WO2021139244A1 - Permissions request verification method and apparatus, device, and storage medium - Google Patents


Info

Publication number
WO2021139244A1
Authority
WO
WIPO (PCT)
Prior art keywords
permission
authorization
key
token
authority
Prior art date
Application number
PCT/CN2020/118444
Other languages
French (fr)
Chinese (zh)
Inventor
顾青成
Original Assignee
平安科技(深圳)有限公司

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/321 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
    • H04L9/3213 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority using tickets or tokens, e.g. Kerberos
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H04L9/3297 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving time stamps, e.g. generation of time stamps

Definitions

  • This application relates to the field of cryptography / information encryption and decryption technology, and in particular to a permission application verification method, apparatus, device and storage medium.
  • Interaction between systems usually takes one of two forms: the user logs in to each system and operates them separately, or the user grants authorization so that the systems call each other through an API.
  • In the API-call approach, the system applying for permission typically uses the user key stored in that system, the permission to be applied for, the API call parameters and the current timestamp to generate a token, which it sends to the system that issues permissions.
  • The issuing system generates a token with the same key and compares it with the received token; if the two are identical, verification passes. The inventor found that once verification passes, the system's permissions are opened up completely, although an API call usually does not need all of them, which is a security risk; and because the user key is the same in multiple systems, there is a further security risk.
  • This application provides a permission application verification method, apparatus, device and storage medium that improve the security of permission authorization between systems.
  • One technical solution adopted in this application is to provide a permission application verification method, which includes the steps S101 to S105 described below.
  • Another technical solution adopted in this application is to provide a permission application verification apparatus, which includes:
  • an obtaining module configured to receive a first token applying for permission, the first token including a user ID, permission call interface parameters and a timestamp, and to obtain a user key according to the user ID;
  • a key generation module configured to obtain a temporary verification key according to the user key and the permission call interface parameters;
  • a verification module configured to generate a second token according to the user ID, the temporary verification key, the permission call interface parameters and the timestamp, and to compare whether the first token and the second token are consistent; if they are consistent, the permission application passes verification and authorization is granted according to the permission call interface parameters.
  • Another technical solution adopted in this application is to provide a permission application verification device, which includes a processor and a memory coupled to the processor, the memory storing computer-readable instructions which, when executed by the processor, cause the processor to carry out the steps of any of the permission application verification methods above.
  • Another technical solution adopted in this application is to provide a storage medium storing computer-readable instructions.
  • When the computer-readable instructions are executed by one or more processors, the one or more processors carry out the steps of any of the permission application verification methods above.
  • The permission application verification method, apparatus, device and storage medium proposed in this application verify the first token by generating a second token with a temporary verification key, which protects the user key and in turn protects the system.
  • FIG. 1 is a schematic flowchart of a permission application verification method according to an embodiment of the present application.
  • FIG. 2 is a schematic structural diagram of a permission application verification apparatus according to an embodiment of the present application.
  • FIG. 3 is a schematic structural diagram of a permission application verification device according to an embodiment of the present application.
  • FIG. 4 is a schematic structural diagram of a storage medium according to an embodiment of the present application.
  • The terms "first", "second" and "third" in this application are used for description only and are not to be understood as indicating or implying relative importance or implicitly indicating the number of the technical features referred to. Thus, a feature qualified by "first", "second" or "third" may explicitly or implicitly include at least one such feature.
  • "A plurality of" means at least two, such as two, three, etc., unless specifically defined otherwise. All directional indications (such as up, down, left, right, front, back, etc.) in the embodiments of this application are used only to explain the relative positional relationship, movement and so on of the components in a specific posture (as shown in the figures); if that posture changes, the directional indication changes accordingly.
  • FIG. 1 is a schematic flowchart of a permission application verification method according to an embodiment of the present application.
  • The permission application verification method is used between two systems that need to interact, a first system and a second system.
  • The first system applies to the second system for authorization, and the second system uses the permission application verification method to verify whether the first system's application complies with the authorization; if it does, the second system authorizes the first system.
  • The first system and the second system may be, respectively, a client and a server, a cloud client and a cloud platform, and so on.
  • The method of the present application is not limited to the order of the process shown in FIG. 1.
  • The permission application verification method includes the following steps:
  • Step S101: Receive a first token applying for permission, the first token including a user ID, permission call interface parameters and a timestamp.
  • The first token is the permission application instruction that the first system sends to the second system for the permission to be applied for, and it includes the user ID, the permission call interface parameters and the timestamp.
  • The user ID identifies the user applying for the permission.
  • The permission call interface parameters are the parameters defined by the inter-system API interface call.
  • The timestamp is the system time at which the permission call application is initiated.
  • The first token also includes a temporary application key, which is obtained as follows:
  • Step S1: Obtain a user key and at least one authority ID to be authorized.
  • The system user can configure the user key in the system when the system is set up.
  • Through the user's authorization, the same user's key can be obtained by each of the systems that make authorization calls, and it is the same in all of them.
  • By acquiring the name of the authority to be authorized, at least one authority ID corresponding to that authority name can be obtained from a database that stores the correspondence between multiple authority names and multiple authority IDs.
  • The authority IDs in the database are obtained by refining authorities according to a preset scope. For example, the authority with ID 001 can be set to represent the user's name, the authority with ID 002 the user's phone number, and the authority with ID 003 the user's address.
  • One authority name to be authorized may correspond to multiple authority IDs.
  • The authorities of different authority names to be authorized may share at least some authority IDs, or may have completely different authority IDs.
  • For example, the corresponding authority IDs can be 001, 002 and 003, and when the authority name to be authorized is the login system, the corresponding authority ID can be 001 or 002.
  • Step S2: Calculate the authority termination period according to the authority ID; the authority termination period is the time at which the authorization terminates.
  • The authorization time corresponding to each authority ID may also be stored in the database. After the authority IDs to be authorized are obtained, the overall authorization time is calculated from the number of authority IDs and their corresponding authorization times, and the authority termination period is calculated from it. To ensure that different authorities to be authorized yield different temporary keys, the authorization time of each authority ID can be specified to the millisecond: for example, the authorization time for authority ID 001 is 1 minute 21 seconds 450 milliseconds, for authority ID 002 it is 0 minutes 45 seconds 120 milliseconds, and for authority ID 003 it is 1 minute 0 seconds 250 milliseconds.
  • For example, the authority name to be authorized is the registration system, and the authority termination period is the current timestamp plus the authorization time 2.
  • Step S3: Generate authority information according to the authority ID and the authority termination period.
  • The authority ID and the authority termination period can be concatenated into a string according to preset rules to generate the authority information.
  • For example, if the authority IDs are 001, 002 and 003 and the authority termination period is 2:01:00 and 531 milliseconds, the authority information is "001, 002, 003->20100531".
  • Step S4: Encrypt the authority information with the user key to generate first information.
  • The first information can be generated by symmetrically encrypting the authority information with the user key.
  • The encryption algorithm may be the higher-strength AES128 algorithm.
  • Step S5: Generate the temporary application key according to the first information and the user key.
  • In step S5, the first information and the user key are first signed.
  • The combined character string of the first information and the user key may be signed using the MD5 algorithm to obtain a first digital signature, which is then appended to the first information to form the temporary application key.
  • The first token is generated by encrypting the user ID, the permission call interface parameters, the timestamp and the temporary application key. For example, for the first token token1, the user ID, the permission call interface parameters, the timestamp and the temporary application key are arranged into the specific string "user id + temporary application private key + permission call interface parameters sorted by parameter name + timestamp", which is then processed with MD5; the permission call interface parameters include an authority range parameter.
  • The first information may serve as the authority range parameter. If the authority range parameter is defined as "AuthorityRange", the URL of the calling interface can be " ".
  • In this way the scope and time limit of the authorization are constrained and the user key is protected, which in turn protects the system.
  • Step S102: Obtain a user key according to the user ID.
  • After the second system receives the first token token1 with which the first system applies for permission, it can obtain the user ID from token1 and, according to the user ID, find the corresponding user and the user key installed in the second system.
  • Step S103: Obtain a temporary verification key according to the user key and the permission call interface parameters.
  • The permission call interface parameters include an authority scope parameter, and the first information serves as that parameter. That is, the first information can be taken from the permission call interface parameters of the first token, the first information and the user key are signed to produce a second digital signature, and the temporary verification key is generated from the second digital signature and the first information.
  • The combined character string of the first information and the user key may be signed using the MD5 algorithm to obtain the second digital signature, which is then appended to the first information to form the temporary verification key.
  • Step S104: Generate a second token according to the user ID, the temporary verification key, the permission call interface parameters and the timestamp.
  • The second token is generated by encrypting the user ID, the permission call interface parameters, the timestamp and the temporary verification key.
  • The second token is generated in the same way as the first: for example, the user ID, the permission call interface parameters, the timestamp and the temporary verification key of the second token token2 are arranged into the specific string "user id + temporary verification private key + permission call interface parameters sorted by parameter name + timestamp", which is then processed with MD5; the permission call interface parameters include the authority range parameter.
  • The first information may serve as the authority range parameter. If the authority range parameter is defined as "AuthorityRange", the URL of the calling interface can be " ".
  • Step S105: Compare whether the first token and the second token are consistent; if they are consistent, the permission application passes verification and authorization is granted according to the permission call interface parameters.
  • Specifically, the authority IDs to be authorized and the authority termination period can be obtained, and whether the authority termination period in the first token token1 has exceeded the authorization time limit is calculated from the termination period and the current time. If the time limit is exceeded, the permission application fails verification; if it is within the time limit, whether the first token token1 exceeds the authorization scope is determined from the authority IDs, the user ID and the permission call interface parameters, and if it exceeds the scope, the permission application fails verification. After all of the above checks pass, the first token token1 and the second token token2 are compared; when they are consistent, the permission application passes verification and authorization is granted according to the permission call interface parameters.
  • The permission application verification method of this embodiment uses a temporary verification key to generate a second token with which the first token is verified, which protects the user key and in turn protects the system.
  • The first token uses the user key to sign and encrypt the authority IDs of the permission being applied for and the authority termination period to produce the temporary application key, which protects the user key while keeping the authorization within a defined scope and time limit, thereby protecting the system.
  • The authorities are refined, and the authority scope is limited precisely, to protect the security of system authorities.
  • The usage time of the permission can be controlled effectively, which protects the system.
  • The permission application verification method, apparatus, device and storage medium proposed by this application verify the first token by generating a second token with a temporary verification key, and use the authority ID and the authority termination period to protect the system while effectively controlling the scope and usage time of the authority; they are therefore also suitable for smart cities, big data, financial technology and other fields that involve authority management.
  • FIG. 2 is a schematic structural diagram of a permission application verification device 1 according to an embodiment of the present application.
  • The permission application verification apparatus 1 includes an obtaining module 10, a key generation module 11 and a verification module 12.
  • The obtaining module 10 is configured to receive a first token applying for permission, the first token including a user ID, permission call interface parameters and a timestamp, and to obtain a user key according to the user ID.
  • The key generation module 11 is configured to obtain a temporary verification key according to the user key and the permission call interface parameters.
  • The verification module 12 is configured to generate a second token according to the user ID, the temporary verification key, the permission call interface parameters and the timestamp, and to compare whether the first token and the second token are consistent; if they are consistent, the permission application passes verification and authorization is granted according to the permission call interface parameters.
  • FIG. 3 is a schematic structural diagram of a permission application verification device 30 according to an embodiment of the present application.
  • The permission application verification device 30 includes a memory 32, a processor 31 and a computer program stored in the memory 32 and runnable on the processor 31; when the processor 31 executes the computer program, it carries out the permission application verification method above.
  • FIG. 4 is a schematic structural diagram of a storage medium according to an embodiment of the present application.
  • A storage medium stores computer-readable instructions 41 which, when executed by one or more processors, cause the one or more processors to carry out the permission application verification method above.
  • The computer program can be stored in a computer-readable storage medium, and when the program is executed it may include the procedures of the method embodiments above.
  • The storage medium may be a non-volatile storage medium such as a magnetic disk, an optical disk or a read-only memory (ROM), or a volatile storage medium such as a random access memory (RAM).
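The applicant's construction of token1 (steps S1 to S5) and the issuing system's checks (steps S102 to S105), as an added Go example that is not part of the patent. The page names only "AES128", so AES-128-GCM with the nonce prepended is an assumption, as are the "name=value" joining of the sorted parameters and the constructed key, user ID and timestamp; MD5 is kept only because the page specifies it.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/md5"
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

func newGCM(userKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(userKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Step S4: encrypt the authority information (e.g. "001, 002, 003->20100531") into the first information.
// The page names only "AES128"; AES-128-GCM with the nonce prepended to the hex output is this example's assumption.
func encryptFirstInfo(userKey []byte, authorityInfo string) (string, error) {
	gcm, err := newGCM(userKey)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	return hex.EncodeToString(gcm.Seal(nonce, nonce, []byte(authorityInfo), nil)), nil
}

// Issuer side of step S105: read back the authority IDs and termination period; GCM also rejects a tampered parameter.
func decryptFirstInfo(userKey []byte, firstInfo string) (string, error) {
	gcm, err := newGCM(userKey)
	if err != nil {
		return "", err
	}
	raw, err := hex.DecodeString(firstInfo)
	if err != nil || len(raw) < gcm.NonceSize() {
		return "", fmt.Errorf("malformed first information")
	}
	plain, err := gcm.Open(nil, raw[:gcm.NonceSize()], raw[gcm.NonceSize():], nil)
	return string(plain), err
}

// Steps S5 (applicant) and S103 (issuer): MD5 over first information || user key, as the page specifies, appended to the first information.
func temporaryKey(firstInfo string, userKey []byte) string {
	sig := md5.Sum([]byte(firstInfo + string(userKey)))
	return firstInfo + hex.EncodeToString(sig[:])
}

// Page layout for token1 and token2: user id + temporary key + parameters sorted by name + timestamp, then MD5 ("name=value" joining is an assumption).
func token(userID, tempKey string, params map[string]string, timestamp string) string {
	names := make([]string, 0, len(params))
	for name := range params {
		names = append(names, name)
	}
	sort.Strings(names)
	s := userID + tempKey
	for _, name := range names {
		s += name + "=" + params[name]
	}
	sum := md5.Sum([]byte(s + timestamp))
	return hex.EncodeToString(sum[:])
}

// Issuing system, steps S102 to S105. keys: user ID -> user key (an unknown ID yields a nil key, which newGCM rejects);
// granted: user ID -> authority IDs on record; now uses the page's "HMMSSmmm" digits, e.g. "20100531".
func verify(keys map[string][]byte, granted map[string]map[string]bool, userID, token1 string, params map[string]string, timestamp, now string) error {
	userKey := keys[userID]
	info, err := decryptFirstInfo(userKey, params["AuthorityRange"])
	if err != nil {
		return err
	}
	parts := strings.SplitN(info, "->", 2) // page layout: "001, 002, 003->20100531"
	if len(parts) != 2 || len(parts[1]) != len(now) || now > parts[1] {
		return fmt.Errorf("authorization time limit exceeded or malformed authority information")
	}
	for _, id := range strings.Split(parts[0], ",") {
		if !granted[userID][strings.TrimSpace(id)] {
			return fmt.Errorf("authority %s exceeds authorization scope", strings.TrimSpace(id))
		}
	}
	token2 := token(userID, temporaryKey(params["AuthorityRange"], userKey), params, timestamp)
	if subtle.ConstantTimeCompare([]byte(token1), []byte(token2)) != 1 {
		return fmt.Errorf("token mismatch")
	}
	return nil
}

func main() {
	userKey := []byte("0123456789abcdef") // constructed 16-byte AES-128 key
	firstInfo, _ := encryptFirstInfo(userKey, "001, 002, 003->20100531")
	params := map[string]string{"AuthorityRange": firstInfo, "action": "register"}
	token1 := token("user42", temporaryKey(firstInfo, userKey), params, "1596000000")
	fmt.Println(verify(map[string][]byte{"user42": userKey}, map[string]map[string]bool{"user42": {"001": true, "002": true, "003": true}}, "user42", token1, params, "1596000000", "20000000"))
}
```

The issuer never needs the applicant's temporary key on the wire: it rebuilds it from the AuthorityRange parameter and its own copy of the user key, so a forged or edited parameter changes token2 and fails the comparison.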

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Power Engineering (AREA)
  • Storage Device Security (AREA)

Abstract

The present application sets forth a permissions request verification method. The permissions request verification method comprises: receiving a first token requesting permissions, said first token including a user ID, a permissions calling interface parameter, and a time stamp; obtaining a user key according to the user ID; obtaining a temporary verification key according to the user key and the permissions calling interface parameter; generating a second token according to the user ID, the temporary verification key, the permissions calling interface parameter, and the time stamp; comparing the first token and the second token and determining if the two are consistent; if consistent, the permissions request verification is deemed successful, and authorization is performed according to the permissions calling interface parameter. The present application enhances the security of inter-system permissions authorization.

Description

Permission application verification method, apparatus, device and storage medium
This application claims priority to the Chinese patent application filed with the Chinese Patent Office on July 28, 2020, with application number 202010738614.5 and entitled "Permission application verification method, apparatus, device and storage medium", the entire content of which is incorporated herein by reference.
Technical field
This application relates to the field of cryptography / information encryption and decryption technology, and in particular to a permission application verification method, apparatus, device and storage medium.
Background
For non-closed software systems, such as back-end systems and middle-platform systems, in order to support integration with other systems, interaction between systems usually takes one of two forms: the user logs in to each system and operates them separately, or the user grants authorization so that the systems call each other through an API.
Having the user log in to each system and operate them separately requires human intervention: the user must take part throughout the operation of the multiple systems and, whenever a system is called, operate each of the systems in turn. This is cumbersome, takes up much of the user's time, and gives a poor user experience.
In the approach where the user grants authorization so that systems call each other through an API, the system applying for permission typically uses the user key stored in that system, the permission to be applied for, the API call parameters and the current timestamp to generate a token, which it sends to the system that issues permissions. The issuing system generates a token with the same key and compares it with the received token; if the two are identical, verification passes. The inventor found that in this approach, once verification passes, the system's permissions are opened up completely, although an API call usually does not need all of them, which is a security risk; and because the user key is the same in multiple systems, there is a further security risk.
Therefore, secure permission calls between systems are an urgent need for users.
Technical problem
This application provides a permission application verification method, apparatus, device and storage medium that can improve the security of permission authorization between systems.
技术解决方案Technical solutions
为解决上述技术问题,本申请采用的一个技术方案是:提供一种权限申请验证方法,所述权限申请验证方法包括:In order to solve the above technical problems, a technical solution adopted in this application is to provide a permission application verification method, and the permission application verification method includes:
receiving a first token requesting permission, the first token including a user ID, permission-call interface parameters and a timestamp;
obtaining a user key according to the user ID;
obtaining a temporary verification key according to the user key and the permission-call interface parameters;
generating a second token according to the user ID, the temporary verification key, the permission-call interface parameters and the timestamp;
comparing the first token with the second token and, if they are identical, treating the permission request as verified and granting authorization according to the permission-call interface parameters.
In addition, to solve the above technical problem, another technical solution adopted by this application is to provide a permission request verification apparatus, the apparatus including:
an obtaining module, configured to receive a first token requesting permission, the first token including a user ID, permission-call interface parameters and a timestamp, and to obtain a user key according to the user ID;
a key generation module, configured to obtain a temporary verification key according to the user key and the permission-call interface parameters;
a verification module, configured to generate a second token according to the user ID, the temporary verification key, the permission-call interface parameters and the timestamp, to compare the first token with the second token and, if they are identical, to treat the permission request as verified and grant authorization according to the permission-call interface parameters.
In addition, to solve the above technical problem, another technical solution adopted by this application is to provide a permission request verification device, the device including a processor and a memory coupled to the processor, the memory storing computer-readable instructions which, when executed by the processor, cause the processor to perform the steps of the permission request verification method described in any of the items above.
In addition, to solve the above technical problem, another technical solution adopted by this application is to provide a storage medium storing computer-readable instructions which, when executed by one or more processors, cause the one or more processors to perform the steps of the permission request verification method described in any of the items above.
Beneficial effect
The permission request verification method, apparatus, device and storage medium proposed in this application verify the first token by generating a second token from a temporary verification key, so that the user key itself never has to be transmitted; this protects the user key and in turn the system.
Description of the drawings
FIG. 1 is a schematic flowchart of a permission request verification method according to an embodiment of the present application;
FIG. 2 is a schematic structural diagram of a permission request verification apparatus according to an embodiment of the present application;
FIG. 3 is a schematic structural diagram of a permission request verification device according to an embodiment of the present application;
FIG. 4 is a schematic structural diagram of a storage medium according to an embodiment of the present application.
Embodiments of the present invention
The technical solutions in the embodiments of the present application are described below clearly and completely with reference to the drawings of those embodiments. Obviously, the described embodiments are only some, not all, of the embodiments of the present application. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of the present application without inventive effort fall within the protection scope of the present application.
The terms "first", "second" and "third" in this application are used for description only and are not to be understood as indicating or implying relative importance or the number of the technical features indicated. A feature qualified by "first", "second" or "third" may therefore explicitly or implicitly include at least one such feature. In the description of this application, "a plurality of" means at least two, for example two or three, unless otherwise specifically defined. All directional indications in the embodiments (such as up, down, left, right, front and back) are used only to explain the relative positions and movements of components in a particular posture (as shown in the drawings); if that posture changes, the directional indication changes accordingly. In addition, the terms "including" and "having" and any variants of them are intended to cover non-exclusive inclusion: a process, method, system, product or device that includes a series of steps or units is not limited to the listed steps or units, but may optionally include steps or units that are not listed, or other steps or units inherent to the process, method, product or device.
Reference to an "embodiment" herein means that a particular feature, structure or characteristic described in connection with the embodiment can be included in at least one embodiment of the present application. The appearance of the phrase in various places in the specification does not necessarily refer to the same embodiment, nor to a separate or alternative embodiment that is mutually exclusive with other embodiments. Those skilled in the art understand, explicitly and implicitly, that the embodiments described herein can be combined with other embodiments.
Please refer to FIG. 1, a schematic flowchart of a permission request verification method according to an embodiment of the present application. In this embodiment the method is used between two interacting systems, a first system and a second system: the first system requests permission from the second system, and the second system uses the method to verify whether the first system's request matches what it is authorized for and, if so, grants the authorization. The first system and the second system may be, respectively, a client and a server, a cloud client and a cloud platform, and so on. Note that the method of the present application is not limited to the order shown in FIG. 1 if substantially the same result is obtained. As shown in FIG. 1, the permission request verification method includes the following steps:
Step S101: receive a first token requesting permission, the first token including a user ID, permission-call interface parameters and a timestamp.
The first token is the permission request that the first system, which wants the permission, sends to the second system. It carries the user ID, the permission-call interface parameters and the timestamp: the user ID identifies the user requesting the permission, the permission-call interface parameters are the parameters defined for the inter-system API call, and the timestamp is the system time at which the permission request was initiated. To make the second system's verification of the first token easier to follow, the generation of the first token is described first.
According to an embodiment of the present application, the first token includes a temporary request key, obtained as follows:
Step S1: obtain the user key and at least one permission ID to be authorized.
According to an embodiment, the user key is configured in a system when that system is set up; the several systems that call permissions through user authorization normally hold the same user key for a given user. To keep the authorization scope controllable, this embodiment takes the name of the permission to be authorized and looks up the corresponding permission ID(s) in a database that stores the correspondence between permission names and permission IDs. The permission IDs in the database are the result of splitting permissions into predefined ranges: for example, permission ID 001 may represent the user's name, 002 the user's telephone number and 003 the user's address. One permission name may map to several permission IDs, and different permission names may share some IDs or use entirely different ones. For example, the permission name "registration system" may map to IDs 001, 002 and 003, while the permission name "login system" maps to IDs 001 and 002.
Mapping permission names to permission IDs refines the permission to be granted: instead of opening every permission on each authorization, authorization is granted by range, which bounds the permission scope precisely and protects the system.
Step S2: calculate the permission expiry time from the permission ID(s); the permission expiry time is the time at which the authorization ends.
According to an embodiment, the database may also store an authorization duration for each permission ID. Once the permission IDs to be authorized are known, the overall authorization duration is calculated from the number of IDs and their individual durations, and the permission expiry time is derived from it. So that different sets of permissions yield different temporary keys, the duration per permission ID may be specified to the millisecond: for example, 1 min 21.450 s for ID 001, 0 min 45.120 s for ID 002 and 1 min 0.250 s for ID 003.
When the permission name to be authorized is "registration system", the durations of IDs 001, 002 and 003 are summed to give overall duration 1, and the permission expiry time is the current timestamp plus duration 1; when the permission name is "login system", the durations of IDs 001 and 002 give overall duration 2, and the permission expiry time is the current timestamp plus duration 2. The permission expiry time bounds how long an authorization stays valid, so the time range of the authorization is controllable, which protects the system.
Step S3: generate permission information from the permission ID(s) and the permission expiry time.
In step S3 the permission IDs and the permission expiry time are concatenated into a string according to a preset rule to form the permission information. For example, when the permission name is "registration system", the permission IDs are 001, 002 and 003 and the permission expiry time is 02:01:00.531, the permission information is "001,002,003->20100531".
Step S4: encrypt the permission information with the user key to generate first information.
Specifically, the first information is produced by symmetrically encrypting the permission information with the user key; according to an embodiment the cipher is AES-128.
Step S5: generate the temporary request key from the first information and the user key.
Specifically, the first information and the user key are first "signed": in this embodiment the string formed by concatenating the first information and the user key is hashed with MD5 to obtain the first digital signature, and the first digital signature is appended to the first information to form the temporary request key. Note that this "signature" is a plain MD5 hash over the data concatenated with the shared secret, not a public-key signature: any party holding the user key can produce it, which is exactly what lets the second system recompute it in step S103.
The first token is generated by hashing the user ID, the permission-call interface parameters, the timestamp and the temporary request key. For example, the fields of the first token token1 are arranged into the string "user ID + temporary request key + permission-call interface parameters sorted by parameter name + timestamp", and the MD5 digest of that string is the token (the original calls this "MD5 encryption"; MD5 is a hash function, not a cipher, so the token cannot be decrypted, only recomputed). The permission-call interface parameters include a permission-scope parameter, and according to an embodiment the first information is used as the permission-scope parameter. If the permission-scope parameter is named "AuthorityRange", the interface URL carries it as a query parameter (the example URL is an image in the original and is not reproduced here).
Generating the first token from a temporary request key and using the first token to request permission bounds both the scope and the validity period of the authorization, and protects the user key and therefore the system.
Step S102: obtain the user key according to the user ID.
After receiving the first token token1 from the first system, the second system reads the user ID from it and uses the user ID to look up the corresponding user and the user key configured for that user in the second system.
Step S103: obtain a temporary verification key according to the user key and the permission-call interface parameters.
According to an embodiment, the permission-call interface parameters include a permission-scope parameter whose value is the first information. The second system therefore reads the first information from the permission-call interface parameters of the first token, "signs" the first information together with the user key to obtain a second digital signature, and forms the temporary verification key from the second digital signature and the first information. In this embodiment the string formed by concatenating the first information and the user key is hashed with MD5 to obtain the second digital signature, which is appended to the first information to form the temporary verification key. This is the same computation the first system performed in step S5, so the temporary verification key equals the temporary request key exactly when both systems hold the same user key and the first information arrived unmodified.
Step S104: generate a second token according to the user ID, the temporary verification key, the permission-call interface parameters and the timestamp.
Specifically, the second token is generated by hashing the user ID, the permission-call interface parameters, the timestamp and the temporary verification key in exactly the same way as the first token: the fields of the second token token2 are arranged into the string "user ID + temporary verification key + permission-call interface parameters sorted by parameter name + timestamp" and hashed with MD5. Here too the permission-call interface parameters include the permission-scope parameter, which according to an embodiment carries the first information; if that parameter is named "AuthorityRange", the interface URL carries it as a query parameter (the example URL is an image in the original and is not reproduced here).
Step S105: compare the first token with the second token; if they are identical, the permission request is verified and authorization is granted according to the permission-call interface parameters.
Specifically, the second system decrypts the first information with the user key to recover the permission ID(s) to be authorized and the permission expiry time, and checks, from the permission expiry time and the current time, whether the first token token1 is past its authorization period; if it is, verification fails. If it is within the period, the second system checks, from the permission IDs, the user ID and the permission-call interface parameters, whether the first token token1 asks for more than the authorized scope; if it does, verification fails. Only after both checks pass does the second system compare the first token token1 with the second token token2; when they are identical, the permission request is verified and authorization is granted according to the permission-call interface parameters.
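The complete exchange of steps S1 to S5 on the first system and S101 to S105 on the second system, as an added worked example in Go; it is not code from the patent or its applicant. It keeps the page's constructions: AES-128 over the permission information to form the first information, the MD5 "signature" over first information plus user key appended to the first information to form the temporary key, and MD5 over "user ID + temporary key + parameters sorted by name + timestamp" for both tokens. Everything the page leaves open is an assumption and is marked as such in the comments: AES-128-GCM with the nonce prepended as the cipher mode, the expiry written as Unix milliseconds instead of the page's time-of-day string, the sorted parameters joined as k=v pairs with &, an assumed parameter Field naming the permission ID the call actually uses (consumed by the scope check of S105), and in-memory tables standing in for the permission database, loaded with the page's example IDs and durations.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/md5"
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"sort"
	"strconv"
	"strings"
	"time"
)

// Constructed stand-ins for the page's database: permission name -> permission IDs,
// and per-ID authorization durations (1:21.450, 0:45.120 and 1:00.250 from the page).
var permIDsByName = map[string][]string{"register": {"001", "002", "003"}, "login": {"001", "002"}}
var durationByID = map[string]time.Duration{"001": 81450 * time.Millisecond, "002": 45120 * time.Millisecond, "003": 60250 * time.Millisecond}

// Request is the first token on the wire (assumed format). Params["AuthorityRange"]
// carries the first information; Params["Field"] (assumed) is the permission ID the call uses.
type Request struct {
	UserID    string
	Params    map[string]string
	Timestamp int64 // unix milliseconds
	Token     string
}

func md5Hex(s string) string { sum := md5.Sum([]byte(s)); return hex.EncodeToString(sum[:]) }

// sealHex/openHex: AES-128-GCM, nonce prepended, hex encoded. The page says only
// "AES128"; choosing an authenticated mode and this layout is an assumption.
func sealHex(key []byte, plaintext string) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, _ := cipher.NewGCM(block)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	return hex.EncodeToString(gcm.Seal(nonce, nonce, []byte(plaintext), nil)), nil
}

func openHex(key []byte, ctHex string) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, _ := cipher.NewGCM(block)
	ct, err := hex.DecodeString(ctHex)
	if err != nil || len(ct) < gcm.NonceSize() {
		return "", errors.New("malformed first information")
	}
	pt, err := gcm.Open(nil, ct[:gcm.NonceSize()], ct[gcm.NonceSize():], nil)
	if err != nil {
		return "", errors.New("first information rejected")
	}
	return string(pt), nil
}

// temporaryKey is step S5 on the applicant and step S103 on the verifier: the page's
// MD5 "signature" over firstInfo||userKey, appended to firstInfo.
func temporaryKey(firstInfo, userKey string) string { return firstInfo + md5Hex(firstInfo+userKey) }

// token hashes "userID + temporary key + parameters sorted by name + timestamp";
// joining the sorted parameters as k=v pairs with & is an assumption.
func token(userID, tempKey string, params map[string]string, ts int64) string {
	keys := make([]string, 0, len(params))
	for k := range params {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	for i, k := range keys {
		keys[i] = k + "=" + params[k]
	}
	return md5Hex(userID + tempKey + strings.Join(keys, "&") + strconv.FormatInt(ts, 10))
}

// Apply runs steps S1-S5 on the first system and builds the first token.
func Apply(userID, userKey, permName, field string, now time.Time) (Request, error) {
	ids, ok := permIDsByName[permName]
	if !ok {
		return Request{}, errors.New("unknown permission name")
	}
	var total time.Duration
	for _, id := range ids {
		total += durationByID[id]
	}
	info := strings.Join(ids, ",") + "->" + strconv.FormatInt(now.Add(total).UnixMilli(), 10)
	firstInfo, err := sealHex([]byte(userKey), info)
	if err != nil {
		return Request{}, err
	}
	params := map[string]string{"AuthorityRange": firstInfo, "Field": field}
	ts := now.UnixMilli()
	return Request{userID, params, ts, token(userID, temporaryKey(firstInfo, userKey), params, ts)}, nil
}

// Verify runs steps S102-S105 on the second system: key lookup, expiry check,
// scope check, then constant-time comparison against the recomputed second token.
func Verify(req Request, keys map[string]string, now time.Time) error {
	userKey, ok := keys[req.UserID]
	if !ok {
		return errors.New("unknown user")
	}
	firstInfo := req.Params["AuthorityRange"]
	info, err := openHex([]byte(userKey), firstInfo)
	if err != nil {
		return err
	}
	idPart, expPart, found := strings.Cut(info, "->")
	expiry, perr := strconv.ParseInt(expPart, 10, 64)
	if !found || perr != nil {
		return errors.New("malformed permission information")
	}
	if now.UnixMilli() > expiry {
		return errors.New("authorization expired")
	}
	if !strings.Contains(","+idPart+",", ","+req.Params["Field"]+",") {
		return errors.New("request outside authorized scope")
	}
	token2 := token(req.UserID, temporaryKey(firstInfo, userKey), req.Params, req.Timestamp)
	if subtle.ConstantTimeCompare([]byte(token2), []byte(req.Token)) != 1 {
		return errors.New("token mismatch")
	}
	return nil
}
```

The cases a practitioner would check against this: a "login" grant ends after 2 min 06.570 s and is then refused as expired; a call naming ID 003 under a "login" grant is refused by the scope check before any token comparison; changing any parameter after the fact makes the recomputed token2 differ; and first information sealed under a different user key fails decryption outright. Two weaknesses of the page's scheme that the example deliberately keeps, because they are the page's design, should be fixed in a deployment: MD5 over secret-and-data is not a MAC and MD5 is collision-broken, so HMAC-SHA256 should replace both MD5 uses; and the timestamp is hashed but never checked for freshness, so a captured request replays until the permission expiry time unless the verifier also enforces a clock window and remembers recently seen tokens.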
The permission request verification method of this embodiment verifies the first token by generating a second token from a temporary verification key, so that the user key itself is never transmitted; this protects the user key and in turn the system.
Further, the first token carries a temporary request key produced by encrypting the permission ID(s) to be requested and the permission expiry time under the user key and hashing the result together with the user key, which protects the user key while keeping the authorization within a defined scope and period, and so protects the system.
Further, mapping permission names to permission IDs refines permissions and bounds the permission scope precisely, protecting the system's permissions.
Further, the permission expiry time controls for how long a permission can be used, protecting the system.
Further, because the permission request verification method, apparatus, device and storage medium of this application verify the first token with a second token generated from a temporary verification key, and control the scope and validity period of permissions through the permission ID and the permission expiry time, they are also applicable to smart cities, big data, financial technology and other fields that involve permission management.
FIG. 2 is a schematic structural diagram of a permission request verification apparatus 1 according to an embodiment of the present application. As shown in FIG. 2, the apparatus 1 includes an obtaining module 10, a key generation module 11 and a verification module 12.
The obtaining module 10 is configured to receive a first token requesting permission, the first token including a user ID, permission-call interface parameters and a timestamp, and to obtain a user key according to the user ID.
The key generation module 11 is configured to obtain a temporary verification key according to the user key and the permission-call interface parameters.
The verification module 12 is configured to generate a second token according to the user ID, the temporary verification key, the permission-call interface parameters and the timestamp, to compare the first token with the second token and, if they are identical, to treat the permission request as verified and grant authorization according to the permission-call interface parameters.
The specific way each module of the apparatus implements its function can be found in the corresponding steps of the embodiment above and is not repeated here.
Please refer to FIG. 3, a schematic structural diagram of a permission request verification device 30 according to an embodiment of the present application. As shown in FIG. 3, the device 30 includes a memory 32, a processor 31 and a computer program stored in the memory 32 and executable on the processor 31; when the processor 31 executes the computer program it carries out the permission request verification method described above.
Refer to FIG. 4, a schematic structural diagram of a storage medium according to an embodiment of the present application. As shown in FIG. 4, the storage medium stores computer-readable instructions 41 which, when executed by one or more processors, cause the one or more processors to carry out the permission request verification method described above.
A person of ordinary skill in the art will understand that all or part of the processes of the above method embodiments can be carried out by a computer program instructing the relevant hardware. The computer program can be stored in a computer-readable storage medium and, when executed, can include the processes of the method embodiments above. The storage medium may be a non-volatile storage medium such as a magnetic disk, an optical disk or a read-only memory (ROM), or a volatile storage medium such as a random access memory (RAM).
The technical features of the above embodiments can be combined arbitrarily. For brevity, not every possible combination of the technical features of the above embodiments is described; however, any combination of these technical features that involves no contradiction should be considered within the scope of this specification.
The above embodiments express only some implementations of the present application, and their description is relatively specific and detailed, but they should not be understood as limiting the patent scope of the present application. It should be pointed out that a person of ordinary skill in the art can make several modifications and improvements without departing from the concept of the present application, and these all fall within the protection scope of the present application. Therefore, the protection scope of the present patent application shall be determined by the appended claims.

Claims (20)

1、一种权限申请验证方法,其中,所述权限申请验证方法包括:1. A permission application verification method, wherein the permission application verification method includes:
接收申请权限的第一令牌,所述第一令牌包括用户ID、权限调用接口参数及时间戳;Receiving a first token for applying for permission, where the first token includes a user ID, permission calling interface parameters, and a timestamp;
依据所述用户ID获取用户密钥;Obtaining a user key according to the user ID;
依据所述用户密钥及所述权限调用接口参数获取临时验证密钥;Obtaining a temporary verification key according to the user key and the permission call interface parameters;
依据所述用户ID、所述临时验证密钥、所述权限调用接口参数及所述时间戳生成第二令牌;Generate a second token according to the user ID, the temporary verification key, the authority calling interface parameter, and the timestamp;
对比所述第一令牌与所述第二令牌是否一致,若一致,则权限申请验证通过并依据所述权限调用接口参数进行授权。Compare whether the first token and the second token are consistent. If they are consistent, the authorization application is verified and authorization is performed according to the authorization call interface parameters.
2、根据权利要求1所述权限申请验证方法,其中,所述第一令牌还包括临时申请密钥,所述临时申请密钥采用如下方法获得:2. The authorization application verification method according to claim 1, wherein the first token further includes a temporary application key, and the temporary application key is obtained by the following method:
获取所述用户密钥及待授权的至少一个权限ID;Obtaining the user key and at least one authorization ID to be authorized;
依据所述权限ID计算权限终止期,所述权限终止期为终止权限授权的时间;Calculate the permission termination period according to the permission ID, and the permission termination period is the time for terminating the permission authorization;
依据所述权限ID、所述权限终止期生成权限信息;Generating authority information according to the authority ID and the authority termination period;
使用所述用户密钥对所述权限信息加密生成第一信息;Encrypting the authority information by using the user key to generate first information;
依据所述第一信息和所述用户密钥生成所述临时申请密钥。The temporary application key is generated according to the first information and the user key.
3、根据权利要2所述权限申请验证方法,其中,所述依据所述待授权权限名称获取待授权的至少一个权限ID,包括:3. The authorization application verification method according to claim 2, wherein the obtaining at least one authorization ID to be authorized according to the authorization name to be authorized includes:
依据所述权限名称从存储有多个权限名称与多个权限ID对应关系的数据库中获取至少一个与其对应的所述权限ID。According to the authority name, at least one authority ID corresponding to the authority ID is obtained from a database storing a plurality of authority names and a plurality of authority IDs.
4、根据权利要求3所述权限申请验证方法,其中,所述依据所述权限ID计算权限终止期,包括:4. The permission application verification method according to claim 3, wherein the calculating the permission termination period according to the permission ID includes:
依据所述权限ID的个数及其对应的权限计算所述权限终止期。The right termination period is calculated according to the number of the right ID and the corresponding right.
5、根据权利要2所述权限申请验证方法,其中,所述依据所述第一信息和所述用户密钥生成所述临时申请密钥,包括;5. The authorization application verification method according to claim 2, wherein said generating said temporary application key based on said first information and said user key includes;
依据所述第一信息和所述用户密钥生成第一数字签名;及Generate a first digital signature according to the first information and the user key; and
依据所述第一数字签名与所述第一信息生成所述临时申请密钥。The temporary application key is generated according to the first digital signature and the first information.
6、根据权利要求2所述权限申请验证方法,其中,所述第一令牌中的所述权限调用接口参数包括权限范围参数,所述权限范围参数包括所述第一信息,所述依据所述用户密钥及所述权限调用接口参数获取临时验证密钥,包括:6. The permission application verification method according to claim 2, wherein the permission calling interface parameter in the first token includes a permission range parameter, the permission range parameter includes the first information, and the basis The user key and the authorization call interface parameters to obtain the temporary verification key include:
依据所述第一信息和所述用户密钥生成第二数字签名;及Generate a second digital signature according to the first information and the user key; and
依据所述第二数字签名与所述第一信息生成所述临时验证密钥。The temporary verification key is generated according to the second digital signature and the first information.
7. The permission request verification method according to claim 2, wherein the permission request verification method further comprises:
decrypting the first information with the user key to obtain the permission ID to be authorized and its permission expiry time;
judging, according to the permission expiry time and the current time, whether the first token is outside the authorization time limit;
if it is outside the authorization time limit, the permission request fails verification;
if it is within the authorization time limit, judging, according to the permission ID to be authorized, the user ID and the permission invocation interface parameters, whether the first token is outside the authorization scope;
if it is outside the authorization scope, the permission request fails verification;
if it is within the authorization scope, comparing whether the first token and the second token are consistent.
8. A permission request verification apparatus, wherein the permission request verification apparatus comprises:
an obtaining module, configured to receive a first token requesting a permission, the first token comprising a user ID, permission invocation interface parameters and a timestamp, and to obtain a user key according to the user ID;
a key generation module, configured to obtain a temporary verification key according to the user key and the permission invocation interface parameters; and
a verification module, configured to generate a second token according to the user ID, the temporary verification key, the permission invocation interface parameters and the timestamp, and to compare whether the first token and the second token are consistent; if they are consistent, the permission request passes verification and authorization is granted according to the permission invocation interface parameters.
9. A permission request verification device, wherein the permission request verification device comprises a processor and a memory coupled to the processor, wherein
the memory stores computer-readable instructions which, when executed by the processor, cause the processor to perform the following steps:
receiving a first token requesting a permission, the first token comprising a user ID, permission invocation interface parameters and a timestamp;
obtaining a user key according to the user ID;
obtaining a temporary verification key according to the user key and the permission invocation interface parameters;
generating a second token according to the user ID, the temporary verification key, the permission invocation interface parameters and the timestamp; and
comparing whether the first token and the second token are consistent; if they are consistent, the permission request passes verification and authorization is granted according to the permission invocation interface parameters.
10. The permission request verification device according to claim 9, wherein the first token further comprises a temporary request key, and the temporary request key is obtained by the following method:
obtaining the user key and at least one permission ID to be authorized;
calculating a permission expiry time according to the permission ID, the permission expiry time being the time at which the permission authorization ends;
generating permission information according to the permission ID and the permission expiry time;
encrypting the permission information with the user key to generate first information; and
generating the temporary request key according to the first information and the user key.
11. The permission request verification device according to claim 10, wherein obtaining at least one permission ID to be authorized according to the name of the permission to be authorized comprises:
obtaining, according to the permission name, at least one permission ID corresponding to it from a database that stores correspondences between a plurality of permission names and a plurality of permission IDs.
12. The permission request verification device according to claim 11, wherein calculating the permission expiry time according to the permission ID comprises:
calculating the permission expiry time according to the number of permission IDs and the permissions corresponding to them.
13. The permission request verification device according to claim 10, wherein generating the temporary request key according to the first information and the user key comprises:
generating a first digital signature according to the first information and the user key; and
generating the temporary request key according to the first digital signature and the first information.
14. The permission request verification device according to claim 10, wherein the permission invocation interface parameters in the first token comprise a permission scope parameter, the permission scope parameter comprises the first information, and obtaining the temporary verification key according to the user key and the permission invocation interface parameters comprises:
generating a second digital signature according to the first information and the user key; and
generating the temporary verification key according to the second digital signature and the first information.
15. A storage medium storing computer-readable instructions which, when executed by one or more processors, cause the one or more processors to perform the following steps:
receiving a first token requesting a permission, the first token comprising a user ID, permission invocation interface parameters and a timestamp;
obtaining a user key according to the user ID;
obtaining a temporary verification key according to the user key and the permission invocation interface parameters;
generating a second token according to the user ID, the temporary verification key, the permission invocation interface parameters and the timestamp; and
comparing whether the first token and the second token are consistent; if they are consistent, the permission request passes verification and authorization is granted according to the permission invocation interface parameters.
16. The storage medium storing computer-readable instructions according to claim 15, wherein the first token further comprises a temporary request key, and the temporary request key is obtained by the following method:
obtaining the user key and at least one permission ID to be authorized;
calculating a permission expiry time according to the permission ID, the permission expiry time being the time at which the permission authorization ends;
generating permission information according to the permission ID and the permission expiry time;
encrypting the permission information with the user key to generate first information; and
generating the temporary request key according to the first information and the user key.
17. The storage medium storing computer-readable instructions according to claim 16, wherein obtaining at least one permission ID to be authorized according to the name of the permission to be authorized comprises:
obtaining, according to the permission name, at least one permission ID corresponding to it from a database that stores correspondences between a plurality of permission names and a plurality of permission IDs.
18. The storage medium storing computer-readable instructions according to claim 17, wherein calculating the permission expiry time according to the permission ID comprises:
calculating the permission expiry time according to the number of permission IDs and the permissions corresponding to them.
19. The storage medium storing computer-readable instructions according to claim 16, wherein generating the temporary request key according to the first information and the user key comprises:
generating a first digital signature according to the first information and the user key; and
generating the temporary request key according to the first digital signature and the first information.
20. The storage medium storing computer-readable instructions according to claim 16, wherein the permission invocation interface parameters in the first token comprise a permission scope parameter, the permission scope parameter comprises the first information, and obtaining the temporary verification key according to the user key and the permission invocation interface parameters comprises:
generating a second digital signature according to the first information and the user key; and
generating the temporary verification key according to the second digital signature and the first information.
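The token flow of claims 1 to 7, which claims 8 to 20 restate for the apparatus, device and storage medium, worked through end to end as an added example. This is editor's code, not an implementation from the patent or its applicant, and it fixes several things the claims leave open: the digital signature of claims 5 and 6 is realised as HMAC-SHA256; the unspecified symmetric cipher for the first information is stood in by an HMAC-SHA256 counter-mode keystream (a real deployment would use AES-GCM from a vetted library); the user-key table, the permission name-to-ID table of claim 3, the per-permission lifetimes behind the expiry calculation of claim 4 and the endpoint-to-permission mapping behind the scope check of claim 7 are constructed sample data; and the temporary request key is used only as the MAC key of the first token and is never transmitted, because a token that carried it in clear would let anyone who captured the token sign further requests for the same scope. The example verifies the MAC before decoding the attacker-controllable scope field, whereas claim 7 lists the expiry and scope checks ahead of the comparison, and it adds a replay window on the timestamp that the claims do not state.

```python
import base64
import hashlib
import hmac
import json
import os

# Constructed sample data standing in for the server's stores (not from the patent).
USER_KEYS = {"alice": hashlib.sha256(b"demo-user-key-alice").digest()}  # user ID -> user key
PERMISSION_DB = {"read_report": 101, "export_report": 102}  # permission name -> permission ID (claim 3)
PERMISSION_TTL = {101: 3600, 102: 600}  # lifetime in seconds per permission ID
ENDPOINT_PERMISSION = {"/reports/export": 102}  # API -> permission ID it requires


def permission_ids_for(names):
    """Claim 3: look up the permission IDs that correspond to the permission names."""
    return sorted(PERMISSION_DB[n] for n in names)


def expiry_for(perm_ids, now):
    """Claim 4: expiry from the number of permission IDs and the permissions themselves.
    Constructed policy: shortest lifetime in the bundle, halved when more than one ID is bundled."""
    ttl = min(PERMISSION_TTL[p] for p in perm_ids)
    if len(perm_ids) > 1:
        ttl //= 2
    return now + ttl


def _keystream_xor(key, nonce, data):
    """Stand-in cipher (assumption): HMAC-SHA256 driven in counter mode as a keystream.
    Use AES-GCM from a vetted library in real deployments."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hmac.new(key, nonce + off.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[off:off + 32], block))
    return bytes(out)


def encrypt_permission_info(user_key, perm_ids, expiry):
    """Claim 2: permission information = (IDs, expiry); first information = Enc(user key, information)."""
    info = json.dumps({"ids": perm_ids, "exp": expiry}, sort_keys=True).encode()
    enc_key = hmac.new(user_key, b"enc", hashlib.sha256).digest()  # sub-key kept separate from the MAC use
    nonce = os.urandom(12)
    return base64.urlsafe_b64encode(nonce + _keystream_xor(enc_key, nonce, info)).decode()


def decrypt_permission_info(user_key, first_info):
    """Claim 7: recover the permission IDs and the expiry time from the first information."""
    raw = base64.urlsafe_b64decode(first_info)
    enc_key = hmac.new(user_key, b"enc", hashlib.sha256).digest()
    return json.loads(_keystream_xor(enc_key, raw[:12], raw[12:]))


def issue_scope(user_key, perm_names, issued_at):
    """Claims 2 to 4 on the issuing side: names -> IDs, expiry from the IDs, encrypt under the user key."""
    ids = permission_ids_for(perm_names)
    return encrypt_permission_info(user_key, ids, expiry_for(ids, issued_at))


def derive_temp_key(user_key, first_info):
    """Claims 5 and 6: signature = HMAC(user key, first information); key = H(signature || first information).
    The client (temporary request key) and the server (temporary verification key) run this same function."""
    sig = hmac.new(user_key, first_info.encode(), hashlib.sha256).digest()
    return hashlib.sha256(sig + first_info.encode()).digest()


def token_mac(temp_key, user_id, params, ts):
    """Token value over user ID, interface parameters and timestamp, keyed with the temporary key."""
    msg = json.dumps([user_id, params, ts], sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(temp_key, msg, hashlib.sha256).hexdigest()


def build_request_token(user_id, user_key, first_info, api, now):
    """Client side: the first token carries the user ID, the parameters (scope = first information),
    the timestamp and the MAC; the temporary request key itself stays on the client."""
    params = {"api": api, "scope": first_info}
    temp_key = derive_temp_key(user_key, first_info)
    return {"user_id": user_id, "params": params, "ts": now,
            "mac": token_mac(temp_key, user_id, params, now)}


def verify_request_token(token, now, max_skew=300):
    """Server side (claims 1 and 7). Returns (ok, reason)."""
    user_key = USER_KEYS.get(token["user_id"])  # claim 1: user key obtained from the user ID
    if user_key is None:
        return False, "unknown user"
    params = token["params"]
    first_info = params.get("scope", "")
    temp_key = derive_temp_key(user_key, first_info)  # temporary verification key
    second = token_mac(temp_key, token["user_id"], params, token["ts"])  # second token
    if not hmac.compare_digest(second, token["mac"]):  # constant-time comparison, never ==
        return False, "token mismatch"
    if abs(now - token["ts"]) > max_skew:  # replay window; an added check the claims do not state
        return False, "stale timestamp"
    try:
        info = decrypt_permission_info(user_key, first_info)
    except ValueError:
        return False, "undecodable scope"
    if now >= info["exp"]:  # claim 7: authorization time limit
        return False, "authorization expired"
    required = ENDPOINT_PERMISSION.get(params.get("api"))
    if required is None or required not in info["ids"]:  # claim 7: authorization scope
        return False, "out of scope"
    return True, "ok"
```

Two details carry the security of the scheme: the first and second token are compared with hmac.compare_digest rather than ==, and the first information is bound into the MAC both through the derived key and through the parameters, so changing the scope, the API or the timestamp invalidates the token rather than merely shifting its expiry.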
PCT/CN2020/118444 2020-07-28 2020-09-28 Permissions request verification method and apparatus, device, and storage medium WO2021139244A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202010738614.5 2020-07-28
CN202010738614.5A CN111901342B (en) 2020-07-28 2020-07-28 Authority application verification method, device, equipment and storage medium

Publications (1)

Publication Number Publication Date
WO2021139244A1 true WO2021139244A1 (en) 2021-07-15

Family

ID=73182246

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2020/118444 WO2021139244A1 (en) 2020-07-28 2020-09-28 Permissions request verification method and apparatus, device, and storage medium

Country Status (2)

Country Link
CN (1) CN111901342B (en)
WO (1) WO2021139244A1 (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114444029A (en) * 2022-01-11 2022-05-06 北京易智时代数字科技有限公司 Use right verification method and device during VR application operation and electronic equipment
CN114498707A (en) * 2022-02-14 2022-05-13 青岛艾迪森科技股份有限公司 Intelligent peak shifting and valley filling superposed photovoltaic power generation power supply operation system and method
CN114697099A (en) * 2022-03-24 2022-07-01 浪潮云信息技术股份公司 Multi-party authorization authentication scheme based on elliptic curve encryption algorithm

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116720172B (en) * 2023-08-07 2024-01-30 四川神州行网约车服务有限公司 Verification method and device for system permission, computer equipment and readable storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20160277363A1 (en) * 2015-03-17 2016-09-22 Ca, Inc. System and method of mobile authentication
CN108183907A (en) * 2017-12-29 2018-06-19 浪潮通用软件有限公司 A kind of authentication method, server and Verification System
CN108322469A (en) * 2018-02-05 2018-07-24 北京百度网讯科技有限公司 Information processing system, method and apparatus
CN108830099A (en) * 2018-05-04 2018-11-16 平安科技(深圳)有限公司 Call verification method, device, computer equipment and the storage medium of api interface

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE102016200003A1 (en) * 2016-01-04 2017-07-06 Bundesdruckerei Gmbh Access control via authentication server

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114444029A (en) * 2022-01-11 2022-05-06 北京易智时代数字科技有限公司 Use right verification method and device during VR application operation and electronic equipment
CN114498707A (en) * 2022-02-14 2022-05-13 青岛艾迪森科技股份有限公司 Intelligent peak shifting and valley filling superposed photovoltaic power generation power supply operation system and method
CN114498707B (en) * 2022-02-14 2023-04-11 青岛艾迪森科技股份有限公司 Intelligent peak shifting and valley filling superposed photovoltaic power generation power supply operation system and method
CN114697099A (en) * 2022-03-24 2022-07-01 浪潮云信息技术股份公司 Multi-party authorization authentication scheme based on elliptic curve encryption algorithm
CN114697099B (en) * 2022-03-24 2024-05-17 浪潮云信息技术股份公司 Multiparty authorization authentication method based on elliptic curve encryption algorithm

Also Published As

Publication number Publication date
CN111901342A (en) 2020-11-06
CN111901342B (en) 2022-06-17

Similar Documents

Publication Publication Date Title
WO2021114923A1 (en) Data storage method and apparatus and data reading method and apparatus for private data
CN108964885B (en) Authentication method, device, system and storage medium
US9996679B2 (en) Methods and apparatus for device authentication and secure data exchange between a server application and a device
WO2021139244A1 (en) Permissions request verification method and apparatus, device, and storage medium
EP3388965B1 (en) System and method for facilitating multi-connection-based authentication
US10382426B2 (en) Authentication context transfer for accessing computing resources via single sign-on with single use access tokens
EP1914658B1 (en) Identity controlled data center
WO2022121461A1 (en) Method, apparatus and device for constructing token for cloud platform resource access control
US8918641B2 (en) Dynamic platform reconfiguration by multi-tenant service providers
WO2017020452A1 (en) Authentication method and authentication system
CN108809659A (en) Generation, verification method and system, the dynamic password system of dynamic password
CN110096849A (en) A kind of License authorization and authentication method, device, equipment and readable storage medium storing program for executing
US11258601B1 (en) Systems and methods for distributed digital rights management with decentralized key management
US11050560B2 (en) Secure reusable access tokens
CN112487450A (en) File server access grading method
CN106992978B (en) Network security management method and server
CN111563279A (en) Cloud data privacy protection system based on block chain
US11616780B2 (en) Security protection against threats to network identity providers
WO2023116239A1 (en) Permission determination method and apparatus, and computer device and computer-readable storage medium
WO2022144024A1 (en) Attribute-based encryption keys as key material for key-hash message authentication code user authentication and authorization
CN109889342A (en) Interface testing method for authenticating, device, electronic equipment and storage medium
EP3975015B1 (en) Applet package sending method and device and computer readable medium
CN109802927A (en) A kind of security service providing method and device
US9565174B2 (en) Information processing server system, control method, and program
CN107360183A (en) A kind of method and device of hiding checking information

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 20911735

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 20911735

Country of ref document: EP

Kind code of ref document: A1