a magnetic disk, an optical disc, a read-only memory (ROM), a random access memory (RAM), or the like.
The above discloses only preferred embodiments of the present invention and of course cannot limit its scope of rights; equivalent changes made according to the claims of the present invention therefore remain within the scope of the present invention.
Industrial applicability
In the embodiments of the present invention the authentication server performs unified authentication and management of users. When a user accesses a third-party business system, the user is first redirected to the unified login page; after the authentication server has verified the login information, it obtains the logged-in user's user ID and identity information, generates a unique user login ticket and sends it to the third-party business system, so that the third-party business system can use that login ticket together with an access authorization ticket obtained from the authentication server to pull the user's information and enter the functional mode that matches the user's identity. The embodiments of the present invention let a user access different services on different third-party business systems with one account under different identities, which greatly reduces account management cost and improves work efficiency.

Claims (10)

  1. 一种单账号多身份登录方法,其特征在于,所述方法包括:A single-account multi-identity login method, characterized in that the method includes:
    获取客户端用户提交的登录请求,对所述登录请求进行认证;Obtain the login request submitted by the client user, and authenticate the login request;
    若认证通过,则获取匹配用户的用户ID和身份信息,根据所述用户ID和身份信息生成用户登录票据发送至第三方业务系统;If the authentication is passed, obtain the user ID and identity information of the matching user, generate a user login ticket according to the user ID and identity information, and send it to the third-party business system;
    接收第三方业务系统发送的访问授权请求,生成访问授权票据,将所述访问授权票据发送给第三方业务系统;Receiving an access authorization request sent by a third-party business system, generating an access authorization ticket, and sending the access authorization ticket to the third-party business system;
    接收第三方业务系统发送的用户信息获取请求,所述用户信息获取请求携带访问授权票据和用户登录票据;Receiving a user information acquisition request sent by a third-party business system, where the user information acquisition request carries an access authorization ticket and a user login ticket;
    对所述访问授权票据验证通过后,返回与所述用户信息获取请求相对应的用户信息至第三方业务系统,实现用户以所述用户身份信息访问第三方业务系统。After the verification of the access authorization ticket is passed, the user information corresponding to the user information acquisition request is returned to the third-party business system, so that the user can access the third-party business system with the user identity information.
  2. 如权利要求1所述的方法,其特征在于,所述身份信息中包含一个或多个身份属性,所述身份属性包括用户角色和用户所属组织。The method of claim 1, wherein the identity information includes one or more identity attributes, and the identity attributes include a user role and an organization to which the user belongs.
  3. 如权利要求1所述的方法,其特征在于,所述登录请求中包含登录信息和第三方业务系统的认证回调地址。The method of claim 1, wherein the login request includes login information and an authentication callback address of a third-party business system.
  4. 如权利要求1至3任意一项所述的方法,其特征在于,所述方法还包括:The method according to any one of claims 1 to 3, wherein the method further comprises:
    认证通过后,获取匹配用户的用户ID和所有身份信息;After passing the authentication, obtain the user ID and all identity information of the matching user;
    判断匹配用户是否包含多个身份;Determine whether the matched user contains multiple identities;
    若判断为否,则根据匹配用户的用户ID和身份信息生成用户登录票据发送至第三方业务系统。If the judgment is no, the user login ticket is generated according to the user ID and identity information of the matching user and sent to the third-party business system.
  5. 如权利要求4所述的方法,其特征在于,所述方法还包括:The method according to claim 4, wherein the method further comprises:
    若判断为是,则将匹配用户包含的所有身份信息发送至客户端;If the judgment is yes, all the identity information contained in the matched user is sent to the client;
    获取客户端用户选取的其中一个身份信息;Obtain one of the identity information selected by the client user;
    根据匹配用户的用户ID和所述用户选取的身份信息生成用户登录票据发送至第三方业务系统。According to the user ID of the matching user and the identity information selected by the user, a user login ticket is generated and sent to the third-party service system.
  6. A single-account multi-identity login apparatus, characterized in that it comprises:
    a login authentication module, configured to obtain a login request submitted by a client user and to authenticate the login request;
    a login ticket generation module, configured to, when the authentication passes, obtain the user ID and identity information of the matching user, generate a user login ticket from the user ID and identity information, and send the user login ticket to a third-party business system;
    an access authorization module, configured to receive an access authorization request sent by the third-party business system, generate an access authorization ticket, and send the access authorization ticket to the third-party business system;
    an access request receiving module, configured to receive a user information acquisition request sent by the third-party business system, the user information acquisition request carrying the access authorization ticket and the user login ticket;
    a user information sending module, configured to, after the access authorization ticket has been verified, return the user information corresponding to the user information acquisition request to the third-party business system, so that the user accesses the third-party business system under that user identity information.
  7. The single-account multi-identity login apparatus according to claim 6, characterized in that the apparatus is configured to perform the operations implementing the single-account multi-identity login method according to any one of claims 1-5.
  8. A single-account multi-identity login apparatus, characterized in that it comprises a memory and a processor, wherein:
    the memory is configured to store instructions; and
    the processor is configured to execute the instructions so that the single-account multi-identity login apparatus performs the operations implementing the single-account multi-identity login method according to any one of claims 1-5.
  9. An authentication server, characterized in that it comprises the single-account multi-identity login apparatus according to any one of claims 6-8.
  10. A computer-readable storage medium having a computer program stored thereon, characterized in that the computer program, when executed by a processor, implements the steps of the method according to any one of claims 1-7.
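Claim 6 describes a four-step ticket exchange: the user authenticates and receives a login ticket carrying the user ID and the chosen identity, the third-party business system obtains an access authorization ticket, it then presents both tickets in a user information acquisition request, and the server returns the user information for that identity. The following is an added example modelling that exchange in Python; it is not code from the patent or its applicant. The HMAC-signed ticket format, the per-system shared secret a business system presents when requesting access authorization, the `aud` field binding a login ticket to one business system, the single-use nonce on the access authorization ticket, the expiry times, and the sample user records are all assumptions beyond what the claim states. Claim 6 requires only that the access authorization ticket be verified before user information is returned; the example additionally verifies the login ticket and checks that it was issued for the requesting system, because a server that accepts any structurally valid login ticket would let one business system redeem a ticket captured from another. Returning the login ticket to the caller stands in for the claim's sending of the ticket to the business system.

```python
"""Added example (not from the patent): the ticket exchange of claim 6 with the
authentication server and a third-party business system modelled in Python."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

PBKDF2_ROUNDS = 10_000  # kept low for the demo; a real deployment uses far more (assumption)


class AuthServer:
    """Holds the five modules of claim 6; the grouping and ticket format are the example's own."""

    LOGIN_TTL = 300   # seconds a login ticket stays redeemable (assumption)
    ACCESS_TTL = 60   # seconds an access authorization ticket stays valid (assumption)

    def __init__(self, ticket_key: bytes, users: dict, business_systems: dict):
        self.key = ticket_key
        self.users = users                        # username -> record
        self.business_systems = business_systems  # system_id -> shared secret (assumption)
        self.live_access_nonces = {}              # nonce -> system_id, consumed on use

    # Tickets are base64url(JSON payload) + "." + hex HMAC-SHA256 tag (assumed format).
    def _issue(self, payload: dict, ttl: int) -> str:
        raw = json.dumps(dict(payload, exp=int(time.time()) + ttl), sort_keys=True).encode()
        body = base64.urlsafe_b64encode(raw).decode().rstrip("=")
        return body + "." + hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()

    def _verify(self, ticket: str, kind: str) -> Optional[dict]:
        body, _, tag = ticket.partition(".")
        expected = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, expected):        # constant-time tag comparison
            return None
        payload = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
        if payload.get("kind") != kind or payload["exp"] < time.time():
            return None
        return payload

    # Login authentication module + login ticket generation module.
    def login(self, username: str, password: str, identity: str, system_id: str) -> Optional[str]:
        rec = self.users.get(username)
        if rec is None:
            return None
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], PBKDF2_ROUNDS)
        if not hmac.compare_digest(digest, rec["pw_hash"]):
            return None
        if identity not in rec["identities"]:   # only an identity this account actually holds
            return None
        # 'aud' binds the ticket to the business system it is issued for (hardening not in the claim).
        return self._issue({"kind": "login", "uid": rec["user_id"], "identity": identity,
                            "aud": system_id}, self.LOGIN_TTL)

    # Access authorization module: the business system proves itself with its shared secret.
    def authorize_access(self, system_id: str, system_secret: str) -> Optional[str]:
        expected = self.business_systems.get(system_id)
        if expected is None or not hmac.compare_digest(expected, system_secret):
            return None
        nonce = secrets.token_hex(16)
        self.live_access_nonces[nonce] = system_id   # single use: consumed by get_user_info
        return self._issue({"kind": "access", "sys": system_id, "nonce": nonce}, self.ACCESS_TTL)

    # Access request receiving module + user information sending module.
    def get_user_info(self, access_ticket: str, login_ticket: str) -> Optional[dict]:
        access = self._verify(access_ticket, "access")
        if access is None or self.live_access_nonces.pop(access["nonce"], None) != access["sys"]:
            return None          # forged, expired or replayed access authorization ticket
        login = self._verify(login_ticket, "login")
        if login is None or login["aud"] != access["sys"]:
            return None          # forged or expired login ticket, or one issued for another system
        rec = next(r for r in self.users.values() if r["user_id"] == login["uid"])
        return {"user_id": login["uid"], "identity": login["identity"],
                **rec["identities"][login["identity"]]}


def business_system_login(auth: AuthServer, system_id: str, secret: str, login_ticket: str) -> Optional[dict]:
    """Third-party business system side: redeem a received login ticket for user information."""
    access_ticket = auth.authorize_access(system_id, secret)
    return None if access_ticket is None else auth.get_user_info(access_ticket, login_ticket)


def make_demo_server() -> AuthServer:
    """Constructed sample data: one account holding two identities, one registered business system."""
    salt = b"constructed-salt"
    users = {"alice": {
        "user_id": "u-1001", "salt": salt,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", salt, PBKDF2_ROUNDS),
        "identities": {"teacher": {"role": "teacher", "school": "No. 1 Middle School"},
                       "parent": {"role": "parent", "student": "u-2002"}},
    }}
    return AuthServer(b"demo-ticket-key", users, {"gradebook": "gradebook-secret"})
```

Usage: `auth = make_demo_server()`, then `ticket = auth.login("alice", "correct horse", "teacher", "gradebook")` and `business_system_login(auth, "gradebook", "gradebook-secret", ticket)` returns the teacher identity's record. The same ticket presented by a different registered system, a tampered ticket, or an access authorization ticket used twice all yield `None`, which is the behaviour a practitioner should check when integrating such a scheme.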
Priority Applications (2)

Application Number Priority Date Filing Date Title
PCT/CN2019/095653 WO2021003751A1 (en) 2019-07-11 2019-07-11 Single-account multi-identity login method and apparatus, server, and storage medium
CN201980001193.3A CN110582769A (en) 2019-07-11 2019-07-11 single-account multi-identity login method, device, server and storage medium

Publications (1)

Publication Number Publication Date
WO2021003751A1 (en) 2021-01-14

Family

ID=68815545

Country Status (2)

Country Link
CN (1) CN110582769A (en)
WO (1) WO2021003751A1 (en)

Families Citing this family (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111200601B (en) * 2019-12-29 2022-09-20 航天信息股份有限公司企业服务分公司 Method and system for butting user and application based on universal transfer service
CN111314340B (en) * 2020-02-13 2022-11-22 深信服科技股份有限公司 Authentication method and authentication platform
CN111291340A (en) * 2020-03-05 2020-06-16 浪潮通用软件有限公司 Unified identity authentication management system and method
CN111478894B (en) * 2020-04-03 2022-11-22 深信服科技股份有限公司 External user authorization method, device, equipment and readable storage medium
CN111786969B (en) * 2020-06-17 2024-04-23 朗新科技集团股份有限公司 Single sign-on method, device and system
CN111988318B (en) * 2020-08-21 2022-11-08 上海浦东发展银行股份有限公司 Authorization authentication system and method thereof
CN111953708B (en) * 2020-08-24 2022-08-26 北京金山云网络技术有限公司 Cross-account login method and device based on cloud platform and server
CN112055017B (en) * 2020-09-02 2022-08-30 中国平安财产保险股份有限公司 Single-account multi-application unified login method and device and computer equipment
CN112150030A (en) * 2020-10-10 2020-12-29 厦门悦讯信息科技股份有限公司 Account management method based on multiple units and multiple identities, terminal equipment and storage medium
CN112491848B (en) * 2020-11-18 2022-07-08 山东浪潮通软信息科技有限公司 Method and equipment for supporting extensible secure docking of third-party system
CN112417416A (en) * 2020-11-19 2021-02-26 深圳市德普光业科技有限公司 Authentication interaction method, system and storage medium of service system
CN112632491A (en) * 2020-12-15 2021-04-09 读书郎教育科技有限公司 Method for realizing account system shared by multiple information systems
CN112650999A (en) * 2020-12-29 2021-04-13 北京字节跳动网络技术有限公司 User identity authentication control method, device and system
CN113329010B (en) * 2021-05-27 2022-11-08 北京沃东天骏信息技术有限公司 User access management method and system
CN113328862B (en) * 2021-06-15 2022-07-22 支付宝(杭州)信息技术有限公司 Enterprise personnel authentication method, device and system
CN113765676A (en) * 2021-09-18 2021-12-07 平安国际智慧城市科技股份有限公司 Interface access control method based on multiple user identities and related equipment
CN115134112B (en) * 2022-05-12 2024-02-02 山东鲁软数字科技有限公司 Unified browser account management system and method in intranet environment
CN116846622A (en) * 2023-06-27 2023-10-03 北京一心向上科技有限公司 Account multi-identity switching method, system and storage medium

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101977184A (en) * 2010-09-30 2011-02-16 西本新干线股份有限公司 Multi-identity selection landing device and service system
CN103795692A (en) * 2012-10-31 2014-05-14 中国电信股份有限公司 Open authorization method, open authorization system and authentication and authorization server
CN105207974A (en) * 2014-06-18 2015-12-30 中国电信股份有限公司 Method for realizing user resource differentiated openness, platform, application and system
US20160134599A1 (en) * 2014-11-07 2016-05-12 Brian G. Ross Computer-implemented systems and methods of device based, internet-centric, authentication
US20180159861A1 (en) * 2016-02-25 2018-06-07 Red Hat, Inc. Access guards for multi-tenant logging
CN109033774A (en) * 2018-08-31 2018-12-18 阿里巴巴集团控股有限公司 Acquisition, the method, apparatus of feedback user resource and electronic equipment
US10218678B2 (en) * 2014-08-29 2019-02-26 Citrix Systems, Inc. Method and apparatus for accessing third-party resources

Family Cites Families (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1929376A (en) * 2006-08-03 2007-03-14 张勇军 Method for establishing universal identity authentication system and user's information storage
RU2610280C2 (en) * 2014-10-31 2017-02-08 Общество С Ограниченной Ответственностью "Яндекс" Method for user authorization in a network and server used therein
CN104579681B (en) * 2014-12-29 2018-04-20 华中师范大学 Identity authorization system between mutual trust application system
CN106470190A (en) * 2015-08-19 2017-03-01 中兴通讯股份有限公司 A kind of Web real-time communication platform authentication cut-in method and device
CN108111473B (en) * 2016-11-24 2020-11-13 腾讯科技(深圳)有限公司 Unified management method, device and system for hybrid cloud
US11616771B2 (en) * 2017-08-18 2023-03-28 Transform Sr Brands Llc Application user single sign-on
CN109286627A (en) * 2018-10-10 2019-01-29 四川长虹电器股份有限公司 Identity identifying method based on double factor authentication
CN109815656A (en) * 2018-12-11 2019-05-28 平安科技(深圳)有限公司 Login authentication method, device, equipment and computer readable storage medium

Cited By (23)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112929391A (en) * 2021-03-15 2021-06-08 浪潮云信息技术股份公司 Method for realizing cross-platform identity authentication based on single sign-on
CN113159803A (en) * 2021-04-25 2021-07-23 呼和浩特中燃城市燃气发展有限公司 Gas reinstallation system and method
CN113190813A (en) * 2021-05-25 2021-07-30 数字广东网络建设有限公司 Dual-authentication processing method, device, equipment and medium
CN113660204B (en) * 2021-07-09 2024-01-23 北京航天云路有限公司 Method for realizing unified integrated binding service
CN113660204A (en) * 2021-07-09 2021-11-16 北京航天云路有限公司 Method for realizing unified integrated binding service
CN113792310A (en) * 2021-09-01 2021-12-14 百融至信(北京)征信有限公司 Automatic data matching system and method
CN113904825A (en) * 2021-09-29 2022-01-07 百融至信(北京)征信有限公司 Multi-application unified access gateway method and system
CN113922959A (en) * 2021-11-12 2022-01-11 中国国家博物馆 Unified identity authentication system and method for multi-application system
CN114285595A (en) * 2021-11-12 2022-04-05 珠海大横琴科技发展有限公司 Data processing method and device
CN114239015A (en) * 2021-12-15 2022-03-25 成都飞机工业(集团)有限责任公司 Data security management method and device, data cloud platform and storage medium
CN114745203A (en) * 2022-05-13 2022-07-12 长扬科技(北京)有限公司 Method and device for monitoring full life cycle of user account
CN115189958A (en) * 2022-07-18 2022-10-14 西安热工研究院有限公司 Method for realizing authentication roaming and authentication between multi-level architectures
CN115189958B (en) * 2022-07-18 2024-01-19 西安热工研究院有限公司 Method for realizing authentication roaming and authentication between multi-level architectures
CN115422514B (en) * 2022-09-22 2023-07-18 北京广知大为科技有限公司 Information interaction method, system, equipment and storage medium
CN115422514A (en) * 2022-09-22 2022-12-02 北京广知大为科技有限公司 Information interaction method, system, equipment and program product
CN115630387A (en) * 2022-12-08 2023-01-20 爱集微咨询(厦门)有限公司 Data processing method and device, electronic equipment and readable storage medium
CN115630387B (en) * 2022-12-08 2024-02-20 爱集微咨询(厦门)有限公司 Data processing method, device, electronic equipment and readable storage medium
CN115604039A (en) * 2022-12-15 2023-01-13 江苏金智教育信息股份有限公司(Cn) Third-party assisted identity verification login method and system
CN116346504A (en) * 2023-05-30 2023-06-27 北京安博通科技股份有限公司 Method and device for simulating CAS (control and architecture) authentication login and pressure test and electronic equipment
CN116797266A (en) * 2023-08-22 2023-09-22 深圳市百慧文化发展有限公司 Ticketing system and account management method thereof
CN116797266B (en) * 2023-08-22 2023-11-21 深圳市百慧文化发展有限公司 Ticketing system and account management method thereof
CN117093880A (en) * 2023-10-19 2023-11-21 四川互慧软件有限公司 Single sign-on user management method and system based on medical integrated platform
CN117093880B (en) * 2023-10-19 2023-12-26 四川互慧软件有限公司 Single sign-on user management method and system based on medical integrated platform

Also Published As

Publication number Publication date
CN110582769A (en) 2019-12-17

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (ref document number 19937295, country of ref document EP, kind code of ref document A1)
122 Ep: pct application non-entry in european phase (ref document number 19937295, country of ref document EP, kind code of ref document A1)