WO2021103693A1 - Authorization method and device - Google Patents

Authorization method and device

Info

Publication number
WO2021103693A1
Authority
WO
WIPO (PCT)
Prior art keywords
network device
information
token
request
access
Application number
PCT/CN2020/111408
Other languages
English (en)
French (fr)
Inventor
赵绪文
Original Assignee
华为技术有限公司
Application filed by 华为技术有限公司
Priority to EP20891581.9A (EP4054141A4)
Publication of WO2021103693A1
Priority to US17/824,101 (US20220286464A1)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/321 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
    • H04L 9/3213 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority using tickets or tokens, e.g. Kerberos
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0853 Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L 63/104 Grouping of entities
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/3234 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving additional secure or trusted devices, e.g. TPM, smartcard, USB or software token
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/08 Access security
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 60/00 Affiliation to network, e.g. registration; Terminating affiliation with the network, e.g. de-registration

Definitions

  • This application relates to the field of communication technology, and in particular to an authorization method and device.
  • UDR unified data storage
  • UDM unified data management
  • the UDR needs to verify the UDM.
  • This application provides an authorization method and device, which can enable UDMs located in an authorized area to access UDR data or services.
  • this application provides an authorization method, including:
  • the first network device sends a service request to the second network device, the service request includes a token, and the token is used to verify whether the first network device has permission to access the second network device; the token includes first information and/or second information, where the first information is used to identify the first network device, and the second information is used to identify the network devices that the second network device is allowed to access;
  • the first network device receives a service response sent by the second network device, and the service response is used to respond to the service request.
  • the first information is used to identify the first network device
  • the second information is used to identify the network device that the second network device is allowed to access.
  • the second network device can check, according to the first information and/or the second information, whether the first network device is located in the area that the second network device allows to be accessed. Therefore, an unauthorized first network device is prevented from accessing the second network device, and the security of information interaction between the first network device and the second network device is improved.
  • the first information includes the domain of the first network device, and the second information includes the domains allowed by the second network device; or, the first information includes the routing indicator of the first network device, and the second information includes a routing indicator list; or, the first information includes a group identifier of the first network device, and the second information includes a group identifier list.
  • before the first network device sends a service request to the second network device, the method further includes: the first network device sends a token request to a third network device, where the token request is used to request the issuance of the token; and the first network device receives a token response including the token sent by the third network device.
  • the token request includes the first information.
  • before the first network device sends a token request to the third network device, the method further includes: the first network device sends a first registration request to the third network device, where the first registration request includes the first information.
  • this application provides an authorization method, including:
  • the second network device receives a service request from the first network device, the service request includes a token, and the token is used to verify whether the first network device has the authority to access the second network device; the token includes first information and/or second information, the first information is used to identify the first network device, and the second information is used to identify the network device that the second network device is allowed to access;
  • the second network device determines, according to the token, whether the first network device has the authority to access the second network device; if the first network device has the authority to access the second network device, the second network device sends a service response to the first network device.
  • the service response is used to respond to the service request.
  • after receiving the service request including the token, the second network device can determine, according to the information included in the token (the first information and/or the second information), whether the first network device has permission to access the second network device. If the first network device has permission, the second network device can send a service response to the first network device. Because only a first network device located in an area allowed by the second network device can access the second network device, the security of information interaction is improved.
  • before the second network device receives the service request from the first network device, the method further includes: the second network device sends a second registration request to the third network device, where the second registration request includes the second information.
  • the first information includes the domain of the first network device, and the second information includes the domains allowed by the second network device; or, the first information includes the routing indicator of the first network device, and the second information includes a routing indicator list; or, the first information includes a group identifier of the first network device, and the second information includes a group identifier list.
  • this application provides an authorization method, including:
  • the third network device receives a token request sent by the first network device, where the token request is used to request the issuance of a token; the third network device determines, according to the token request, whether the first network device has the authority to access the second network device; if the first network device has the authority to access the second network device, the third network device sends a token response including the token to the first network device, where the token includes first information and/or second information, the first information is used to identify the first network device, and the second information is used to identify the network device that the second network device is allowed to access.
  • before the third network device receives the token request sent by the first network device, the method further includes: the third network device receives a first registration request from the first network device, where the first registration request includes the first information; and the third network device receives a second registration request from the second network device, where the second registration request includes the second information.
  • the first information includes the domain of the first network device, and the second information includes the domains allowed by the second network device; or, the first information includes the routing indicator of the first network device, and the second information includes a routing indicator list; or, the first information includes a group identifier of the first network device, and the second information includes a group identifier list.
  • the present application provides a communication device, including:
  • the sending unit is configured to send a service request to a second network device, the service request includes a token, the token is used to verify whether the communication device has the authority to access the second network device, and the token includes first information and/or second information, where the first information is used to identify the communication device and the second information is used to identify the network device that the second network device is allowed to access; the receiving unit is configured to receive the service response sent by the second network device.
  • the communication device may be the first network device.
  • the first network device may include a service requester.
  • the first information includes the domain of the communication device, and the second information includes the domains allowed by the second network device; or, the first information includes the routing indicator of the communication device, and the second information includes a routing indicator list; or, the first information includes a group identifier of the communication device, and the second information includes a group identifier list.
  • the sending unit is further configured to send a token request to a third network device, where the token request is used to request the issuance of the token; and the receiving unit is further configured to receive a token response including the token sent by the third network device.
  • the token request includes the first information.
  • the sending unit is further configured to send a first registration request to the third network device, where the first registration request includes the first information.
  • this application provides a communication device, including:
  • the receiving unit is configured to receive a service request from a first network device, where the service request includes a token, and the token is used to verify whether the first network device has the authority to access the communication device; the token includes first information and/or second information, where the first information is used to identify the first network device, and the second information is used to identify the network device that the communication device is allowed to access;
  • the processing unit is configured to determine, according to the token, whether the first network device has the authority to access the communication device; the sending unit is configured to send a service response to the first network device if the first network device has the authority to access the communication device.
  • the service response is used to respond to the service request.
  • the sending unit is further configured to send a second registration request to a third network device, where the second registration request includes the second information.
  • the first information includes the domain of the first network device, and the second information includes the domains allowed by the communication device; or, the first information includes the routing indicator of the first network device, and the second information includes a routing indicator list; or, the first information includes a group identifier of the first network device, and the second information includes a group identifier list.
  • the communication device may be a second network device.
  • the second network device may include a service provider.
  • this application provides a communication device, including:
  • a receiving unit, configured to receive a token request sent by a first network device, where the token request is used to request the issuance of a token; a processing unit, configured to determine, according to the token request, whether the first network device has the authority to access the second network device; and a sending unit, configured to send a token response including the token to the first network device if the first network device has the authority to access the second network device, where the token includes first information and/or second information, the first information is used to identify the first network device, and the second information is used to identify the network device that the second network device is allowed to access.
  • the receiving unit is further configured to receive a first registration request from the first network device, where the first registration request includes the first information; and the receiving unit is further configured to receive a second registration request from the second network device, where the second registration request includes the second information.
  • the first information includes the domain of the first network device, and the second information includes the domains allowed by the second network device; or, the first information includes the routing indicator of the first network device, and the second information includes a routing indicator list; or, the first information includes a group identifier of the first network device, and the second information includes a group identifier list.
  • the communication device may be a third network device.
  • an embodiment of the present application provides a communication device.
  • the communication device includes a processor, a memory, and a transceiver.
  • the transceiver is used to receive signals or send signals; and the memory is used to store program codes;
  • the processor is configured to invoke the program code to execute the method described in the first aspect; or, the processor is configured to invoke the program code to execute the method described in the second aspect; or, the processor is configured to invoke the program code to execute the method described in the third aspect.
  • an embodiment of the present application provides a communication device.
  • the communication device includes a processor and an interface circuit.
  • the interface circuit is configured to receive code instructions and transmit them to the processor; the processor runs the code instructions to execute the method shown in the first aspect; or, the processor runs the code instructions to execute the method shown in the second aspect; or, the processor runs the code instructions to execute the method shown in the third aspect.
  • the present application provides a communication system, the communication system including: a first network device, a second network device, and a third network device;
  • the first network device is configured to send a first registration request to the third network device, where the first registration request includes first information; the second network device is configured to send a second registration request to the third network device, where the second registration request includes second information; and the third network device is configured to receive the first registration request and the second registration request;
  • the first network device is further configured to send a token request to the third network device; the third network device is further configured to receive the token request and send a token response including the token to the first network device; and the first network device is further configured to receive the token response including the token;
  • the first network device is further configured to send a service request to the second network device, where the service request includes the token, and the token is used to verify whether the first network device has the authority to access the second network device;
  • the token includes first information and/or second information, the first information is used to identify the first network device, and the second information is used to identify the network device that the second network device is allowed to access;
  • the second network device is further configured to receive the service request and determine whether the first network device has permission to access the second network device; if the first network device has permission, the second network device sends a service response to the first network device; and the first network device is further configured to receive the service response.
  • an embodiment of the present application provides a computer-readable storage medium, where the computer-readable storage medium is used to store instructions, and when the instructions are executed, the method described in the first aspect is implemented; or, when the instructions are executed, the method described in the second aspect is implemented; or, when the instructions are executed, the method described in the third aspect is implemented.
  • an embodiment of the present application provides a computer program product, where the computer program product includes instructions, and when the instructions are executed, the method described in the first aspect is implemented; or, when the instructions are executed, the method described in the second aspect is implemented; or, when the instructions are executed, the method described in the third aspect is implemented.
  • FIG. 1 is a schematic diagram of an IP multimedia system (IP multimedia subsystem, IMS) network architecture supporting a service-oriented interface provided by an embodiment of the present application;
  • IP multimedia system IP multimedia subsystem, IMS
  • FIG. 2 is a schematic diagram of a network architecture of a service-oriented interface provided by an embodiment of the present application
  • FIG. 3 is a schematic flowchart of an authorization method provided by an embodiment of the present application.
  • FIG. 4 is a schematic flowchart of an authorization method provided by an embodiment of the present application.
  • FIG. 5 is a schematic structural diagram of a communication device provided by an embodiment of the present application.
  • FIG. 6 is a schematic structural diagram of a communication device provided by an embodiment of the present application.
  • FIG. 7 is a schematic flowchart of an authorization method provided by an embodiment of the present application.
  • At least one (item) refers to one or more
  • multiple refers to two or more than two
  • at least two (items) refers to two or more than two
  • “and/or” is used to describe the association relationship of associated objects, which means that there can be three kinds of relationships.
  • a and/or B can mean: only A, only B, and both A and B. In this case, A and B can be singular or plural.
  • the character "/" generally indicates that the associated objects before and after it are in an "or" relationship.
  • the following at least one item (a) or similar expressions refers to any combination of these items, including any combination of a single item (a) or a plurality of items (a).
  • At least one of a, b, or c can mean: a, b, c, "a and b", "a and c", "b and c", or "a and b and c", where a, b, and c can each be single or multiple.
  • FIG. 1 is a schematic diagram of an IMS network architecture supporting a service-oriented interface provided by an embodiment of the present application, as shown in FIG. 1.
  • PCF policy control function
  • AMF, SMF and other network functions, etc.
  • the home subscriber server (home subscriber server, HSS) is used to store and manage user subscription data, and perform functions such as authentication and authentication vector calculations.
  • proxy-call session control function (P-CSCF)
  • P-CSCF proxy-call session control function
  • the interrogating-call session control function (I-CSCF) is the contact point within the operator's network for all connections destined to a user of that network operator, or to a roaming user currently located within that network operator's service area.
  • the serving-call session control function (serving-call session control function, S-CSCF) performs session control services for the user equipment (UE) and maintains the service session state required by the network operator.
  • S-CSCF serving-call session control function
  • S-CSCFs may have different functions.
  • the application server (AS) provides application services for the IMS network, and can be deployed in the home network or in a third-party network (for example, an application server or a network outside the home network).
  • FIG. 2 is a schematic diagram of a network architecture of a service-oriented interface provided by an embodiment of the present application, as shown in FIG. 2.
  • a network repository function (network repository function, NRF) can be used to maintain real-time information about all network functions and services in the network.
  • NRF network repository function
  • the NRF can perform network function (NF) registration and network function discovery, save the registration information of each NF in the same PLMN, act as an authorization server that performs authorization and generates tokens, and also verify tokens.
  • NF network function
  • each network function in the core network exposes a service-based interface, and the network functions communicate with each other by means of service invocation.
  • NF can be divided into service requester (NF service consumer) and service provider (NF service producer).
  • the service requester may include a unified data management (UDM) network function, and the service provider may include a unified data repository (UDR) network function.
  • the service requester may also include CSCF or AS, and the service provider may also include HSS. It is understandable that the service requester in the embodiment of the present application does not only include the above examples, and the service provider does not only include the above examples, and the embodiment of the present application does not limit other types of service requesters and service providers.
  • the unified data management (UDM) network function can be used to process user equipment identification, access authentication, registration, and mobility management. It can be understood that the UDM network function is referred to as UDM hereinafter.
  • the unified data repository (UDR) network function can be used to store and manage user subscription data, etc., and other network functions NF can obtain or update the UDR data.
  • UDR unified data repository
  • the network architecture shown in FIG. 1 and FIG. 2 adopts a service-based architecture: based on network function virtualization (NFV) technology, traditional network element functions (or network functions) are split into several self-contained, self-managed and reusable network function service modules. By flexibly defining the set of service modules, customized network function reconstruction can be realized, and business processes can be formed externally through a unified service invocation interface.
  • NFV network function virtualization
  • the schematic diagram of the network architecture shown in FIG. 1 or FIG. 2 can be understood as a schematic diagram of a service-based network architecture in a non-roaming scenario. For roaming scenarios, the embodiments of this application are also applicable.
  • the above-mentioned network function or function can be either a network element in a hardware device, a software function running on dedicated hardware, or a virtualization function instantiated on a platform (for example, a cloud platform).
  • this application proposes an area-related authorization method, which can be applied to a scenario with multiple UDMs and UDRs in a PLMN (as shown in FIG. 2), or to a scenario with multiple CSCFs, ASs and HSSs (as shown in FIG. 1).
  • UDR or HSS NF performs area-related authorization to prevent UDR or HSS from being accessed by NFs located in unauthorized areas.
  • NFs are based on a service-oriented architecture, and each NF uses service-oriented interfaces to call services for communication.
  • NRF provides services such as registration, service discovery, and authorization for the NFs it manages.
  • the embodiments of this application do not limit the specific network architecture or NF. As long as the communication system includes service providers, service requesters, and an NF (such as the NRF) that provides services such as registration and authorization, the methods provided in this application can be applied.
  • FIG. 3 is a schematic flowchart of an authorization method provided by an embodiment of the present application, and the method can be applied to the network architecture shown in FIG. 2. As shown in Figure 3, the method includes:
  • the UDM sends a first registration request to the NRF, where the first registration request includes first information, and the first information is used to identify the UDM.
  • the NRF receives the first registration request.
  • the first information is used to identify UDM.
  • the first information may include the UDM domain (NF domain), and the UDM domain may indicate the area where the UDM is located, a specific range, or a specific collection.
  • the first information may include routing indicator (routing indicator, RI) information of the UDM.
  • the routing indicator information may be used by other NFs to discover one or more UDMs, that is, the routing indicator information may be used to indicate one or more UDMs.
  • the first information may include group ID information of the UDM, and the group ID information may be used to indicate a group composed of one or more UDMs.
  • the first registration request may also include UDM profile (NF profile) parameters.
  • the UDM profile parameters may include the UDM network function instance ID (NF instance ID), the UDM network function type (NF type), the UDM group ID (group ID), the UDM subscription permanent identifier range (range(s) of SUPIs, where SUPI is the subscription permanent identifier) and other parameters. It can be understood that the embodiment of the present application does not limit the specific parameters of the UDM profile.
  • the first registration request is used to register UDM related information parameters (for example, network function profile, NF profile) into the NRF, so that the NRF can perform service discovery and authorization.
  • UDM related information parameters for example, network function profile, NF profile
  • the UDR sends a second registration request to the NRF, where the second registration request includes second information, and the second information is used to identify the UDM that the UDR is allowed to access.
  • the NRF receives the second registration request.
  • the second information is used to identify the UDM that the UDR is allowed to access, that is, the second information can be used to indicate one or more UDMs, and the one or more UDMs indicated by the second information are the UDMs that the UDR is allowed to access.
  • the UDM allowed to be accessed by the UDR can be located in the same area as the UDR, thereby reducing the time delay for the UDM to access the UDR and improving the access efficiency.
  • the UDM allowed to be accessed by the UDR may not belong to the same area as the UDR, etc.
  • the embodiment of the present application does not limit whether the UDR and the corresponding UDM are located in the same area.
  • the second information may be allowed NF domains (allowed NF domains).
  • the second information may be a routing indication list (RI list), and the routing indication list may include routing indications of one or more UDMs allowed to be accessed by the UDR.
  • the second information may be a set of routing instructions, and the set of routing instructions includes routing instructions of one or more UDMs allowed to be accessed by the UDR.
  • each RI in the RI list can be used to identify a UDM in a specific area (it can be one UDM or multiple UDMs).
  • the second information may be a group ID list (group ID list), or the second information may be a group ID set or the like.
  • each group ID in the group ID list can be used to identify a specific UDM group (it can include one UDM or multiple UDMs).
  • the second information may include allowed NF domains; when the first information includes RI, the second information includes an RI list; when the first information includes a group identifier, the second information includes a group identifier list.
  • the operator may also configure the second information for the UDR, etc.
  • the application embodiment does not limit how to configure the second information for the UDR.
  • the second registration request may also include UDR profile parameters
  • the UDR profile parameters may include the UDR network function instance ID (NF instance ID), the UDR network function type (NF type), the UDR group ID (group ID), the UDR subscription permanent identifier range (range(s) of SUPIs) and other parameters. It can be understood that the embodiment of the present application does not limit the specific parameters of the UDR profile parameters.
  • the second registration request is used to register UDR related information parameters (for example, network function profile, NF profile) into the NRF, so that the NRF can perform service discovery and authorization.
  • the UDM sends a token request to the NRF, where the token request is used to request issuance of a token.
  • the NRF receives the token request.
  • the token request may include one or more of the UDM profile parameters.
  • for the parameter types included in the UDM profile parameters, reference may be made to the foregoing description, which is not repeated here.
  • the token request may further include first information.
  • for the first information, reference may be made to the foregoing description, which is not repeated here.
  • the above 301 and 302 may not be executed every time; that is, after the UDM sends the first registration request to the NRF and the UDR sends the second registration request to the NRF, within a certain validity period the authorization method provided in this embodiment of the application may also only include 303-306.
  • the NRF determines whether the UDM has the authority to access the UDR according to the token request; if so, it sends a token response (token response) to the UDM. Correspondingly, the UDM receives the token response.
  • the token request may also include indication information.
  • the indication information is used to indicate that the NRF needs to determine whether the UDM has the authority to access the UDR, or that the NRF needs to determine whether the UDM is located in an area allowed by the UDR, or to instruct the NRF to perform area-related authorization operations.
  • the NRF can also determine whether it is necessary to determine whether the UDM has the authority to access the UDR.
  • the NRF may determine, according to the first information, whether it is necessary to determine whether the UDM has the authority to access the UDR.
  • the NRF may determine whether the UDM has the authority to access the UDR according to one or more of the UDM profile parameters included in the token request. For example, the NRF may obtain the first information of the UDM according to the profile parameters of the UDM in the token request. It can be understood that the profile parameter of the UDM has an association relationship with the domain of the UDM, that is, the NRF can obtain the first information of the UDM according to the profile parameter of the UDM. For example, the NRF may query the UDM-related parameters saved by the NRF according to one or more of the UDM profile parameters, such as the UDM instance identifier, to obtain the first information of the UDM. Alternatively, the NRF may also obtain the profile parameters of the UDM and so on according to the first information of the UDM.
  • the NRF may determine whether the UDM has the authority to access the UDR according to the first information. It can be understood that the method for determining whether the UDM has the authority to access the UDR by the NRF can refer to the following descriptions of Manner One, Manner Two, and Manner Three, which will not be described in detail here.
  • the token request may include the identification information of the UDR, and the identification information of the UDR may be used to indicate the UDR that the UDM needs to access. That is, the NRF can know which UDR the UDM needs to access through the identification information of the UDR. For example, as shown in Figure 2, UDM1 needs to access UDR1 in the same area, and the token request may include the identification information of UDR1. For another example, if UDM1 needs to access UDR2 that does not belong to the same area, the token request may include the identification information of UDR2. It can be understood that the token request in the manner 1, manner 2, and manner 3 shown below may all include the identification information of the UDR.
  • the method for the NRF to determine whether the UDM has the authority to access the UDR may be as follows:
  • the NRF can obtain the allowed NF domain of the UDR according to the identification information of the UDR contained in the token request, and determine whether the allowed NF domain of the UDR includes the NF domain of the UDM. If the allowed NF domain of the UDR includes the NF domain of the UDM, the NRF generates a token. If the allowed NF domain of the UDR does not include the NF domain of the UDM, the NRF does not generate a token, and thus does not return a token response to the UDM.
  • the NRF may return a token response to the UDM, and the token response may include a failure reason value and/or exception information, etc., and the failure reason value is used to indicate the reason why the UDM cannot access the UDR.
  • the NRF may return a rejection message to the UDM.
  • the token may include the NF domain of UDM; or, the token may include the allowed NF domain of UDR; or, the token may include the NF domain of UDM and the allowed NF domain of UDR.
  • the NF domain of the UDM and/or the allowed NF domain of the UDR included in the token can be located in any of the claims shown above.
  • the NF domain and the allowed NF domain can be located in the same claim, or in different claims.
  • the token request includes the RI of the UDM
  • the NRF can determine whether the RI of the UDM is included in the RI list of the UDR; if it is included in the RI list of the UDR, the NRF generates the token. If the RI of the UDM is not included in the RI list of the UDR, the NRF does not generate a token, and thus does not return a token response to the UDM.
  • the NRF may return a token response to the UDM, and the token response may include the failure reason value and/or exception information and so on.
  • the NRF may return a rejection message to the UDM.
  • the token may include the RI of the UDM; or, the token may include the RI list of the UDR; or, the token may include the RI of the UDM and the RI list of the UDR.
  • the NRF determines whether the UDM group ID is included in the UDM group ID list of the UDR, where the UDM group ID list of the UDR contains one or more UDM group IDs, and each UDM group ID identifies a UDM group that is allowed to access the UDR; if the UDM group ID is included in the UDM group ID list of the UDR, the NRF generates a token. If the UDM group ID list of the UDR does not include the UDM group ID, the NRF may not return a token response to the UDM. Alternatively, the NRF may return a token response to the UDM, and the token response may include the failure reason value and/or exception information and so on. Alternatively, the NRF may return a rejection message to the UDM.
  • the token may include the UDM group identifier; or, the token includes the UDM group identifier list of the UDR; or, the token includes the UDM group identifier and the UDM group identifier list of the UDR.
  • the NRF can also perform integrity protection on the token, that is, the NRF can generate the token according to the identification information of the UDR included in the token request, that is, the NRF can use the identification information of the UDR included in the token request.
  • the UDM sends a service request to the UDR, where the service request includes a token, and the token is used to verify whether the UDM has the authority to access the UDR, and the token includes the first information and/or the second information.
  • the UDR receives the service request.
  • the UDR determines whether the UDM has the authority to access the UDR according to the token in the service request; if so, sends a service response to the UDM. Correspondingly, the UDM receives the service response.
  • the UDR may determine whether the UDM has the authority to access the UDR according to the first information and/or the second information included in the token. For example, the UDR can determine whether the NF domain of the UDM belongs to the allowed NF domain of the UDR according to the NF domain of the UDM in the token. If it belongs to the allowed NF domain of the UDR, the UDM has the right to access the UDR. Alternatively, the UDR may determine whether the allowed NF domain of the UDR in the token is the same as the allowed NF domain of the UDR itself, and if they are the same, it is determined that the UDM has the authority to access the UDR.
  • the UDR can determine whether the RI of the UDM belongs to the RI list of the UDR according to the RI of the UDM in the token. If it belongs to the RI list of the UDR, the UDM has the right to access the UDR.
  • the UDR may also determine whether the RI list of the UDR is the same as the RI list of the UDR itself according to the RI list of the UDR in the token, and if they are the same, it is determined that the UDM has the authority to access the UDR.
  • the UDR can determine whether the group ID of the UDM belongs to the UDM group ID list of the UDR according to the group ID of the UDM in the token; or, the UDR can compare the UDM group ID list of the UDR included in the token with the UDM group ID list of the UDR itself to determine whether they are the same, so as to determine whether the UDM has the authority to access the UDR. If the UDR determines that the UDM has the authority to access the UDR, it returns a service response to the UDM.
  • the UDR can also perform an integrity check on the token, and if the check passes, it returns a service response to the UDM.
  • the UDR can use the shared secret key with the NRF, or use the NRF public key to verify the integrity of the token.
  • the UDR responds to the UDM with the related service requested by the service request.
  • the UDR can first perform an integrity check on the token; and then check whether the UDM has the authority to access the UDR.
  • the UDR may first verify whether the UDM has the authority to access the UDR, and then perform integrity verification on the token, etc., which is not limited in the embodiment of the present application.
  • the authorization method provided in the embodiment of this application may also only include 305 and 306.
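The NRF-side checks of Manners One to Three (step 303) and the UDR-side verification (steps 305/306) described above, as an added example that is not part of the patent and not code from the applicant. It assumes a constructed NF profile store with made-up NF identifiers and an HMAC-SHA256 tag under a key shared between the NRF and the UDR (the shared-key option the text names), so the UDR can check token integrity before applying the area check:

```python
import base64
import binascii
import hashlib
import hmac
import json
import time

# Constructed NF profiles, standing in for what the UDM and UDR registered at
# the NRF in steps 301/302. All identifiers and values are made up.
NRF_UDM_PROFILES = {
    "udm-1": {"nf_domain": "area-a", "ri": "1001", "group_id": "udm-grp-a"},
    "udm-2": {"nf_domain": "area-b", "ri": "2001", "group_id": "udm-grp-b"},
}
NRF_UDR_PROFILES = {
    "udr-1": {
        "allowed_nf_domains": ["area-a"],
        "ri_list": ["1001", "1002"],
        "group_id_list": ["udm-grp-a"],
    },
}
# Key shared between the NRF and the UDR for token integrity protection
# (the shared-key option named in the text). Constructed value.
NRF_UDR_SHARED_KEY = b"constructed-demo-key-not-for-real-use"
TOKEN_LIFETIME_S = 300

# Manner One / Two / Three: (claim taken from the UDM profile, list taken from the UDR profile)
MANNERS = {
    "domain": ("nf_domain", "allowed_nf_domains"),
    "ri": ("ri", "ri_list"),
    "group": ("group_id", "group_id_list"),
}


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def nrf_issue_token(token_request: dict, manner: str, now: float = None) -> dict:
    """Step 303: the NRF checks the UDM against the target UDR's allowed list and
    returns a token response. On failure a response carrying a failure reason
    value is returned (the text also permits returning no response at all)."""
    now = time.time() if now is None else now
    if manner not in MANNERS:
        raise ValueError(f"unknown manner {manner!r}")
    udm = NRF_UDM_PROFILES.get(token_request.get("nf_instance_id"))
    udr = NRF_UDR_PROFILES.get(token_request.get("target_udr"))
    if udm is None or udr is None:
        return {"failure_reason": "unknown_nf"}
    udm_key, udr_key = MANNERS[manner]
    if udm[udm_key] not in udr[udr_key]:
        return {"failure_reason": "udm_not_in_allowed_area"}
    # The token carries both the UDM's value and the UDR's allowed list, so the
    # UDR can apply either of the two checks described for step 306.
    payload = {
        "sub": token_request["nf_instance_id"],
        "aud": token_request["target_udr"],
        "iat": int(now),
        "exp": int(now) + TOKEN_LIFETIME_S,
        udm_key: udm[udm_key],
        udr_key: udr[udr_key],
    }
    body = _b64(json.dumps(payload, sort_keys=True).encode("utf-8"))
    mac = hmac.new(NRF_UDR_SHARED_KEY, body.encode("ascii"), hashlib.sha256).digest()
    return {"token": body + "." + _b64(mac)}


def udr_authorize(token: str, own_id: str, own_profile: dict, now: float = None) -> bool:
    """Steps 305/306 at the UDR: integrity check first, then audience and
    expiry, then the area check against the UDR's own allowed lists."""
    now = time.time() if now is None else now
    try:
        body, mac_b64 = token.split(".")
        expected = hmac.new(NRF_UDR_SHARED_KEY, body.encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(mac_b64)):
            return False
        payload = json.loads(_unb64(body))
    except (ValueError, binascii.Error, UnicodeDecodeError):
        return False
    if payload.get("aud") != own_id or payload.get("exp", 0) <= now:
        return False
    for udm_key, udr_key in MANNERS.values():
        if udm_key in payload:
            # Check 1: the UDM's value is in the UDR's own allowed list.
            # Check 2 (when the token also carries the list): it equals the UDR's own list.
            in_own_list = payload[udm_key] in own_profile[udr_key]
            list_matches = udr_key not in payload or payload[udr_key] == own_profile[udr_key]
            return in_own_list and list_matches
    return False
```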
  • the service request can be used to request a query of user subscription data, so that the UDR returns the user subscription data; for another example, the service request can be used to request an update of policy data, so that the UDR updates the policy data and then returns the update status (update success or failure) to the UDM, and so on; the embodiment of the present application does not limit the content requested by the service request.
  • UDM can be replaced with CSCF (such as P-CSCF, S-CSCF, or I-CSCF in FIG. 1) or AS; UDR can be replaced with HSS.
  • the first information is used to identify the CSCF
  • the second information is used to identify the CSCF allowed by the HSS.
  • the first information may include the CSCF domain
  • the second information may include the domain allowed by the HSS.
  • the first information may include a routing indication of the CSCF
  • the second information may include a routing indication list of the HSS, and so on.
  • the first information is used to identify the first network device (such as UDM), and the second information is used to identify the network device that the second network device (such as UDR) is allowed to access.
  • the second network device can check, according to the first information and/or the second information, whether the first network device is located in an area that the second network device allows to access it. Therefore, an unauthorized first network device is prevented from accessing the second network device, and the security of information interaction between the first network device and the second network device is improved. Further, by authorizing the first network device in the same area to access the second network device in the same area, the time delay for the first network device to access the second network device can also be reduced, and efficiency can be improved.
  • FIG. 4 is a schematic flowchart of an authorization method provided by an embodiment of the present application, and the method can be applied to the network architecture shown in FIG. 2. As shown in Figure 4, the method includes:
  • the UDM sends a first registration request to the NRF, where the first registration request includes profile parameters of the UDM.
  • the NRF receives the first registration request.
  • the profile parameters of the UDM include the user identification range of the UDM, and the user identification range of the UDM indicates the range of SUPIs managed or served by the UDM, where the SUPI is the subscription permanent identifier of the user.
  • the NRF can also save the user identification range of the UDM.
  • the UDR sends a second registration request to the NRF, where the second registration request includes the profile parameters of the UDR.
  • the NRF receives the second registration request.
  • the profile parameter of the UDR includes the user identification range of the UDR, and the user identification range of the UDR represents the range of SUPI managed or served by the UDR.
  • the UDM sends a token request (token request) to the NRF, where the token request is used to request issuance of a token (token).
  • the NRF receives the token request.
  • the token request may include one or more of the UDM profile parameters.
  • the parameter types included in the UDM profile parameters reference may be made to the foregoing description, which will not be described in detail here.
  • the token request may include the UDM user identification range (range(s) of SUPIs).
  • the token request may not include the UDM user identification range.
  • the NRF can query the profile parameters of the UDM according to the information in the token request (such as the network function instance ID of the UDM) to obtain the user identification range of the UDM. And when the token request includes the user identification range of the UDM, there is no limitation on whether the token request also includes one or more of the UDM profile parameters.
  • the above 401 and 402 may not be executed every time; that is, after the UDM sends the first registration request to the NRF and the UDR sends the second registration request to the NRF, within a certain validity period the authorization method provided in this embodiment of the application may only include 403-406.
  • the NRF determines whether the UDM has the authority to access the UDR according to the token request; if so, it sends a token response (token response) to the UDM. Correspondingly, the UDM receives the token response.
  • when the token request includes one or more of the UDM profile parameters, the token request may not include the UDM user identification range.
  • the token request may also include indication information.
  • the indication information is used to indicate that the NRF needs to determine whether the UDM has the authority to access the UDR, or that the NRF needs to determine whether the UDM is located in an area allowed by the UDR, or that the NRF is to perform area-based authorization. In other words, before the NRF determines whether the UDM has the authority to access the UDR, the NRF first determines, according to the indication information, whether that check needs to be performed at all.
  • the NRF may determine whether the UDM has the authority to access the UDR according to the user ID range of the UDM included in the token request.
  • the token request may include the identification information of the UDR, and the identification information of the UDR may be used to indicate the UDR that the UDM needs to access. That is, the NRF can know which UDR the UDM needs to access through the identification information of the UDR. For example, as shown in Figure 2, UDM1 needs to access UDR1 in the same area, and the token request may include the identification information of UDR1. For another example, if UDM1 needs to access UDR2 that does not belong to the same area, the token request may include the identification information of UDR2.
  • the NRF can obtain the user ID range of the UDR according to the UDR identification information contained in the token request, and determine whether the user ID range of the UDM falls within the user ID range of the UDR; if so, it generates a token, which includes the user ID range of the UDM; or, the token includes the user ID range of the UDR; or, the token includes both the user ID range of the UDM and the user ID range of the UDR. If the user ID range of the UDM does not fall within the user ID range of the UDR, the NRF does not generate a token, and thus does not return a token response to the UDM.
  • the NRF may return a token response to the UDM, and the token response may include a failure reason value and/or exception information, etc., and the failure reason value is used to indicate the reason why the UDM cannot access the UDR.
  • the NRF may return a rejection message to the UDM.
  • the NRF can also perform integrity protection on the token, that is, the NRF can generate the token according to the identification information of the UDR included in the token request, that is, the NRF can use the identification information of the UDR included in the token request.
  • the UDM sends a service request to the UDR, where the service request includes a token, the token is used to verify whether the UDM has the authority to access the UDR, and the token includes the user identification range of the UDM and/or the user identification range of the UDR.
  • the UDR receives the service request.
  • the UDR determines whether the UDM has the authority to access the UDR according to the token in the service request; if so, sends a service response to the UDM. Correspondingly, the UDM receives the service response.
  • the UDR can verify whether the UDM user ID range in the token falls within the user ID range of the UDR; if it does, the UDM has the authority to access the UDR. Or, the UDR can verify whether the user ID range of the UDR included in the token is the same as its own user ID range; if they are the same, it is determined that the UDM has the authority to access the UDR. If the UDR determines that the UDM has the authority to access the UDR, it returns a service response to the UDM.
  • the UDR can also perform integrity verification on the token.
  • the UDR can first perform an integrity check on the token; and then check whether the UDM has the authority to access the UDR.
  • the UDR may first verify whether the UDM has the authority to access the UDR, and then perform integrity verification on the token, etc., which is not limited in the embodiment of the present application.
  • the authorization method provided in the embodiment of this application may also only include 405 and 406.
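The SUPI-range comparison of steps 403 and 406, as an added example that is not drawn from the patent. It assumes SUPI ranges represented as inclusive pairs of decimal digit strings, constructed UDM/UDR profiles with made-up identifiers, and it generalizes the check to lists of ranges by merging adjacent or overlapping ranges before testing containment:

```python
from typing import Dict, List, Optional, Tuple

# A SUPI range is an inclusive (start, end) pair of decimal digit strings.
# This representation and all values below are constructed for the example.
SupiRange = Tuple[str, str]

# Constructed profiles, standing in for what was registered in steps 401/402.
NRF_UDM_PROFILES: Dict[str, List[SupiRange]] = {
    "udm-1": [("460001000000000", "460001000099999")],
    "udm-2": [("460001000050000", "460001000250000")],
}
NRF_UDR_PROFILES: Dict[str, List[SupiRange]] = {
    # Two adjacent ranges that together cover ...000000 to ...199999.
    "udr-1": [("460001000000000", "460001000099999"),
              ("460001000100000", "460001000199999")],
}


def normalize(ranges: List[SupiRange]) -> List[Tuple[int, int]]:
    """Validate, sort and merge overlapping or adjacent ranges."""
    intervals = []
    for start, end in ranges:
        if not (start.isdigit() and end.isdigit()):
            raise ValueError(f"malformed SUPI range {start!r}-{end!r}")
        lo, hi = int(start), int(end)
        if lo > hi:
            raise ValueError(f"empty SUPI range {start!r}-{end!r}")
        intervals.append((lo, hi))
    intervals.sort()
    merged: List[Tuple[int, int]] = []
    for lo, hi in intervals:
        if merged and lo <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged


def range_within(inner: List[SupiRange], outer: List[SupiRange]) -> bool:
    """True iff every SUPI in `inner` is also in `outer`. After merging, a
    contained interval must fit inside a single merged outer interval."""
    outer_merged = normalize(outer)
    return all(any(o_lo <= lo and hi <= o_hi for o_lo, o_hi in outer_merged)
               for lo, hi in normalize(inner))


def nrf_check_supi_range(token_request: dict) -> Optional[dict]:
    """Step 403: the NRF takes the UDM range from the token request, or looks it
    up by NF instance ID when the request omits it, and compares it with the
    target UDR's range. Returns the claims to place in the token, or None
    when no token is to be issued."""
    udm_ranges = token_request.get("supi_ranges") or NRF_UDM_PROFILES.get(
        token_request.get("nf_instance_id"))
    udr_ranges = NRF_UDR_PROFILES.get(token_request.get("target_udr"))
    if udm_ranges is None or udr_ranges is None:
        return None
    if not range_within(udm_ranges, udr_ranges):
        return None
    return {"udm_supi_ranges": udm_ranges, "udr_supi_ranges": udr_ranges}


def udr_check_supi_range(token_claims: dict, own_ranges: List[SupiRange]) -> bool:
    """Step 406 (after the integrity check): either the UDM range in the token
    lies within the UDR's own range, or the UDR range in the token equals the
    UDR's own range."""
    if "udm_supi_ranges" in token_claims:
        return range_within(token_claims["udm_supi_ranges"], own_ranges)
    if "udr_supi_ranges" in token_claims:
        return normalize(token_claims["udr_supi_ranges"]) == normalize(own_ranges)
    return False
```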
  • UDM can be replaced by CSCF or AS; UDR can be replaced by HSS.
  • the user identification range can be replaced with range(s) of IMPI (IP multimedia private identity) and/or IMPU (IMS public user identity), and so on.
  • the implementation of the embodiments of the present application can prevent an unauthorized first network device from accessing the second network device, and improve the security of information interaction between the first network device and the second network device. Further, by authorizing the first network device in the same area to access the second network device in the same area, the time delay for the first network device to access the second network device can also be reduced, and efficiency can be improved.
  • FIG. 3 and FIG. 4 have their respective focuses, and the implementation manners that are not described in detail in one embodiment can be referred to another embodiment.
  • FIG. 7 is a schematic flowchart of another authorization method provided by an embodiment of the present application, and the method can be applied to the network architecture shown in FIG. 2. As shown in Figure 7, the method includes:
  • a service requester (for example, UDM, PCF, NEF, etc.) sends a first registration request to the NRF, and correspondingly, the NRF receives the first registration request.
  • the first registration request may include the NF profile parameter of the service requester
  • the profile parameter of the service requester may include the network function instance ID (NF instance ID) of the service requester, and the service requester
  • the first registration request is used to register relevant information parameters (for example, network function profile, NF profile) of the service requester into the NRF, so that the NRF can perform service discovery and authorization.
  • the service provider (for example, UDR) sends a second registration request to the NRF.
  • the NRF receives the second registration request.
  • the second registration request may include the profile parameter of the service provider
  • the profile parameter of the service provider may include the network function instance ID (NF instance ID) of the service provider, the network function type (NF type) of the service provider, the group ID (group ID) of the service provider, the subscription permanent identifier range (range(s) of SUPIs) of the service provider, and other parameters.
  • the second registration request may include the correspondence between the NF type of the service requester that can access the service provider and the type of data that the service requester can access.
  • the correspondence between the NF type of the service requester and the type of data accessible by the service requester may be a matching list of NF type and data type identifier, or a mapping list of NF type and data type identifier.
  • the data type identifier is used to identify the type of data stored in the service provider.
  • the data type identifier may include a data set identifier (Data Set Identifier), and/or a data subset identifier (Data Subset Identifier), and/or a data key (Data Key), and/or a data sub key (Data Sub Key), etc.
  • the data set identifier is used to identify the data set that the service requester needs to request, and the data set can be expressed as a data type.
  • the data set can be subscription data (Subscription Data), application data (Application Data), policy data (Policy Data), or exposure data (Exposure Data);
  • the data subset identifier is used to identify the data subset that the service requester needs to request.
  • the data subset is the next level below the data set and can be expressed as a more specific data type; for example, the data subset can be Access and Mobility Subscription Data, Packet Flow Descriptions, UE context policy control data, or Access and Mobility Information, etc.
  • the second registration request is used to register relevant information parameters (for example, network function profile, NF profile) of the service provider in the NRF, so that the NRF can perform service discovery and authorization.
  • the service requester sends a token request (token request) to the NRF, where the token request is used to request issuance of a token (token).
  • the NRF receives the token request.
  • the token request may include one or more parameters in the profile parameters of the service requester.
  • for the parameter types included in the profile parameters of the service requester, please refer to the foregoing description, which is not repeated here.
  • the token request may also include the data type identifier (for example, Data Set Identifier, and/or Data Subset Identifier, and/or Data Key, and/or Data Sub Key, etc.).
  • the above 701 and 702 may not be executed every time; that is, after the service requester sends the first registration request to the NRF and the service provider sends the second registration request to the NRF, within a certain validity period the authorization method provided in this embodiment of the application may also only include 703-706.
  • the NRF determines whether the service requester is authorized to access the service of the service provider according to the token request. For example, the NRF determines whether the service requester has the authority to access the service provided by the service provider according to the token request. If it is determined that the service requester is authorized to access the service of the service provider, a token response (token response) is sent to the service requester, and the token response includes the token. Correspondingly, the service requester receives the token response.
  • the NRF may determine whether the service requester is authorized to access the service provided by the service provider according to one or more of the service requester's profile parameters included in the token request, combined with local configuration or local policy information.
  • the NRF may further determine whether the service requester is authorized to access the data of the data type based on the NF type of the NF producer in the token request, and/or the data type identifier in the service request (for example, Data Set Identifier, and/or Data Subset Identifier, and/or Data Key, and/or Data Sub Key, etc.), and/or the correspondence between the NF type of the service requester and the data types accessible by the service requester, and/or local configuration or local policy information. For example, the NRF determines whether the service requester has the authority to access the data of the data type. If it is determined that the service requester is authorized to access the data of the data type, the service provider sends a service response to the service requester, and the service response contains the aforementioned type of data.
  • the token request may include the identification information of the service provider, and the identification information of the service provider may be used to indicate the service provider that the service requester needs to access. That is, the NRF can know which service provider the service requester needs to visit through the identification information of the service provider.
  • the NRF can also protect the integrity of the token, that is, the NRF can generate the token according to the identification information of the service provider included in the token request, that is, the NRF can use the service provider included in the token request.
  • the service requester sends a service request to the service provider
  • the service request includes a token.
  • the service provider uses this to verify whether the service requester has the authority to access the service provider.
  • the service request may also include a data type identifier (for example, Data Set Identifier, and/or Data Subset Identifier, and/or Data Key, and/or Data Sub Key, etc.).
  • the service provider receives the service request.
  • the service provider determines whether the service requester is authorized to access the service provider according to the token in the service request; if it is determined that the service requester is authorized to access the service provider, the service provider further determines, according to the network function type (NF type) in the token and the data type identifier in the service request, whether the service requester is authorized to access this type of data. If it is determined that the service requester is authorized to access this type of data, the service provider sends a service response to the service requester, and the service response contains the aforementioned type of data. Correspondingly, the service requester receives the service response.
  • the service provider can determine whether the service requester is authorized to access this type of data according to the network function type of the service requester included in the token and the data type identifier in the service request. For example, if the service provider is UDR, the service provider can determine that the service requester is a UDM according to the network function type of the service requester in the token; optionally, the service provider can determine the service requester as UDM according to the data set identifier in the service request.
  • for example, if the service provider is UDR, the network function type of the service requester is PCF/NEF, and the data set identifier indicates that the data type is subscription data, the service provider determines that this type of service requester (that is, PCF/NEF) cannot request this type of data (that is, subscription data); in other words, PCF/NEF cannot request subscription data from the UDR.
  • the service provider is UDR, and the data set identifier indicates that the data type is policy data.
  • the service provider determines that the type of service requester (ie, PCF) can request this type If the service requester’s network function type is UDM/NEF, the service provider determines that the service requester of this type (ie UDM/NEF) cannot request this type of data (ie, Contract data), that is, only the PCF can request the policy data in the UDR, and the UDM/NEF cannot request the policy data in the UDR. If the service provider determines that the service requester has the right to request access to this type of data, the service provider returns a service response to the service requester, and the service response contains the aforementioned type of data.
  • the service provider can determine whether the service requester of this type is authorized to request/access this type of data according to the NF type of the service provider and the data type identification in the service request, combined with local configuration or local policy.
  • the service provider can also determine the type of service based on the NF type of the service provider and the data type identifier in the service request, and the correspondence between the NF type of the service requester and the type of data accessible by the service requester. Whether the requester is authorized to request/access this type of data.
  • the service provider may also verify whether the data type identifier contained in the token is consistent with the data type identifier in the service request, and if they are consistent, it is determined that the service provider is authorized to access this type of data.
  • the service provider can also verify whether the data type identifier contained in the token is consistent with the data type identifier stored locally, and if they are consistent, it is determined that the service provider is authorized to access this type of data.
  • the service provider may also combine the NF type of the service requester with the data type that can be accessed by the service requester according to the NF type and data type identification of the service provider in the token, and/or combine the local Configure or local policy to determine whether the service requester of this type is authorized to request/access this type of data.
  • the service provider can also perform an integrity check on the token, and if the check passes, it will return a service response to the service requester.
  • the service provider can use the shared secret key with the NRF, or use the NRF public key to verify the integrity of the token. After the verification is passed, the service provider responds to the service requester with the relevant information requested by the service request. service.
  • the service provider may first perform an integrity check on the token; and then check whether the service requester is authorized to access the service provider. Alternatively, the service provider may first verify whether the service requester has the authority to access the service provider, and then perform integrity verification on the token, etc., which is not limited in the embodiment of the present application.
  • the above-mentioned 703 and 704 may not be executed every time, that is, after the service requester requests the token from the NRF, the authorization method provided in the embodiment of this application can also be used within the validity period of the token. Only 705 and 706 are included.
  • the service request can be used to request to query user subscription data, so that the service provider returns the user subscription data; for another example, the service request can be used to request to update the policy data, so that the service provider can request the service after updating the policy data.
  • the user returns the update status (update success or failure), etc.
  • the embodiment of this application does not limit the content requested by the service request.
  • NF type network function type
  • FIG. 5 is a schematic structural diagram of a communication device provided by an embodiment of this application. The communication device can be used to perform the functions implemented by the first network device in FIG. 3, FIG. 4 and FIG. 7. As shown in FIG. 5, the communication device includes:
  • a sending unit 501, configured to send a service request to a second network device, where the service request includes a token, the token is used to verify whether the communication device has permission to access the second network device, and the token includes first information and/or second information, the first information being used to identify the communication device and the second information being used to identify the network devices that are allowed to access the second network device;
  • a receiving unit 502, configured to receive a service response sent by the second network device when the second network device verifies the token successfully, where the service response is used to respond to the service request.
  • Optionally, the first information includes the domain of the communication device and the second information includes the domains allowed by the second network device; or the first information includes a routing indicator of the communication device and the second information includes a routing indicator list; or the first information includes a group identifier of the communication device and the second information includes a group identifier list.
  • Optionally, the sending unit 501 is further configured to send a token request to a third network device, where the token request is used to request issuance of the token; and the receiving unit 502 is further configured to receive a token response, including the token, sent by the third network device.
  • Optionally, the token request includes the first information.
  • Optionally, the sending unit 501 is further configured to send a first registration request to the third network device, where the first registration request includes the first information.
  • Optionally, the communication device may further include a processing unit 503.
  • The processing unit 503 may be one or more processors, the sending unit 501 may be a transmitter and the receiving unit 502 may be a receiver; or the sending unit 501 and the receiving unit 502 may be integrated into one device, such as a transceiver.
  • Alternatively, the processing unit 503 may be one or more processors, the sending unit 501 may be an output interface and the receiving unit 502 may be an input interface; or the sending unit 501 and the receiving unit 502 may be integrated into one unit, for example an input/output interface. The input/output interface is also called a communication interface, an interface circuit, an interface, and so on.
  • FIG. 5 is a schematic structural diagram of a communication device provided by an embodiment of this application. The communication device can be used to perform the functions implemented by the second network device in FIG. 3, FIG. 4 and FIG. 7. As shown in FIG. 5, the communication device includes:
  • a receiving unit 502, configured to receive a service request from a first network device, where the service request includes a token, the token is used to verify whether the first network device has the authority to access the communication device, and the token includes first information and/or second information, the first information being used to identify the first network device and the second information being used to identify the network devices that are allowed to access the communication device;
  • a processing unit 503, configured to determine, according to the token, whether the first network device has the authority to access the communication device;
  • a sending unit 501, configured to send a service response to the first network device if the first network device has permission to access the communication device, where the service response is used to respond to the service request.
  • Optionally, the sending unit 501 is further configured to send a second registration request to a third network device, where the second registration request includes the second information.
  • Optionally, the first information includes the domain of the first network device and the second information includes the domains allowed by the communication device; or the first information includes a routing indicator of the first network device and the second information includes a routing indicator list; or the first information includes a group identifier of the first network device and the second information includes a group identifier list.
  • Optionally, the communication device may further include the processing unit 503.
  • The processing unit 503 may be one or more processors, the sending unit 501 may be a transmitter and the receiving unit 502 may be a receiver; or the sending unit 501 and the receiving unit 502 may be integrated into one device, such as a transceiver.
  • Alternatively, the processing unit 503 may be one or more processors, the sending unit 501 may be an output interface and the receiving unit 502 may be an input interface; or the sending unit 501 and the receiving unit 502 may be integrated into one unit, for example an input/output interface. The input/output interface is also called a communication interface, an interface circuit, an interface, and so on.
  • FIG. 5 is a schematic structural diagram of a communication device provided by an embodiment of this application. The communication device can be used to perform the functions implemented by the third network device (such as an NRF) in FIG. 3, FIG. 4 and FIG. 7. As shown in FIG. 5, the communication device includes:
  • a receiving unit 502, configured to receive a token request sent by the first network device, where the token request is used to request issuance of a token;
  • a processing unit 503, configured to determine, according to the token request, whether the first network device has permission to access the second network device;
  • a sending unit 501, configured to send a token response including the token to the first network device if the first network device has the authority to access the second network device, where the token includes first information and/or second information, the first information being used to identify the first network device and the second information being used to identify the network devices that are allowed to access the second network device.
  • Optionally, the receiving unit 502 is further configured to receive a first registration request from the first network device, where the first registration request includes the first information; and the receiving unit 502 is further configured to receive a second registration request from the second network device, where the second registration request includes the second information.
  • Optionally, the first information includes a domain of the first network device and the second information includes the domains allowed by the second network device; or the first information includes a routing indicator of the first network device and the second information includes a routing indicator list; or the first information includes a group identifier of the first network device and the second information includes a group identifier list.
  • Optionally, the communication device may further include the processing unit 503.
  • The processing unit 503 may be one or more processors, the sending unit 501 may be a transmitter and the receiving unit 502 may be a receiver; or the sending unit 501 and the receiving unit 502 may be integrated into one device, such as a transceiver.
  • Alternatively, the processing unit 503 may be one or more processors, the sending unit 501 may be an output interface and the receiving unit 502 may be an input interface; or the sending unit 501 and the receiving unit 502 may be integrated into one unit, for example an input/output interface. The input/output interface is also called a communication interface, an interface circuit, an interface, and so on.
  • FIG. 6 is a schematic structural diagram of a communication device according to an embodiment of this application, which is used to implement any function of the first network device, the second network device or the third network device in the foregoing methods.
  • The device may be the first network device, a device in the first network device, or a device that can be used in conjunction with the first network device.
  • The device may be the second network device, a device in the second network device, or a device that can be used in conjunction with the second network device.
  • The device may be the third network device, a device in the third network device, or a device that can be used in conjunction with the third network device.
  • The communication device may also be a chip system. In the embodiments of this application, the chip system may be composed of chips, or may include chips and other discrete devices.
  • The communication device includes at least one processor 620, configured to implement any function of the first network device, the second network device or the third network device in the method provided in the embodiments of this application.
  • The communication device may also include a communication interface 610. In the embodiments of this application, the communication interface may be a transceiver, a circuit, a bus, a module or another type of communication interface, used to communicate with other devices through a transmission medium. For example, the communication interface 610 is used by the communication device to communicate with other devices. The processor 620 sends and receives data through the communication interface 610 and is used to implement the method described in the foregoing method embodiments.
  • The communication device may also include at least one memory 630 for storing program instructions and/or data. The memory 630 is coupled to the processor 620. The coupling in the embodiments of this application is an indirect coupling or communication connection between devices, units or modules, which may be electrical, mechanical or in another form, and is used for information exchange between the devices, units or modules. The processor 620 may cooperate with the memory 630: the processor 620 may execute the program instructions stored in the memory 630. At least one of the at least one memory may be included in the processor.
  • The embodiments of this application do not limit the specific connection medium between the communication interface 610, the processor 620 and the memory 630. In the embodiments of this application, the memory 630, the processor 620 and the communication interface 610 are connected by a bus 640 in FIG. 6; the bus is represented by a thick line in FIG. 6, and the way the other components are connected is only schematic and is not limited. The bus can be divided into an address bus, a data bus, a control bus and so on. For ease of representation, only one thick line is used in FIG. 6, but this does not mean that there is only one bus or only one type of bus.
  • In the embodiments of this application, the processor may be a general-purpose processor, a digital signal processor, an application-specific integrated circuit, a field-programmable gate array or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component, and may implement or perform the methods, steps and logical block diagrams disclosed in the embodiments of this application. The general-purpose processor may be a microprocessor or any conventional processor or the like. The steps of the methods disclosed in connection with the embodiments of this application may be directly embodied as being executed and completed by a hardware processor, or as being executed and completed by a combination of hardware and software modules in the processor.
  • This application also provides a computer program product. The computer program product includes computer program code which, when run on a computer, causes the computer to execute the method in the embodiment shown in FIG. 3, FIG. 4 or FIG. 7.
  • This application also provides a computer-readable medium that stores program code which, when run on a computer, causes the computer to execute the method in the embodiment shown in FIG. 3, FIG. 4 or FIG. 7.
  • This application also provides a system, which includes the aforementioned first network device, second network device and third network device.
  • The computer program product includes one or more computer instructions. The computer may be a general-purpose computer, a special-purpose computer, a computer network or another programmable device. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another computer-readable storage medium; for example, the computer instructions may be transmitted from a website, computer, server or data center.
  • The computer-readable storage medium may be any available medium that a computer can access, or a data storage device such as a server or data center that integrates one or more available media. The available medium may be a magnetic medium (for example, a floppy disk, a hard disk or a magnetic tape), an optical medium (for example, a high-density digital video disc (DVD)), or a semiconductor medium (for example, a solid state disk (SSD)), etc.
  • The term "component" used in this specification is used to denote a computer-related entity: hardware, firmware, a combination of hardware and software, software, or software in execution. For example, a component may be, but is not limited to, a process running on a processor, a processor, an object, an executable file, a thread of execution, a program and/or a computer. By way of illustration, both an application running on a computing device and the computing device itself can be components. One or more components may reside in a process and/or thread of execution, and a component may be located on one computer and/or distributed between two or more computers. In addition, these components can execute from various computer-readable media having various data structures stored thereon. A component may communicate through local and/or remote processes, for example based on a signal having one or more data packets (for example, data from two components interacting with another component in a local system, in a distributed system, and/or across a network such as the Internet that interacts with other systems through the signal).


Abstract

The embodiments of this application disclose an authorization method and apparatus. The authorization method includes: a first network device sends a service request to a second network device, where the service request includes a token, the token is used to verify whether the first network device has permission to access the second network device, and the token includes first information and/or second information, the first information being used to identify the first network device and the second information being used to identify the network devices that the second network device allows to access it; and the first network device receives a service response sent by the second network device.

Description

Authorization method and apparatus
This application claims priority to Chinese patent application No. 201911209163.X, filed with the Chinese Patent Office on November 30, 2019, and to Chinese patent application No. 202010088956.7, filed with the Chinese Patent Office on February 12, 2020, both entitled "Authorization method and apparatus", the entire contents of which are incorporated herein by reference.
Technical Field
This application relates to the field of communication technologies, and in particular to an authorization method and apparatus.
Background
At present, when security issues are discussed for the scenario in which the unified data repository (UDR) and unified data management (UDM) are deployed separately, some countries or operators may deploy multiple UDMs and UDRs within the same public land mobile network (PLMN).
Generally, when a UDM needs to request a service of a UDR, the UDR needs to verify the UDM.
Therefore, how the UDR verifies the UDM is a problem to be solved.
Summary
This application provides an authorization method and apparatus, which enable a UDM located in an authorized region to access the data or services of a UDR.
In a first aspect, this application provides an authorization method, including:
a first network device sends a service request to a second network device, where the service request includes a token, the token is used to verify whether the first network device has permission to access the second network device, and the token includes first information and/or second information, the first information being used to identify the first network device and the second information being used to identify the network devices that the second network device allows to access it; and the first network device receives a service response sent by the second network device.
For example, when the second network device verifies the token successfully, the first network device receives the service response sent by the second network device, where the service response is used to respond to the service request.
In the embodiments of this application, the first information identifies the first network device, and the second information identifies the network devices that the second network device allows to access it. By including the first information and/or the second information in the token, the second network device can verify, according to the first information and/or the second information, whether the first network device is located in a region from which access to the second network device is allowed. This prevents an unauthorized first network device from accessing the second network device and improves the security of information exchange between the first network device and the second network device.
In a possible implementation, the first information includes the domain of the first network device and the second information includes the domains allowed by the second network device; or the first information includes a routing indicator of the first network device and the second information includes a routing indicator list; or the first information includes a group identifier of the first network device and the second information includes a group identifier list.
In a possible implementation, before the first network device sends the service request to the second network device, the method further includes: the first network device sends a token request to a third network device, where the token request is used to request issuance of the token; and the first network device receives a token response, including the token, sent by the third network device.
In a possible implementation, the token request includes the first information.
In a possible implementation, before the first network device sends the token request to the third network device, the method further includes: the first network device sends a first registration request to the third network device, where the first registration request includes the first information.
In a second aspect, this application provides an authorization method, including:
a second network device receives a service request from a first network device, where the service request includes a token, the token is used to verify whether the first network device has permission to access the second network device, and the token includes first information and/or second information, the first information being used to identify the first network device and the second information being used to identify the network devices that the second network device allows to access it; the second network device determines, according to the token, whether the first network device has permission to access the second network device; and if the first network device has permission to access the second network device, the second network device sends a service response to the first network device.
It can be understood that the service response is used to respond to the service request.
In the embodiments of this application, after receiving the service request including the token, the second network device can determine, according to the information included in the token (the first information and/or the second information), whether the first network device has permission to access the second network device. If the first network device has permission, the second network device sends the service response to the first network device. A first network device located in a region from which the second network device allows access can thus access the second network device, which improves the security of information exchange.
In a possible implementation, before the second network device receives the service request from the first network device, the method further includes: the second network device sends a second registration request to a third network device, where the second registration request includes the second information.
In a possible implementation, the first information includes the domain of the first network device and the second information includes the domains allowed by the second network device; or the first information includes a routing indicator of the first network device and the second information includes a routing indicator list; or the first information includes a group identifier of the first network device and the second information includes a group identifier list.
In a third aspect, this application provides an authorization method, including:
a third network device receives a token request sent by a first network device, where the token request is used to request issuance of a token; the third network device determines, according to the token request, whether the first network device has permission to access a second network device; and if the first network device has permission to access the second network device, the third network device sends a token response including the token to the first network device, where the token includes first information and/or second information, the first information being used to identify the first network device and the second information being used to identify the network devices that the second network device allows to access it.
In a possible implementation, before the third network device receives the token request sent by the first network device, the method further includes: the third network device receives a first registration request from the first network device, where the first registration request includes the first information; and the third network device receives a second registration request from the second network device, where the second registration request includes the second information.
In a possible implementation, the first information includes the domain of the first network device and the second information includes the domains allowed by the second network device; or the first information includes a routing indicator of the first network device and the second information includes a routing indicator list; or the first information includes a group identifier of the first network device and the second information includes a group identifier list.
In a fourth aspect, this application provides a communication device, including:
a sending unit, configured to send a service request to a second network device, where the service request includes a token, the token is used to verify whether the communication device has permission to access the second network device, and the token includes first information and/or second information, the first information being used to identify the communication device and the second information being used to identify the network devices that the second network device allows to access it; and a receiving unit, configured to receive a service response sent by the second network device.
In the embodiments of this application, the communication device may be the first network device. Optionally, the first network device may include a service requester.
In a possible implementation, the first information includes the domain of the communication device and the second information includes the domains allowed by the second network device; or the first information includes a routing indicator of the communication device and the second information includes a routing indicator list; or the first information includes a group identifier of the communication device and the second information includes a group identifier list.
In a possible implementation, the sending unit is further configured to send a token request to a third network device, where the token request is used to request issuance of the token; and the receiving unit is further configured to receive a token response, including the token, sent by the third network device.
In a possible implementation, the token request includes the first information.
In a possible implementation, the sending unit is further configured to send a first registration request to the third network device, where the first registration request includes the first information.
In a fifth aspect, this application provides a communication device, including:
a receiving unit, configured to receive a service request from a first network device, where the service request includes a token, the token is used to verify whether the first network device has permission to access the communication device, and the token includes first information and/or second information, the first information being used to identify the first network device and the second information being used to identify the network devices that the communication device allows to access it; a processing unit, configured to determine, according to the token, whether the first network device has permission to access the communication device; and a sending unit, configured to send a service response to the first network device if the first network device has permission to access the communication device.
It can be understood that the service response is used to respond to the service request.
In a possible implementation, the sending unit is further configured to send a second registration request to a third network device, where the second registration request includes the second information.
In a possible implementation, the first information includes the domain of the first network device and the second information includes the domains allowed by the communication device; or the first information includes a routing indicator of the first network device and the second information includes a routing indicator list; or the first information includes a group identifier of the first network device and the second information includes a group identifier list.
In the embodiments of this application, the communication device may be the second network device. Optionally, the second network device may include a service provider.
In a sixth aspect, this application provides a communication device, including:
a receiving unit, configured to receive a token request sent by a first network device, where the token request is used to request issuance of a token; a processing unit, configured to determine, according to the token request, whether the first network device has permission to access a second network device; and a sending unit, configured to send a token response including the token to the first network device if the first network device has permission to access the second network device, where the token includes first information and/or second information, the first information being used to identify the first network device and the second information being used to identify the network devices that the second network device allows to access it.
In a possible implementation, the receiving unit is further configured to receive a first registration request from the first network device, where the first registration request includes the first information; and the receiving unit is further configured to receive a second registration request from the second network device, where the second registration request includes the second information.
In a possible implementation, the first information includes the domain of the first network device and the second information includes the domains allowed by the second network device; or the first information includes a routing indicator of the first network device and the second information includes a routing indicator list; or the first information includes a group identifier of the first network device and the second information includes a group identifier list.
In the embodiments of this application, the communication device may be the third network device.
In a seventh aspect, an embodiment of this application provides a communication device including a processor, a memory and a transceiver, where the transceiver is configured to receive or send signals, the memory is configured to store program code, and the processor is configured to invoke the program code to perform the method of the first aspect; or the processor is configured to invoke the program code to perform the method of the second aspect; or the processor is configured to invoke the program code to perform the method of the third aspect.
In an eighth aspect, an embodiment of this application provides a communication device including a processor and an interface circuit, where the interface circuit is configured to receive code instructions and transmit them to the processor, and the processor runs the code instructions to perform the method of the first aspect; or the processor runs the code instructions to perform the method of the second aspect; or the processor runs the code instructions to perform the method of the third aspect.
In a ninth aspect, this application provides a communication system, including a first network device, a second network device and a third network device;
the first network device is configured to send a first registration request to the third network device, where the first registration request includes first information; the second network device is configured to send a second registration request to the third network device, where the second registration request includes second information; and the third network device is configured to receive the first registration request and the second registration request;
the first network device is further configured to send a token request to the third network device; the third network device is further configured to receive the token request and to send a token response including a token to the first network device; and the first network device is further configured to receive the token response including the token;
the first network device is further configured to send a service request to the second network device, where the service request includes the token, the token is used to verify whether the first network device has permission to access the second network device, and the token includes the first information and/or the second information, the first information being used to identify the first network device and the second information being used to identify the network devices that the second network device allows to access it; the second network device is further configured to receive the service request and to determine whether the first network device has permission to access the second network device, and, if the first network device has permission to access the second network device, the second network device sends a service response to the first network device; and the first network device is further configured to receive the service response.
In a tenth aspect, an embodiment of this application provides a computer-readable storage medium for storing instructions which, when executed, cause the method of the first aspect to be implemented; or which, when executed, cause the method of the second aspect to be implemented; or which, when executed, cause the method of the third aspect to be implemented.
In an eleventh aspect, an embodiment of this application provides a computer program product including instructions which, when executed, cause the method of the first aspect to be implemented; or which, when executed, cause the method of the second aspect to be implemented; or which, when executed, cause the method of the third aspect to be implemented.
Brief Description of the Drawings
FIG. 1 is a schematic diagram of an IP multimedia subsystem (IMS) network architecture supporting service-based interfaces according to an embodiment of this application;
FIG. 2 is a schematic diagram of a service-based-interface network architecture according to an embodiment of this application;
FIG. 3 is a schematic flowchart of an authorization method according to an embodiment of this application;
FIG. 4 is a schematic flowchart of an authorization method according to an embodiment of this application;
FIG. 5 is a schematic structural diagram of a communication device according to an embodiment of this application;
FIG. 6 is a schematic structural diagram of a communication device according to an embodiment of this application;
FIG. 7 is a schematic flowchart of an authorization method according to an embodiment of this application.
Detailed Description of the Embodiments
Each is described in detail below.
The terms "first", "second", "third", "fourth" and so on in the specification, claims and drawings of this application are used to distinguish different objects, not to describe a particular order. In addition, the terms "include" and "have" and any variants thereof are intended to cover a non-exclusive inclusion. For example, a process, method, system, product or device that includes a series of steps or units is not limited to the listed steps or units, but optionally further includes steps or units that are not listed, or optionally further includes other steps or units inherent to the process, method, product or device.
Reference herein to an "embodiment" means that a particular feature, structure or characteristic described in connection with the embodiment may be included in at least one embodiment of this application. The appearance of this phrase at various places in the specification does not necessarily refer to the same embodiment, nor to a separate or alternative embodiment that is mutually exclusive with other embodiments. Those skilled in the art understand, explicitly and implicitly, that the embodiments described herein may be combined with other embodiments.
In this application, "at least one (item)" means one or more, "multiple" means two or more, "at least two (items)" means two, three or more, and "and/or" describes an association between associated objects and indicates that three relationships may exist; for example, "A and/or B" may mean that only A exists, only B exists, or both A and B exist, where A and B may be singular or plural. The character "/" generally indicates an "or" relationship between the associated objects. "At least one of the following (items)" or similar expressions refer to any combination of these items, including any combination of a single item or plural items. For example, at least one of a, b or c may mean: a, b, c, "a and b", "a and c", "b and c", or "a and b and c", where a, b and c may each be single or multiple.
The embodiments of this application are described below with reference to the drawings.
First, the network architecture involved in the embodiments of this application is introduced.
Referring to FIG. 1, FIG. 1 is a schematic diagram of an IMS network architecture supporting service-based interfaces according to an embodiment of this application. As shown in FIG. 1:
Policy control network function, such as the policy control function (PCF): a unified policy framework for guiding network behaviour, which provides policy rule information to control-plane functions (for example, the AMF and SMF network functions).
Home subscriber server (HSS): used to store and manage user subscription data and to perform functions such as authentication and authentication-vector computation.
Proxy-call session control function (P-CSCF): the first network node inside the IP multimedia core network; it functions like a proxy, receiving request messages from the UE and forwarding them into the network (for example, the core network).
Interrogating-call session control function (I-CSCF): the contact node within an operator's network for all connections destined to a user of that network operator, or to a roaming user currently located within that network operator's service area.
Serving-call session control function (S-CSCF): performs session control services for the user equipment (UE) and maintains the service session state required by the network operator. Within an operator's network, different S-CSCFs may have different functions.
Application server (AS): a server for applications, providing application services to the IMS network; it may be deployed in the home network or in a third-party network (for example, an application server or a network outside the home network).
Referring to FIG. 2, FIG. 2 is a schematic diagram of a service-based-interface network architecture according to an embodiment of this application. As shown in FIG. 2:
Network repository network function, such as the network repository function (NRF): can be used to maintain real-time information about all network function services in the network. In the embodiments of this application, the NRF can perform the registration of network functions (NFs) and the discovery of network functions, store the registration information of each NF within the same PLMN, act as the authorization server that completes authorization and generates tokens, and is also capable of verifying tokens. As an example, the network functions in the core network are connected by service-based interfaces, and they may communicate with each other by way of service invocation. Depending on which side requests and which side provides a service, NFs can be divided into service requesters (NF service consumers) and service providers (NF service producers). As an example, a service requester may include the unified data management (UDM) network function, and a service provider may include the unified data repository (UDR) network function. As an example, a service requester may also include a CSCF or an AS, and a service provider may also include an HSS. It can be understood that the service requesters in the embodiments of this application are not limited to the above examples, nor are the service providers; the embodiments of this application do not limit other types of service requesters and service providers.
Unified data management (UDM) network function: can be used to handle user equipment identifiers, access authentication, registration, mobility management and so on. It can be understood that the UDM network function is referred to below simply as the UDM.
Unified data repository (UDR) network function: can be used to store and manage user subscription data and the like; other network functions (NFs) can obtain or update the data of the UDR.
It should be understood that the network architectures shown in FIG. 1 and FIG. 2 adopt a service-based architecture: traditional network element functions (or network functions) are split, based on network function virtualization (NFV) technology, into a number of self-contained, self-managed and reusable network function service modules; by flexibly defining sets of service modules, customized reconstruction of network functions can be achieved, and business flows are composed externally through a unified service invocation interface. The network architecture diagrams shown in FIG. 1 or FIG. 2 can be understood as service-based network architecture diagrams in a non-roaming scenario. The embodiments of this application are equally applicable to roaming scenarios.
It can be understood that the terms introduced above may have different names in different fields or different standards, so the names shown above should not be understood as limiting the embodiments of this application. The above network functions or functions may be network elements in hardware devices, software functions running on dedicated hardware, or virtualized functions instantiated on a platform (for example, a cloud platform).
Further, when a service requester (such as a UDM) invokes a service of a service provider (such as a UDR), the service provider often cannot determine whether the service requester is located in a region that has access permission. For example, when UDM3 in FIG. 2 accesses UDR2, UDR2 often cannot determine whether UDM3 has permission to access UDR2. Therefore, this application proposes a region-related authorization method which, in a scenario where multiple UDMs and UDRs exist within one PLMN (as in FIG. 2) or multiple CSCFs, ASs and HSSs exist (as in FIG. 1), performs region-related authorization of the NFs accessing the UDR or HSS and prevents the UDR or HSS from being accessed by an NF located in an unauthorized region.
This application applies mainly to 5G networks in which multiple UDMs and UDRs are deployed within the same PLMN, to IMS networks supporting service-based interfaces in which multiple CSCFs, ASs and HSSs are deployed within the same PLMN, or to other networks with regional restrictions on access between NFs; for example, a UDR located in region a allows access only from the UDMs of region b and region c. In the embodiments of this application, the NFs are based on a service-based architecture, the NFs communicate with each other by invoking services over service-based interfaces, and the NRF provides registration, service discovery, authorization and other services for the NFs it manages; the embodiments of this application do not limit the specific network architecture or NFs. The method provided by this application can be applied as long as the communication system includes a service provider, a service requester and an NF (such as an NRF) that provides registration, authorization and similar services.
In the following, the authorization method provided by this application is described in detail, taking a UDM as the service requester (NF service consumer) and a UDR as the service provider (NF service producer) as an example.
Referring to FIG. 3, FIG. 3 is a schematic flowchart of an authorization method according to an embodiment of this application; the method can be applied to the network architecture shown in FIG. 2. As shown in FIG. 3, the method includes:
301. The UDM sends a first registration request to the NRF, where the first registration request includes first information, and the first information is used to identify the UDM. Correspondingly, the NRF receives the first registration request.
In the embodiments of this application, the first information is used to identify the UDM. For example, the first information may include the UDM's domain (NF domain), which may represent the region in which the UDM is located, or a particular range, or a particular set. As another example, the first information may include the UDM's routing indicator (RI) information; the routing indicator information can be used by other NFs to discover one or more UDMs, that is, it can indicate a set of one or more UDMs. As another example, the first information may include the UDM's group identifier (group ID) information, which can indicate a group consisting of one or more UDMs.
Besides the first information, the first registration request may also include the UDM's profile (NF profile) parameters, which may include the UDM's network function instance ID (NF instance ID), the UDM's network function type (NF type), the UDM's group identifier (group ID), the UDM's range(s) of subscription permanent identifiers (SUPIs), and other parameters. It can be understood that the embodiments of this application do not limit which specific parameters the UDM's profile parameters contain.
In the embodiments of this application, the first registration request is used to register the UDM's related information parameters (for example, the network function profile, NF profile) with the NRF, so that the NRF can perform service discovery and authorization.
302. The UDR sends a second registration request to the NRF, where the second registration request includes second information, and the second information is used to identify the UDMs that the UDR allows to access it. Correspondingly, the NRF receives the second registration request.
In the embodiments of this application, the second information is used to identify the UDMs allowed by the UDR; that is, the second information can indicate one or more UDMs, and the one or more UDMs indicated by the second information are the UDMs allowed to access the UDR. It can be understood that the UDMs allowed to access the UDR may be located in the same region as the UDR, which reduces the latency of UDM access to the UDR and improves access efficiency. Alternatively, the UDMs allowed to access the UDR may not belong to the same region as the UDR, and so on; the embodiments of this application do not limit whether the UDR and the corresponding UDMs are located in the same region.
For example, the second information may be the domains allowed by the UDR (allowed NF domains). As another example, the second information may be a routing indicator list (RI list), which contains the routing indicators of the one or more UDMs allowed to access the UDR. As another example, the second information may be a routing indicator set, which includes the routing indicators of the one or more UDMs allowed to access the UDR. For example, each RI in the RI list can identify the UDMs of a particular region (one UDM or several UDMs). As another example, the second information may be a group identifier list (group ID list), or the second information may be a group identifier set, and so on. For example, each group identifier in the group identifier list can identify a particular UDM group (containing one UDM or several UDMs).
As an example, when the first information includes an NF domain, the second information may include allowed NF domains; when the first information includes an RI, the second information includes an RI list; when the first information includes a group identifier, the second information includes a group identifier list.
Optionally, when the second information includes any of a routing indicator list, a routing indicator set, a group identifier list or a group identifier set, the operator may also configure the second information for the UDR before 302 above, and so on; the embodiments of this application do not limit how the second information is configured for the UDR.
Besides the second information, the second registration request may also include the UDR's profile parameters, which may include the UDR's network function instance ID (NF instance ID), the UDR's network function type (NF type), the UDR's group identifier (group ID), the UDR's range(s) of subscription permanent identifiers (SUPIs), and other parameters. It can be understood that the embodiments of this application do not limit which specific parameters the UDR's profile parameters contain.
In the embodiments of this application, the second registration request is used to register the UDR's related information parameters (for example, the network function profile, NF profile) with the NRF, so that the NRF can perform service discovery and authorization.
303. The UDM sends a token request to the NRF, where the token request is used to request issuance of a token. Correspondingly, the NRF receives the token request.
In the embodiments of this application, the token request may include one or more of the UDM's profile parameters; for the parameter types included in the UDM's profile parameters, refer to the foregoing description, which is not repeated here.
Optionally, the token request may also include the first information; for the first information, refer to the foregoing description, which is not repeated here.
It can be understood that, in a specific implementation, 301 and 302 above need not be executed every time; that is, after the UDM has sent the first registration request to the NRF and the UDR has sent the second registration request to the NRF, within a certain validity period the authorization method provided in the embodiments of this application may include only 303 to 306.
304. The NRF determines, according to the token request, whether the UDM has permission to access the UDR; if so, it sends a token response to the UDM. Correspondingly, the UDM receives the token response.
Optionally, when the token request does not include the first information, the token request may also include indication information, which indicates to the NRF that it needs to determine whether the UDM has permission to access the UDR, or indicates to the NRF that it needs to determine whether the UDM is located in a region from which the UDR allows access, or indicates to the NRF that it should perform a region-related authorization operation. That is, before the NRF determines whether the UDM has permission to access the UDR, the NRF may also determine whether it needs to make that determination at all.
Optionally, when the token request includes the first information, the NRF may determine from the first information that it needs to determine whether the UDM has permission to access the UDR.
Optionally, when the token request does not include the first information, the NRF may determine whether the UDM has permission to access the UDR according to one or more of the UDM's profile parameters included in the token request. For example, the NRF may obtain the UDM's first information from the UDM's profile parameters in the token request. It can be understood that the UDM's profile parameters are associated with the UDM's domain, that is, the NRF can obtain the UDM's first information from the UDM's profile parameters. For example, the NRF may use one or more of the UDM's profile parameters, such as the UDM's instance identifier, to query the UDM-related parameters it stores and obtain the UDM's first information. Alternatively, the NRF may also obtain the UDM's profile parameters from the UDM's first information, and so on.
Optionally, when the token request includes the first information, the NRF may determine according to the first information whether the UDM has permission to access the UDR. It can be understood that, for the way in which the NRF determines whether the UDM has permission to access the UDR, refer to the descriptions of method 1, method 2 and method 3 below, which are not detailed here.
It can be understood that the token request may include identification information of the UDR, which can indicate the UDR that the UDM needs to access; that is, the NRF can learn from the UDR's identification information which UDR the UDM needs to access. For example, in FIG. 2, if UDM1 needs to access UDR1 in the same region, the token request may include the identification information of UDR1. As another example, if UDM1 needs to access UDR2, which is not in the same region, the token request may include the identification information of UDR2. It can be understood that the token request in each of method 1, method 2 and method 3 shown below may include the identification information of the UDR.
In the embodiments of this application, depending on the first information included in the token request, the NRF may determine whether the UDM has permission to access the UDR as follows:
Method 1:
If the token request includes the UDM's NF domain, the NRF may obtain the UDR's allowed NF domains according to the identification information of the UDR contained in the token request and determine whether the UDR's allowed NF domains include the UDM's NF domain. If the UDR's allowed NF domains include the UDM's NF domain, the NRF generates the token. If the UDR's allowed NF domains do not include that NF domain, the NRF does not generate a token and therefore does not return a token response to the UDM. Alternatively, the NRF may return a token response to the UDM that includes a failure cause value and/or exception information, and so on, where the failure cause value indicates why the UDM cannot access the UDR. Alternatively, the NRF may return a rejection message to the UDM.
Optionally, the token may include the UDM's NF domain; or the token includes the UDR's allowed NF domains; or the token includes both the UDM's NF domain and the UDR's allowed NF domains.
As an example, for the specific format of the token, refer to Table 1.
Table 1
(Table 1, the token format, is provided on the page only as the image PCTCN2020111408-appb-000001 and is not reproduced here.)
The UDM's NF domain and/or the UDR's allowed NF domains included in the token may be located in any of the claims shown above. For example, the NF domain and the allowed NF domains may be located in the same claim, or the NF domain and the allowed NF domains may be located in different claims, and so on.
Method 2:
If the token request includes the UDM's RI, the NRF may determine whether the UDM's RI is contained in the UDR's RI list; if it is contained in the UDR's RI list, the NRF generates the token. If the UDR's RI list does not include the UDM's RI, the NRF does not generate a token and therefore does not return a token response to the UDM. Alternatively, the NRF may return a token response to the UDM that includes a failure cause value and/or exception information, and so on. Alternatively, the NRF may return a rejection message to the UDM.
Optionally, the token may include the UDM's RI; or the token includes the UDR's RI list; or the token includes both the UDM's RI and the UDR's RI list.
For the specific position of the RI or the RI list, refer to the description of Table 1.
Method 3:
If the token request includes the UDM's group identifier, the NRF determines whether the UDM's group identifier is contained in the UDR's UDM group identifier list, where the UDR's UDM group identifier list contains the identifiers of one or more UDM groups and each UDM group identifier denotes a UDM group that is allowed to access the UDR; if it is contained in the UDR's UDM group identifier list, the NRF generates the token. If the UDR's UDM group identifier list does not include the UDM's group identifier, the NRF may not return a token response to the UDM. Alternatively, the NRF may return a token response to the UDM that includes a failure cause value and/or exception information, and so on. Alternatively, the NRF may return a rejection message to the UDM.
Optionally, the token may include the UDM's group identifier; or the token includes the UDR's UDM group identifier list; or the token includes both the UDM's group identifier and the UDR's UDM group identifier list.
For the specific positions of the group identifier and the group identifier list, refer to the description of Table 1.
It can be understood that the NRF may also integrity-protect the token; that is, the NRF may generate the token according to the identification information of the UDR included in the token request, and the NRF may integrity-protect the token using a key shared with the UDR indicated by the identification information of the UDR included in the token request, or using a private key, and so on.
305. The UDM sends a service request to the UDR, where the service request includes the token, the token is used to verify whether the UDM has permission to access the UDR, and the token includes the first information and/or the second information. Correspondingly, the UDR receives the service request.
306. The UDR determines, according to the token in the service request, whether the UDM has permission to access the UDR; if so, it sends a service response to the UDM. Correspondingly, the UDM receives the service response.
In the embodiments of this application, the UDR may determine whether the UDM has permission to access the UDR according to the first information and/or the second information included in the token. For example, the UDR may determine from the UDM's NF domain in the token whether that NF domain falls within the UDR's allowed NF domains; if it does, the UDM has permission to access the UDR. Alternatively, the UDR may determine from the UDR's allowed NF domains in the token whether they are the same as the UDR's own allowed NF domains; if they are the same, the UDM is determined to have permission to access the UDR. As another example, the UDR may determine from the UDM's RI in the token whether that RI belongs to the UDR's RI list; if it does, the UDM has permission to access the UDR. Alternatively, the UDR may determine whether the UDR's RI list in the token is the same as the UDR's own RI list; if so, the UDM is determined to have permission to access the UDR. As another example, the UDR may determine from the UDM's group identifier in the token whether that group identifier belongs to the UDR's UDM group identifier list; or the UDR may compare the UDR's UDM group identifier list included in the token with the UDR's own UDM group identifier list to determine whether the UDM has permission to access the UDR. If the UDR determines that the UDM has permission to access the UDR, it returns a service response to the UDM.
It can be understood that, after receiving the service request including the token, the UDR may also perform an integrity check on the token and, if the check passes, return a service response to the UDM. For example, the UDR may verify the integrity of the token using the key shared with the NRF or using the NRF's public key; after the check passes, the UDR responds to the UDM with the service requested by the service request. It can be understood that the UDR may first perform the integrity check on the token and then check whether the UDM has permission to access the UDR; or the UDR may first check whether the UDM has permission to access the UDR and then perform the integrity check on the token, and so on, which is not limited in the embodiments of this application.
It can be understood that, in a specific implementation, 303 and 304 above need not be executed every time; that is, after the UDM has requested the token from the NRF, within the validity period of the token the authorization method provided in the embodiments of this application may include only 305 and 306.
In the embodiments of this application, for example, the service request may be used to request a query of user subscription data, so that the UDR returns the user subscription data; as another example, the service request may be used to request an update of policy data, so that after updating the policy data the UDR returns the update status (update succeeded or failed) to the UDM, and so on; the embodiments of this application do not limit the content requested by the service request.
It can be understood that the method shown in FIG. 3 is equally applicable to the network architecture shown in FIG. 1; for example, the UDM may be replaced by a CSCF (for example, the P-CSCF, S-CSCF or I-CSCF in FIG. 1) or an AS, and the UDR may be replaced by an HSS. For example, the first information identifies the CSCF, and the second information identifies the CSCFs allowed by the HSS. As another example, the first information may include the CSCF's domain and the second information may include the domains allowed by the HSS. As another example, the first information may include the CSCF's routing indicator and the second information may include the HSS's routing indicator list, and so on. For the specific implementation, refer to the method shown in FIG. 3, which is not detailed again here.
In the embodiments of this application, the first information identifies the first network device (such as a UDM), and the second information identifies the network devices that the second network device (such as a UDR) allows to access it. By including the first information and/or the second information in the token, the second network device can verify, according to the first information and/or the second information, whether the first network device is located in a region from which access to the second network device is allowed, thereby preventing an unauthorized first network device from accessing the second network device and improving the security of information exchange between the first network device and the second network device. Further, by authorizing a first network device in a region to access a second network device in the same region, the latency of the first network device's access to the second network device can also be reduced and efficiency improved.
Refer to FIG. 4, a schematic flowchart of an authorization method provided by an embodiment of this application, which may be applied to the network architecture shown in FIG. 2. As shown in FIG. 4, the method includes:
401. The UDM sends a first registration request to the NRF, the first registration request including the UDM's profile parameters. Correspondingly, the NRF receives the first registration request.
The UDM's profile parameters include the UDM's subscriber identifier range, which represents the range of SUPIs managed or served by the UDM, where a SUPI is the subscriber's subscription permanent identifier.
Optionally, the NRF may also store the UDM's subscriber identifier range.
402. The UDR sends a second registration request to the NRF, the second registration request including the UDR's profile parameters. Correspondingly, the NRF receives the second registration request.
The UDR's profile parameters include the UDR's subscriber identifier range, which represents the range of SUPIs managed or served by the UDR.
403. The UDM sends a token request to the NRF, the token request requesting that a token be issued. Correspondingly, the NRF receives the token request.
Optionally, the token request may include one or more of the UDM's profile parameters; for the parameter types included in the UDM's profile parameters, refer to the foregoing description, not repeated here.
Optionally, the token request may include the UDM's subscriber identifier range (range(s) of SUPIs).
It can be understood that when the token request includes one or more of the UDM's profile parameters, the token request may omit the UDM's subscriber identifier range, in which case the NRF may look up the UDM's profile parameters based on the information in the token request (such as the UDM's NF instance ID) to obtain the UDM's subscriber identifier range. And when the token request includes the UDM's subscriber identifier range, whether the token request also includes one or more of the UDM's profile parameters is not limited.
It can be understood that in a specific implementation, steps 401 and 402 above are not necessarily performed every time; that is, after the UDM has sent the first registration request and the UDR has sent the second registration request to the NRF, within a certain validity period, the authorization method provided by the embodiments of this application may include only 403 to 406.
404. The NRF determines, based on the token request, whether the UDM has permission to access the UDR; if so, it sends a token response to the UDM. Correspondingly, the UDM receives the token response.
Optionally, when the token request includes one or more of the UDM's profile parameters but not the UDM's subscriber identifier range, the token request may further include indication information, which instructs the NRF that it needs to determine whether the UDM has permission to access the UDR, or instructs the NRF that it needs to determine whether the UDM is located in an area that the UDR allows to access it, or indicates to the NRF that the current authorization is area-related. In other words, before the NRF determines whether the UDM has permission to access the UDR, the NRF further needs to decide whether such a determination is required.
Optionally, when the token request includes the UDM's subscriber identifier range, the NRF may decide from the UDM's subscriber identifier range in the token request that it needs to determine whether the UDM has permission to access the UDR.
It can be understood that the token request may include identification information of the UDR, which indicates the UDR that the UDM needs to access; that is, the NRF can learn from the UDR's identification information which UDR the UDM needs to access. For example, as in FIG. 2, if UDM1 needs to access UDR1 in the same area, the token request may include the identification information of UDR1. As another example, if UDM1 needs to access UDR2, which does not belong to the same area, the token request may include the identification information of UDR2.
The NRF may obtain the UDR's subscriber identifier range based on the UDR identification information contained in the request, and determine whether the UDM's subscriber identifier range falls within the UDR's subscriber identifier range. If so, it generates a token that includes the UDM's subscriber identifier range; or the token includes the UDR's subscriber identifier range; or the token includes both the UDM's subscriber identifier range and the UDR's subscriber identifier range. If the UDM's subscriber identifier range does not fall within the UDR's subscriber identifier range, the NRF does not generate a token and therefore does not return a token response to the UDM. Alternatively, the NRF may return a token response to the UDM that includes a failure cause value and/or exception information, and so on, the failure cause value indicating the reason why the UDM cannot access the UDR. Alternatively, the NRF may return a rejection message to the UDM.
For the specific position in the token of the UDM's subscriber identifier range and/or the UDR's subscriber identifier range, refer to the description of Table 1.
It can be understood that the NRF may also integrity-protect the token. That is, the NRF may generate the token based on the UDR identification information included in the token request: the NRF may integrity-protect the token using a key shared with the UDR indicated by the UDR identification information in the token request, or using a private key, and so on.
405. The UDM sends a service request to the UDR. The service request includes the token, the token is used to verify whether the UDM has permission to access the UDR, and the token includes the UDM's subscriber identifier range and/or the UDR's subscriber identifier range. Correspondingly, the UDR receives the service request.
406. The UDR determines, based on the token in the service request, whether the UDM has permission to access the UDR; if so, it sends a service response to the UDM. Correspondingly, the UDM receives the service response.
The UDR may check whether the UDM's subscriber identifier range in the token falls within the UDR's own subscriber identifier range; if it does, the UDM has permission to access the UDR. Alternatively, the UDR may check whether the UDR's subscriber identifier range included in the token is the same as its own subscriber identifier range; if it is, the UDR determines that the UDM has permission to access the UDR. If the UDR determines that the UDM has permission to access the UDR, it returns a service response to the UDM.
Optionally, the UDR may also verify the integrity of the token.
It can be understood that the UDR may first verify the token's integrity and then check whether the UDM has permission to access the UDR; or the UDR may first check whether the UDM has permission to access the UDR and then verify the token's integrity, and so on. The embodiments of this application do not limit this.
It can be understood that in a specific implementation, steps 403 and 404 above are not necessarily performed every time; that is, after the UDM has requested a token from the NRF, within the validity period of that token, the authorization method provided by the embodiments of this application may include only 405 and 406.
It can be understood that the method shown in FIG. 4 also applies to the network architecture shown in FIG. 1. For example, the UDM may be replaced by a CSCF or an AS, and the UDR may be replaced by an HSS. For example, the subscriber identifier range may be replaced by range(s) of IMPI (IP multimedia private identity) / IMPU (IMS public user identity), and so on. For specific implementations, refer to the methods shown in FIG. 3 and FIG. 4; they are not detailed one by one here.
Implementing the embodiments of this application can prevent an unauthorized first network device from accessing a second network device and improve the security of the information exchange between the first network device and the second network device. Further, by authorizing a first network device in an area to access a second network device in the same area, the latency of the first network device's access to the second network device can also be reduced and efficiency improved.
It can be understood that the methods shown in FIG. 3 and FIG. 4 each have their own emphasis; implementations not described in full in one embodiment may refer to the other embodiment.
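The following is an added example, not code from the patent or from its applicant, that puts the area-related authorization of FIG. 3 (Manner 1 to Manner 3: NF domain, routing indicator, group identifier) and FIG. 4 (SUPI range containment) side by side in one NRF-side function, issues an integrity-protected token, and then performs the UDR-side checks of steps 306/406. It generalizes the text slightly by handling all four kinds of first information through one dispatch table. Everything below is constructed: the NF profiles, the field names (nfDomain, riList, udmGroupIdList, supiRange and the token claim names), and the choice of an HMAC-SHA256 MAC over a JSON claim set as the "shared key" integrity protection; the patent leaves the token format to Table 1 and also allows a private-key signature instead. The UDR here checks both the first information against its own lists and the second information against its own profile, which is stricter than the "either" the text describes.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed sample NF profiles (not from the patent); field names are assumptions.
UDM_PROFILES = {
    "udm1": {"nfDomain": "region-a", "routingIndicator": "0012", "groupId": "udm-grp-a",
             "supiRange": [460000000000001, 460000000000999]},
    "udm2": {"nfDomain": "region-b", "routingIndicator": "0034", "groupId": "udm-grp-b",
             "supiRange": [460000000002001, 460000000002999]},
}
UDR_PROFILES = {
    "udr1": {"allowedNfDomain": ["region-a"], "riList": ["0012", "0013"],
             "udmGroupIdList": ["udm-grp-a"],
             "supiRange": [460000000000000, 460000000001999]},
}
# Key shared between the NRF and each UDR (assumed HMAC integrity protection).
SHARED_KEYS = {"udr1": b"constructed-demo-key-udr1"}
TOKEN_LIFETIME_S = 3600

# Which UDR-side second information each kind of first information is checked against.
SECOND_INFO_FOR = {"nfDomain": "allowedNfDomain", "routingIndicator": "riList",
                   "groupId": "udmGroupIdList", "supiRange": "supiRange"}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _allowed(kind: str, first_info, second_info) -> bool:
    """Manner 1-3: membership in the UDR's list; FIG. 4: SUPI range containment."""
    if kind == "supiRange":
        return second_info[0] <= first_info[0] and first_info[1] <= second_info[1]
    return first_info in second_info


def sign_token(claims: dict, key: bytes) -> str:
    """Serialize the claims and append an HMAC-SHA256 tag computed with the shared key."""
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    mac = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return body + "." + _b64(mac)


def verify_token(token: str, key: bytes) -> Optional[dict]:
    """Integrity check: return the claims only if the tag matches, else None."""
    try:
        body, mac_b64 = token.split(".")
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_b64(expected), mac_b64):
            return None
        return json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    except (ValueError, json.JSONDecodeError):
        return None


def nrf_authorize(token_request: dict) -> Tuple[Optional[str], Optional[str]]:
    """Step 304/404 at the NRF: returns (token, None) or (None, failure cause)."""
    udm = UDM_PROFILES[token_request["nfInstanceId"]]
    udr_id = token_request["targetNfInstanceId"]          # UDR identification information
    udr = UDR_PROFILES[udr_id]
    # Without first information in the request, derive it from the registered profile
    # (the patent's example: look up by NF instance ID and use the UDM's domain).
    kind = token_request.get("firstInfoKind", "nfDomain")
    first_info = token_request.get("firstInfo", udm[kind])
    second_info = udr[SECOND_INFO_FOR[kind]]
    if not _allowed(kind, first_info, second_info):
        return None, "UDM %s not within area allowed by %s" % (kind, udr_id)
    claims = {"sub": token_request["nfInstanceId"], "aud": udr_id,
              "exp": int(time.time()) + TOKEN_LIFETIME_S,
              "firstInfoKind": kind, "firstInfo": first_info, "secondInfo": second_info}
    return sign_token(claims, SHARED_KEYS[udr_id]), None


def udr_check_service_request(udr_id: str, token: str) -> Tuple[bool, str]:
    """Step 306/406 at the UDR: integrity, audience and expiry, then the area check."""
    claims = verify_token(token, SHARED_KEYS[udr_id])
    if claims is None:
        return False, "integrity check failed"
    if claims.get("aud") != udr_id:
        return False, "token issued for another UDR"
    if claims.get("exp", 0) < time.time():
        return False, "token expired"
    own = UDR_PROFILES[udr_id]
    kind = claims["firstInfoKind"]
    if claims["secondInfo"] != own[SECOND_INFO_FOR[kind]]:
        return False, "second information does not match own profile"
    if not _allowed(kind, claims["firstInfo"], own[SECOND_INFO_FOR[kind]]):
        return False, "first information outside allowed area"
    return True, "authorized"
```

Checking integrity before reading any claim is deliberate: a forged or modified token is rejected without its contents ever influencing the decision, and the audience check stops a token minted for one UDR from being replayed against another.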
Refer to FIG. 7, a schematic flowchart of yet another authorization method provided by an embodiment of this application, which may be applied to the network architecture shown in FIG. 2. As shown in FIG. 7, the method includes:
701. A service requester (for example, a UDM, PCF or NEF) sends a first registration request to the NRF; correspondingly, the NRF receives the first registration request.
In the embodiments of this application, the first registration request may include the service requester's profile (NF profile) parameters, which may include the service requester's network function instance ID (NF instance ID), network function type (NF type), group ID, range(s) of SUPIs (subscriber permanent identifiers), and so on. It can be understood that the embodiments of this application do not limit which parameters the service requester's profile parameters specifically include.
In the embodiments of this application, the first registration request is used to register the service requester's related information parameters (for example, its network function profile, NF profile) with the NRF, so that the NRF can perform service discovery and authorization.
702. A service provider (for example, a UDR) sends a second registration request to the NRF. Correspondingly, the NRF receives the second registration request.
In the embodiments of this application, the second registration request may include the service provider's profile parameters; these second NF profile parameters may include the service provider's network function instance ID (NF instance ID), network function type (NF type), group ID, range(s) of SUPIs (subscriber permanent identifiers), and so on. It can be understood that the embodiments of this application do not limit which parameters the service provider's profile parameters specifically include.
Optionally, the second registration request may include a correspondence between the NF type of the service requesters that may access the service provider and the data types that such a service requester may access. Specifically, the correspondence between a service requester's NF type and the data types it may access may be a matching list of service provider NF type and data type identifier, or a mapping list of service provider NF type and data type identifier. Here, the data type identifier identifies the type of data stored in the service provider; specifically, the data type identifier may include a data set identifier (Data Set Identifier), and/or a data subset identifier (Data Subset Identifier), and/or a data key (Data Key), and/or a data sub key (Data Sub Key), etc. The data set identifier identifies the data set that the service requester needs to request; a data set may represent a data type, for example Subscription Data, Application Data, Policy Data or Exposure Data. The data subset identifier identifies the data subset that the service requester needs to request; a data subset is the next level below a data set and may represent a more specific data type, for example Access and Mobility Subscription Data, Packet Flow Descriptions, UE context policy control data, or Access and Mobility Information.
In the embodiments of this application, the second registration request is used to register the service provider's related information parameters (for example, its network function profile, NF profile) with the NRF, so that the NRF can perform service discovery and authorization.
703. The service requester sends a token request to the NRF, the token request requesting that a token be issued. Correspondingly, the NRF receives the token request.
In the embodiments of this application, the token request may include one or more of the service requester's profile parameters; for the parameter types included in the service requester's profile parameters, refer to the foregoing description, not repeated here.
Optionally, the token request may further include the data type identifier(s) of the data stored in the service provider that the service requester wants to access (for example, Data Set Identifier, and/or Data Subset Identifier, and/or Data Key, and/or Data Sub Key, etc.).
It can be understood that in a specific implementation, steps 701 and 702 above are not necessarily performed every time; that is, after the service requester has sent the first registration request and the service provider has sent the second registration request to the NRF, within a certain validity period, the authorization method provided by the embodiments of this application may include only 703 to 706.
704. The NRF determines, based on the token request, whether the service requester is authorized to access the service provider's service; for example, the NRF determines from the token request whether the service requester has permission to access the service provided by the service provider. If it determines that the service requester is authorized to access the service provider's service, it sends a token response to the service requester, the token response containing the token. Correspondingly, the service requester receives the token response.
Specifically, the NRF may determine whether the service requester is authorized to access the service provided by the service provider based on one or more of the service requester's profile parameters included in the token request, combined with local configuration or local policy information.
Optionally, if the NRF determines that the service requester is authorized to access the service provided by the service provider, the NRF may further determine whether the service requester is authorized to access data of the given data type, based on the service requester's network function type in the token request (NF type of the NF producer), and/or the data type identifier(s) in the service request (for example, Data Set Identifier, and/or Data Subset Identifier, and/or Data Key, and/or Data Sub Key, etc.), and/or the correspondence between the service requester's NF type and the data types it may access, and/or local configuration or local policy information; for example, the NRF determines whether the service requester has permission to access data of that data type. If it is determined that the service requester is authorized to access data of that data type, the service provider sends a service response to the service requester, the service response containing data of that type.
It can be understood that the token request may include identification information of the service provider, which indicates the service provider that the service requester needs to access; that is, the NRF can learn from the service provider's identification information which service provider the service requester needs to access.
It can be understood that the NRF may also integrity-protect the token. That is, the NRF may generate the token based on the service provider identification information included in the token request: the NRF may integrity-protect the token using a key shared with the service provider indicated by the service provider identification information in the token request, or using a private key, and so on.
705. The service requester sends a service request to the service provider.
Optionally, the service request includes the token. The service provider uses the token to verify whether the service requester has permission to access the service provider.
Optionally, the service request may further include data type identifier(s) (for example, Data Set Identifier, and/or Data Subset Identifier, and/or Data Key, and/or Data Sub Key, etc.). Correspondingly, the service provider receives the service request.
706. The service provider determines, based on the token in the service request, whether the service requester is authorized to access the service provider. If it determines that the service requester is authorized to access the service provider, the service provider further determines, based on the service requester's network function type (NF type) in the token and the data type identifier in the service request, whether the service requester is authorized to access data of that type. If it determines that the service requester is authorized to access data of that type, the service provider sends a service response to the service requester, the service response containing data of that type. Correspondingly, the service requester receives the service response.
In the embodiments of this application, the service provider may determine whether the service requester is authorized to access data of a given type based on the service requester's network function type included in the token and the data type identifier in the service request. For example, the service provider is a UDR; the service provider may determine from the service requester's network function type in the token that the service requester is a UDM. Optionally, the service provider may determine from the data set identifier in the service request that the data type the service requester wants to access is subscription data, and/or further determine from the data subset identifier in the service request that the data subtype it wants to access is access and mobility subscription data. The service provider then determines, based on local configuration or local policy, that this type of service requester (i.e. a UDM) may request this type of data (i.e. subscription data, and/or access and mobility subscription data); that is, a UDM may request subscription data, and/or access and mobility subscription data, in the UDR. As another example, the service provider is a UDR, the service requester's network function type is PCF/NEF, and the data set identifier indicates that the data type is subscription data; the service provider then determines, based on local configuration or local policy, that this type of service requester (i.e. PCF/NEF) may not request this type of data (i.e. subscription data), that is, a PCF/NEF may not request subscription data in the UDR. As another example, the service provider is a UDR and the data set identifier indicates that the data type is policy data; if the service requester's network function type is PCF, the service provider determines that this type of service requester (i.e. PCF) may request this type of data (i.e. subscription data); if the service requester's network function type is UDM/NEF, the service provider determines that this type of service requester (i.e. UDM/NEF) may not request this type of data (i.e. subscription data); that is, only a PCF may request policy data in the UDR, and a UDM/NEF may not request policy data in the UDR. If the service provider determines that the service requester has permission to request access to data of that type, the service provider returns a service response to the service requester, the service response containing data of that type.
It can be understood that the service provider may determine, based on the service provider's NF type and the data type identifier in the service request, combined with local configuration or local policy, whether this type of service requester is authorized to request/access this type of data. Optionally, the service provider may also determine, based on the service provider's NF type and the data type identifier in the service request, combined with the correspondence between the service requester's NF type and the data types it may access, whether this type of service requester is authorized to request/access this type of data.
Optionally, the service provider may also check whether the data type identifier contained in the token is consistent with the data type identifier in the service request; if they are consistent, it determines that the service provider is authorized to access this type of data.
Optionally, the service provider may also check whether the data type identifier contained in the token is consistent with the locally stored data type identifier; if they are consistent, it determines that the service provider is authorized to access this type of data.
Optionally, the service provider may also determine, based on the service provider's NF type and the data type identifier in the token, combined with the correspondence between the service requester's NF type and the data types it may access, and/or combined with local configuration or local policy, whether this type of service requester is authorized to request/access this type of data.
It can be understood that after receiving the service request including the token, the service provider may also verify the integrity of the token, and return a service response to the service requester if the verification succeeds. For example, the service provider may verify the token's integrity using a key shared with the NRF, or using the NRF's public key; after the verification succeeds, the service provider responds to the service requester with the service requested by the service request. It can be understood that the service provider may first verify the token's integrity and then check whether the service requester is authorized to access the service provider; or the service provider may first check whether the service requester has permission to access the service provider and then verify the token's integrity, and so on. The embodiments of this application do not limit this.
It can be understood that in a specific implementation, steps 703 and 704 above are not necessarily performed every time; that is, after the service requester has requested a token from the NRF, within the validity period of that token, the authorization method provided by the embodiments of this application may include only 705 and 706.
In the embodiments of this application, for example, the service request may request a query of subscriber subscription data, so that the service provider returns the subscription data; as another example, the service request may request an update of policy data, so that after updating the policy data the service provider returns the update result (success or failure) to the service requester, and so on. The embodiments of this application do not limit what the service request requests.
In the embodiments of this application, after it is confirmed that the service requester has permission to access the service provider, it may further be determined, based on the service requester's network function type (NF type) and the data type identifier, whether the service requester is authorized to access data of that type. Authorization can thus be completed at data-type granularity, preventing NFs of unauthorized types from accessing sensitive data stored in the service provider, and further improving security.
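The data-type-granularity step of 706 as an added example, not code from the patent or its applicant: a service provider (a UDR in the text's examples) that has already accepted a token at NF level decides, from the NF type carried in the token and the data set / data subset identifiers carried in the service request, whether this type of requester may touch this type of data. The policy table is a constructed stand-in for the "local configuration or local policy" the text leaves open; it encodes only the three examples the text gives (UDM may read subscription data including the access-and-mobility subset, PCF/NEF may not; only PCF may read policy data) plus one extra entry marked as constructed, and it denies anything it does not list. The claim and field names (nfType, dataSetId, dataSubsetId) are assumptions. The optional token-to-request consistency check on the data set identifier is the one the text mentions.

```python
from typing import Dict, FrozenSet, Optional, Tuple

# Constructed local policy at the service provider (not from the patent). Key: data set
# identifier, optionally "/" + data subset identifier. Value: NF types allowed to request it.
DATA_TYPE_POLICY: Dict[str, FrozenSet[str]] = {
    "SUBSCRIPTION_DATA": frozenset({"UDM"}),
    "SUBSCRIPTION_DATA/ACCESS_AND_MOBILITY_SUBSCRIPTION_DATA": frozenset({"UDM"}),
    "POLICY_DATA": frozenset({"PCF"}),
    "POLICY_DATA/UE_CONTEXT_POLICY_CONTROL_DATA": frozenset({"PCF"}),
    # Constructed entry, not an example from the text.
    "APPLICATION_DATA/PACKET_FLOW_DESCRIPTIONS": frozenset({"PCF", "NEF"}),
}


def _policy_key(data_set: str, data_subset: Optional[str]) -> str:
    return data_set if data_subset is None else data_set + "/" + data_subset


def allowed_nf_types(data_set: str, data_subset: Optional[str] = None) -> FrozenSet[str]:
    """Most specific entry wins; a data type absent from the policy is denied to everyone."""
    if data_subset is not None:
        key = _policy_key(data_set, data_subset)
        if key in DATA_TYPE_POLICY:
            return DATA_TYPE_POLICY[key]
    return DATA_TYPE_POLICY.get(data_set, frozenset())


def provider_authorize_data(token_claims: dict, service_request: dict) -> Tuple[bool, str]:
    """Step 706, after the token's integrity and NF-level authorization have passed.

    token_claims: claims of the already-verified token (assumed to carry "nfType" and,
    optionally, the "dataSetId" the token was issued for).
    service_request: the service request's data type identifiers.
    """
    nf_type = token_claims.get("nfType")
    if not nf_type:
        return False, "token carries no NF type"
    data_set = service_request.get("dataSetId")
    data_subset = service_request.get("dataSubsetId")
    if not data_set:
        return False, "service request carries no data set identifier"
    # Optional consistency check: a token bound to a data type must match the request.
    bound = token_claims.get("dataSetId")
    if bound is not None and bound != data_set:
        return False, "data set in token (%s) differs from request (%s)" % (bound, data_set)
    requested = _policy_key(data_set, data_subset)
    if nf_type not in allowed_nf_types(data_set, data_subset):
        return False, "%s may not access %s" % (nf_type, requested)
    return True, "%s may access %s" % (nf_type, requested)
```

The NF type is taken from the token rather than from the service request body, because only the token is integrity-protected by the NRF; a requester that could name its own NF type in the request would otherwise pick the one the policy favours.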
The apparatuses involved in the embodiments of this application are described in detail below.
Refer to FIG. 5, a schematic structural diagram of a communication apparatus provided by an embodiment of this application, which may be used to perform the functions implemented by the first network device in FIG. 3, FIG. 4 and FIG. 7. As shown in FIG. 5, the communication apparatus includes:
a sending unit 501, configured to send a service request to a second network device, the service request including a token, the token being used to verify whether the communication apparatus has permission to access the second network device, the token including first information and/or second information, the first information identifying the communication apparatus and the second information identifying the network devices that the second network device allows to access it;
a receiving unit 502, configured to receive, when the second network device's verification of the token succeeds, a service response sent by the second network device, the service response responding to the service request.
In a possible implementation, the first information includes the domain of the communication apparatus and the second information includes the domain allowed by the second network device;
or the first information includes the routing indicator of the communication apparatus and the second information includes a routing indicator list;
or the first information includes the group identifier of the communication apparatus and the second information includes a group identifier list.
In a possible implementation, the sending unit 501 is further configured to send a token request to a third network device, the token request requesting that the token be issued;
the receiving unit 502 is further configured to receive a token response, including the token, sent by the third network device.
In a possible implementation, the token request includes the first information.
In a possible implementation, the sending unit 501 is further configured to send a first registration request to the third network device, the first registration request including the first information.
It should be understood that when the communication apparatus is the first network device, or a component of the first network device that implements the above functions, the communication apparatus may further include a processing unit 503. The processing unit 503 may be one or more processors, the sending unit 501 may be a transmitter, the receiving unit 502 may be a receiver, or the sending unit 501 and the receiving unit 502 may be integrated in one device, for example a transceiver.
When the communication apparatus is a chip, the processing unit 503 may be one or more processors, the sending unit 501 may be an output interface, the receiving unit 502 may be an input interface, or the sending unit 501 and the receiving unit 502 may be integrated in one unit, for example an input/output interface, also called a communication interface, an interface circuit, an interface, and so on.
It can be understood that for the implementation of the units shown in FIG. 5, reference may be made to the corresponding descriptions in the foregoing embodiments.
Refer to FIG. 5, a schematic structural diagram of a communication apparatus provided by an embodiment of this application, which may be used to perform the functions implemented by the second network device in FIG. 3, FIG. 4 and FIG. 7. As shown in FIG. 5, the communication apparatus includes:
a receiving unit 502, configured to receive a service request from a first network device, the service request including a token, the token being used to verify whether the first network device has permission to access the communication apparatus, the token including first information and/or second information, the first information identifying the first network device and the second information identifying the network devices that the communication apparatus allows to access it;
a processing unit 503, configured to determine, based on the token, whether the first network device has permission to access the communication apparatus;
a sending unit 501, configured to send a service response to the first network device if the first network device has permission to access the communication apparatus, the service response responding to the service request.
In a possible implementation, the sending unit 501 is further configured to send a second registration request to a third network device, the second registration request including the second information.
In a possible implementation, the first information includes the domain of the first network device and the second information includes the domain allowed by the communication apparatus;
or the first information includes the routing indicator of the first network device and the second information includes a routing indicator list;
or the first information includes the group identifier of the first network device and the second information includes a group identifier list.
It should be understood that when the communication apparatus is the second network device, or a component of the second network device that implements the above functions, the communication apparatus may further include a processing unit 503. The processing unit 503 may be one or more processors, the sending unit 501 may be a transmitter, the receiving unit 502 may be a receiver, or the sending unit 501 and the receiving unit 502 may be integrated in one device, for example a transceiver.
When the communication apparatus is a chip, the processing unit 503 may be one or more processors, the sending unit 501 may be an output interface, the receiving unit 502 may be an input interface, or the sending unit 501 and the receiving unit 502 may be integrated in one unit, for example an input/output interface, also called a communication interface, an interface circuit, an interface, and so on.
Refer to FIG. 5, a schematic structural diagram of a communication apparatus provided by an embodiment of this application, which may be used to perform the functions implemented by the third network device (such as the NRF) in FIG. 3, FIG. 4 and FIG. 7. As shown in FIG. 5, the communication apparatus includes:
a receiving unit 502, configured to receive a token request sent by a first network device, the token request requesting that a token be issued;
a processing unit 503, configured to determine, based on the token request, whether the first network device has permission to access a second network device;
a sending unit 501, configured to send a token response including the token to the first network device if the first network device has permission to access the second network device, the token including first information and/or second information, the first information identifying the first network device and the second information identifying the network devices that the second network device allows to access it.
In a possible implementation, the receiving unit 502 is further configured to receive a first registration request from the first network device, the first registration request including the first information;
the receiving unit 502 is further configured to receive a second registration request from the second network device, the second registration request including the second information.
In a possible implementation, the first information includes the domain of the first network device and the second information includes the domain allowed by the second network device;
or the first information includes the routing indicator of the first network device and the second information includes a routing indicator list;
or the first information includes the group identifier of the first network device and the second information includes a group identifier list.
It should be understood that when the communication apparatus is the third network device, or a component of the third network device that implements the above functions, the communication apparatus may further include a processing unit 503. The processing unit 503 may be one or more processors, the sending unit 501 may be a transmitter, the receiving unit 502 may be a receiver, or the sending unit 501 and the receiving unit 502 may be integrated in one device, for example a transceiver.
When the communication apparatus is a chip, the processing unit 503 may be one or more processors, the sending unit 501 may be an output interface, the receiving unit 502 may be an input interface, or the sending unit 501 and the receiving unit 502 may be integrated in one unit, for example an input/output interface, also called a communication interface, an interface circuit, an interface, and so on.
Refer to FIG. 6, a schematic structural diagram of a communication apparatus provided by an embodiment of this application, used to implement the functions of any of the first network device, the second network device and the third network device in the methods above. When implementing the functions of the first network device, the apparatus may be the first network device, an apparatus within the first network device, or an apparatus that can be used together with the first network device. When implementing the functions of the second network device, the apparatus may be the second network device, an apparatus within the second network device, or an apparatus that can be used together with the second network device. When implementing the functions of the third network device, the apparatus may be the third network device, an apparatus within the third network device, or an apparatus that can be used together with the third network device. As an example, the communication apparatus may also be a chip system; in the embodiments of this application, a chip system may consist of chips, or may contain chips and other discrete components. The communication apparatus includes at least one processor 620, configured to implement the functions of any of the first network device, the second network device and the third network device in the methods provided by the embodiments of this application. The communication apparatus may further include a communication interface 610. In the embodiments of this application, the communication interface may be a transceiver, a circuit, a bus, a module or another type of communication interface, used to communicate with other devices over a transmission medium. For example, the communication interface 610 is used so that the apparatus within the communication apparatus can communicate with other devices. The processor 620 sends and receives data through the communication interface 610 and is configured to implement the methods described in the method embodiments above.
The communication apparatus may further include at least one memory 630 for storing program instructions and/or data. The memory 630 is coupled to the processor 620. Coupling in the embodiments of this application is an indirect coupling or communication connection between apparatuses, units or modules, which may be electrical, mechanical or of another form, and is used for information exchange between the apparatuses, units or modules. The processor 620 may operate in cooperation with the memory 630 and may execute the program instructions stored in the memory 630. At least one of the at least one memory may be included in the processor.
The embodiments of this application do not limit the specific connection medium among the communication interface 610, the processor 620 and the memory 630. In FIG. 6 of the embodiments of this application, the memory 630, the processor 620 and the communication interface 610 are connected through a bus 640, the bus being shown as a thick line in FIG. 6; the connection manner between the other components is only illustrative and is not limiting. The bus may be divided into an address bus, a data bus, a control bus, and so on. For ease of representation only one thick line is used in FIG. 6, but this does not mean that there is only one bus or only one type of bus.
When the communication apparatus is specifically a chip or a chip system, what the communication interface 610 outputs or receives may be baseband signals. When the communication apparatus is specifically a device, what the communication interface 610 outputs or receives may be radio-frequency signals. In the embodiments of this application, the processor may be a general-purpose processor, a digital signal processor, an application-specific integrated circuit, a field-programmable gate array or another programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component, and may implement or execute the methods, steps and logic block diagrams disclosed in the embodiments of this application. The general-purpose processor may be a microprocessor or any conventional processor. The steps of the methods disclosed in the embodiments of this application may be embodied directly as being performed by a hardware processor, or as being performed by a combination of hardware and software modules in the processor.
According to the methods provided by the embodiments of this application, this application further provides a computer program product. The computer program product includes computer program code which, when run on a computer, causes the computer to perform the method of the embodiment shown in FIG. 3, FIG. 4 or FIG. 7.
According to the methods provided by the embodiments of this application, this application further provides a computer-readable medium. The computer-readable medium stores program code which, when run on a computer, causes the computer to perform the method of the embodiment shown in FIG. 3, FIG. 4 or FIG. 7.
According to the methods provided by the embodiments of this application, this application further provides a system, which includes the foregoing first network device, second network device and third network device.
The above embodiments may be implemented wholly or partly by software, hardware, firmware or any combination thereof. When implemented by software, they may be implemented wholly or partly in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer instructions are loaded and executed on a computer, the procedures or functions according to the embodiments of this application are produced wholly or partly. The computer may be a general-purpose computer, a special-purpose computer, a computer network, or another programmable apparatus. The computer instructions may be stored in a computer-readable storage medium, or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from one website, computer, server or data center to another website, computer, server or data center by wired means (for example coaxial cable, optical fiber, or digital subscriber line (DSL)) or wireless means (for example infrared, radio, or microwave). The computer-readable storage medium may be any available medium accessible to a computer, or a data storage device such as a server or data center that integrates one or more available media. The available medium may be a magnetic medium (for example a floppy disk, hard disk, or magnetic tape), an optical medium (for example a digital video disc (DVD)), or a semiconductor medium (for example a solid state disc (SSD)), and so on.
The terms "component", "module", "system" and the like used in this specification denote computer-related entities, hardware, firmware, combinations of hardware and software, software, or software in execution. For example, a component may be, but is not limited to, a process running on a processor, a processor, an object, an executable file, a thread of execution, a program and/or a computer. By way of illustration, both an application running on a computing device and the computing device may be components. One or more components may reside within a process and/or thread of execution, and a component may be located on one computer and/or distributed between two or more computers. Furthermore, these components may execute from various computer-readable media having various data structures stored thereon. The components may communicate by way of local and/or remote processes, for example according to a signal having one or more data packets (for example data from two components interacting with another component in a local system, a distributed system, and/or across a network such as the Internet interacting with other systems by way of the signal).
Those of ordinary skill in the art will appreciate that the illustrative logical blocks and steps described in connection with the embodiments disclosed herein can be implemented in electronic hardware, or in a combination of computer software and electronic hardware. Whether these functions are performed in hardware or software depends on the particular application and design constraints of the technical solution. Skilled persons may use different methods to implement the described functions for each particular application, but such implementation should not be considered beyond the scope of this application.
Those skilled in the art can clearly understand that, for convenience and brevity of description, the specific working processes of the systems, apparatuses and units described above may refer to the corresponding processes in the foregoing method embodiments and are not repeated here.
The above are only specific embodiments of this application, but the protection scope of this application is not limited thereto. Any variation or replacement that a person skilled in the art can readily conceive within the technical scope disclosed in this application shall fall within the protection scope of this application. Therefore, the protection scope of this application shall be subject to the protection scope of the claims.

Claims (27)

  1. An authorization method, characterized in that the method comprises:
    a first network device sending a service request to a second network device, the service request including a token, the token being used to verify whether the first network device has permission to access the second network device, the token including first information and/or second information, the first information identifying the first network device and the second information identifying the network devices that the second network device allows to access it;
    the first network device receiving a service response sent by the second network device.
  2. The method according to claim 1, characterized in that the first information includes the domain of the first network device and the second information includes the domain allowed by the second network device;
    or the first information includes the routing indicator of the first network device and the second information includes a routing indicator list;
    or the first information includes the group identifier of the first network device and the second information includes a group identifier list.
  3. The method according to claim 1 or 2, characterized in that, before the first network device sends the service request to the second network device, the method further comprises:
    the first network device sending a token request to a third network device, the token request requesting that the token be issued;
    the first network device receiving a token response, including the token, sent by the third network device.
  4. The method according to claim 3, characterized in that the token request includes the first information.
  5. The method according to claim 3 or 4, characterized in that, before the first network device sends the token request to the third network device, the method further comprises:
    the first network device sending a first registration request to the third network device, the first registration request including the first information.
  6. An authorization method, characterized in that the method comprises:
    a second network device receiving a service request from a first network device, the service request including a token, the token being used to verify whether the first network device has permission to access the second network device, the token including first information and/or second information, the first information identifying the first network device and the second information identifying the network devices that the second network device allows to access it;
    the second network device determining, based on the token, whether the first network device has permission to access the second network device;
    if the first network device has permission to access the second network device, the second network device sending a service response to the first network device.
  7. The method according to claim 6, characterized in that, before the second network device receives the service request from the first network device, the method further comprises:
    the second network device sending a second registration request to a third network device, the second registration request including the second information.
  8. The method according to claim 6 or 7, characterized in that the first information includes the domain of the first network device and the second information includes the domain allowed by the second network device;
    or the first information includes the routing indicator of the first network device and the second information includes a routing indicator list;
    or the first information includes the group identifier of the first network device and the second information includes a group identifier list.
  9. An authorization method, characterized in that the method comprises:
    a third network device receiving a token request sent by a first network device, the token request requesting that a token be issued;
    the third network device determining, based on the token request, whether the first network device has permission to access a second network device;
    if the first network device has permission to access the second network device, the third network device sending a token response including the token to the first network device, the token including first information and/or second information, the first information identifying the first network device and the second information identifying the network devices that the second network device allows to access it.
  10. The method according to claim 9, characterized in that, before the third network device receives the token request sent by the first network device, the method further comprises:
    the third network device receiving a first registration request from the first network device, the first registration request including the first information;
    and the third network device receiving a second registration request from the second network device, the second registration request including the second information.
  11. The method according to claim 9 or 10, characterized in that the first information includes the domain of the first network device and the second information includes the domain allowed by the second network device;
    or the first information includes the routing indicator of the first network device and the second information includes a routing indicator list;
    or the first information includes the group identifier of the first network device and the second information includes a group identifier list.
  12. A communication apparatus, characterized in that the apparatus comprises:
    a sending unit, configured to send a service request to a second network device, the service request including a token, the token being used to verify whether the communication apparatus has permission to access the second network device, the token including first information and/or second information, the first information identifying the communication apparatus and the second information identifying the network devices that the second network device allows to access it;
    a receiving unit, configured to receive a service response sent by the second network device.
  13. The apparatus according to claim 12, characterized in that the first information includes the domain of the communication apparatus and the second information includes the domain allowed by the second network device;
    or the first information includes the routing indicator of the communication apparatus and the second information includes a routing indicator list;
    or the first information includes the group identifier of the communication apparatus and the second information includes a group identifier list.
  14. The apparatus according to claim 12 or 13, characterized in that
    the sending unit is further configured to send a token request to a third network device, the token request requesting that the token be issued;
    the receiving unit is further configured to receive a token response, including the token, sent by the third network device.
  15. The apparatus according to claim 14, characterized in that the token request includes the first information.
  16. The apparatus according to claim 14 or 15, characterized in that
    the sending unit is further configured to send a first registration request to the third network device, the first registration request including the first information.
  17. A communication apparatus, characterized in that the apparatus comprises:
    a receiving unit, configured to receive a service request from a first network device, the service request including a token, the token being used to verify whether the first network device has permission to access the communication apparatus, the token including first information and/or second information, the first information identifying the first network device and the second information identifying the network devices that the communication apparatus allows to access it;
    a processing unit, configured to determine, based on the token, whether the first network device has permission to access the communication apparatus;
    a sending unit, configured to send a service response to the first network device if the first network device has permission to access the communication apparatus.
  18. The apparatus according to claim 17, characterized in that
    the sending unit is further configured to send a second registration request to a third network device, the second registration request including the second information.
  19. The apparatus according to claim 17 or 18, characterized in that the first information includes the domain of the first network device and the second information includes the domain allowed by the communication apparatus;
    or the first information includes the routing indicator of the first network device and the second information includes a routing indicator list;
    or the first information includes the group identifier of the first network device and the second information includes a group identifier list.
  20. A communication apparatus, characterized in that the apparatus comprises:
    a receiving unit, configured to receive a token request sent by a first network device, the token request requesting that a token be issued;
    a processing unit, configured to determine, based on the token request, whether the first network device has permission to access a second network device;
    a sending unit, configured to send a token response including the token to the first network device if the first network device has permission to access the second network device, the token including first information and/or second information, the first information identifying the first network device and the second information identifying the network devices that the second network device allows to access it.
  21. The apparatus according to claim 20, characterized in that
    the receiving unit is further configured to receive a first registration request from the first network device, the first registration request including the first information;
    the receiving unit is further configured to receive a second registration request from the second network device, the second registration request including the second information.
  22. The apparatus according to claim 20 or 21, characterized in that the first information includes the domain of the first network device and the second information includes the domain allowed by the second network device;
    or the first information includes the routing indicator of the first network device and the second information includes a routing indicator list;
    or the first information includes the group identifier of the first network device and the second information includes a group identifier list.
  23. A communication apparatus, characterized in that it comprises a processor, a memory and a transceiver;
    the transceiver being configured to receive or send signals;
    the memory being configured to store program code;
    the processor being configured to execute the program code so that the communication apparatus performs the method according to any one of claims 1 to 11.
  24. A communication apparatus, characterized in that it comprises a processor and an interface circuit;
    the interface circuit being configured to receive code instructions and transmit them to the processor; the processor running the code instructions to perform the method according to any one of claims 1 to 11.
  25. A computer-readable storage medium, characterized in that the computer-readable storage medium is configured to store instructions which, when executed, cause the method according to any one of claims 1 to 11 to be implemented.
  26. A computer program product, characterized in that the computer program product comprises instructions which, when executed, cause the method according to any one of claims 1 to 11 to be implemented.
  27. A communication system, characterized in that the communication system comprises a first network device, a second network device and a third network device; wherein
    the first network device is configured to send a first registration request to the third network device, the first registration request including first information;
    the second network device is configured to send a second registration request to the third network device, the second registration request including second information;
    the third network device is configured to receive the first registration request and the second registration request;
    the first network device is further configured to send a token request to the third network device;
    the third network device is further configured to receive the token request and to send a token response including a token to the first network device;
    the first network device is further configured to receive the token response including the token;
    the first network device is further configured to send a service request to the second network device, the service request including the token, the token being used to verify whether the first network device has permission to access the second network device, the token including first information and/or second information, the first information identifying the first network device and the second information identifying the network devices that the second network device allows to access it;
    the second network device is further configured to receive the service request and to determine whether the first network device has permission to access the second network device, and, when the first network device has permission to access the second network device, the second network device sends a service response to the first network device;
    the first network device is further configured to receive the service response.
PCT/CN2020/111408 2019-11-30 2020-08-26 Authorization method and apparatus WO2021103693A1 (zh)

Priority Applications (2)

Application Number Priority Date Filing Date Title
EP20891581.9A EP4054141A4 (en) 2019-11-30 2020-08-26 AUTHORIZATION METHOD AND DEVICE
US17/824,101 US20220286464A1 (en) 2019-11-30 2022-05-25 Authorization method and apparatus

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
CN201911209163.X 2019-11-30
CN201911209163 2019-11-30
CN202010088956.7 2020-02-12
CN202010088956.7A CN112887260A (zh) 2019-11-30 2020-02-12 Authorization method and apparatus

Related Child Applications (1)

Application Number Title Priority Date Filing Date
US17/824,101 Continuation US20220286464A1 (en) 2019-11-30 2022-05-25 Authorization method and apparatus

Publications (1)

Publication Number Publication Date
WO2021103693A1 true WO2021103693A1 (zh) 2021-06-03

Family

ID=76042813

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2020/111408 WO2021103693A1 (zh) 2019-11-30 2020-08-26 Authorization method and apparatus

Country Status (4)

Country Link
US (1) US20220286464A1 (zh)
EP (1) EP4054141A4 (zh)
CN (1) CN112887260A (zh)
WO (1) WO2021103693A1 (zh)

Also Published As

Publication number Publication date
EP4054141A1 (en) 2022-09-07
CN112887260A (zh) 2021-06-01
US20220286464A1 (en) 2022-09-08
EP4054141A4 (en) 2022-12-21

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 20891581

Country of ref document: EP

Kind code of ref document: A1

ENP Entry into the national phase

Ref document number: 2020891581

Country of ref document: EP

Effective date: 20220603

NENP Non-entry into the national phase

Ref country code: DE