CN104994064B - A kind of authorization and authentication method and system based on client plug-in - Google Patents
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
Abstract
An authorization and authentication method and system based on a client plug-in, comprising: the plug-in of platform A's client submits platform B's identification information to platform A's client, requesting that B be authorized to use A's service; after A's client is authorized, it submits B's identification information and the user's identity information to A's back-end server, which returns an authentication code to A's client; A's client passes the authentication code to B through the client plug-in; B obtains the current user's identity, converts the authentication code into an access token, and returns the generated access token to the plug-in of A's client; the plug-in then calls B's interfaces using the access token. The invention solves the problem of how two platforms that both provide OAuth-protocol authentication and authorization can cooperate to provide services externally.
Description
Technical field
The present invention relates to the field of computer technology, and in particular to an authorization and authentication method and system based on a client plug-in.
Background technology
In Internet era, the service of itself can be encapsulated as interface by certain platforms, be used for third party developer.These
Platform we be commonly referred to as open platform.Third party developer, can be very easily by the interface that open platform is called to provide
It imports user information, the services such as supplement with money is provided, a large amount of exploitation and operation cost have been saved for third party developer.
For open platform, because user information is supplied to third party developer, this relates to recognizing to user
Card and mandate.OAuth Certificate Authorities agreement is come into being as a result,.One typical OAuth application generally includes Three role,
It is respectively:Consumer:Consumer, Service Provider:ISP and User:User.It is exemplified below:One
There are one functions for SNS tools, can allow member that their contact persons on Google are imported on SNS, then consumption at this time
Side is exactly SNS, and ISP is then Google, and user is SNS user.
Up to the present, OAuth agreements are widely used by everybody there are two version, respectively OAuth1.0a with
OAuth2.0.In OAuth1.0a, pre- one Request Token of first to file (request token) is needed using side, is awarded in user
Quan Hou, application can obtain a Request Token authorized, be changed to this Request Token in rear end
Access Token (access token) hereafter call the service interface of open platform using this Access Token;
In OAuth2.0, directly user is required to authorize using side, after user authorizes, application can obtain an Auth authorized
This Auth Code is changed to Access Token by Code (authentication code) in rear end, hereafter uses this Access Token
Call the service interface of open platform.Simultaneously as OAuth2.0 is by https agreements, and OAuth1.0a is not used
Https needs the calculate the signature when each information is transmitted, and makes OAuth2.0 protocol realizations easy more than OAuth1.0a, so
For OAuth2.0 at present using widely, substantially each open platform both provides the support of OAuth2.0.
Wherein, OAuth1.0 defines Three role:User, Service Provider, Consumer, as shown in Figure 1,
The flow of Oauth1.0a is described below:
1:Consumer asks Request Token;
2:Service provider authorization Request Token;
3:Consumer directional user is to ISP;
4:After obtaining user's mandate, ISP directional user to consumer;
5:Consumer asks Access Token;
6:Service provider authorization Access Token;
7:Consumer accesses shielded resource.
OAuth2.0 then defines four kinds of roles:Resource Owner (Resource Owner):User、Resource
Server (Resource Server):Service Provider (ISP), Client (client):Consumer (consumption
Just), Authorization Server (authentication server):Service Provider.
3 kinds of modes for obtaining Access Token below OAuth2.0 service supports:
A.Authorization Code:Web Server Flow (server-side flow) have Server ends suitable for all
The application of cooperation;(idiographic flow of option A is as shown in Figure 2)
B.Implicit Grant (Implicit authorization):User-Agent Flow (client flow), suitable for being whether there is
The application of Server ends cooperation;
C.Refresh Token (refresh token):Token refreshes mode, has answering for Server ends cooperation suitable for all
With.
At present, it is the one-sided service for using open platform for application side, OAuth has been able to solve this well
A problem.But popularizing with this concept of open platform, much the service of oneself all can be encapsulated as connecing by companies now
Mouthful, externally provide service with the identity of open platform.Thus it is related to how two open platforms cooperate with each other, user is carried
For service.
It can be seen that the OAuth agreements of standard can only handle situation of the platform to an application at present, for application
It is the pure service provided using open platform for side;Two open platforms cannot be supported to cooperate jointly, common service
The situation of user.With popularizing for open platform thought, more and more companies can be by the business of oneself with the shape of open platform
Formula externally provides service.The service that application side will no longer only be provided using open platform at this time also can be one using itself
Open platform also can externally provide service.When user needs the service provided simultaneously using two open platforms, two openings
How platform cooperates, and is current problem to be solved.
Invention content
The technical problem to be solved by the invention is to provide an authorization and authentication method and system based on a client plug-in, solving the problem of how two open platforms that both provide OAuth-protocol authentication and authorization cooperate to provide services externally.
To solve the above problem, the invention provides an authorization and authentication method based on a client plug-in, in which open platform A and open platform B both support the same OAuth protocol, comprising:
the plug-in of open platform A's client submits open platform B's identification information to open platform A's client, requesting that the user authorize open platform B to use the service provided on open platform A;
after open platform A's client is authorized, it submits open platform B's identification information and the user's identity information to open platform A's back-end server, which returns an authentication code (Auth Code) to open platform A's client;
open platform A's client passes the Auth Code to open platform B through the client plug-in; open platform B obtains the current user's identity by calling an interface of open platform A, converts the Auth Code into an access token (Access Token), and returns the generated Access Token to the plug-in of open platform A's client;
the client plug-in calls the relevant interfaces of open platform B using the Access Token.
Further, the above method may also include: the client of open platform A and the client plug-in interact with the back-end server of open platform A over the hypertext transfer security protocol https.
Further, the above method may also include: after the client of open platform A submits open platform B's identification information and the user's identity information to the back-end server of open platform A, a step in which the client of open platform A displays an authorization page.
Further, the above method may also include: the step in which open platform B returns the generated Access Token to the plug-in of open platform A's client further includes:
open platform B obtains the current user's identity by calling an interface of open platform A and queries the binding relationship between the current user's identity and a current account; if the two are not bound, it generates a local account for the current user's identity locally and records the binding relationship; open platform B then generates the Access Token directly from the obtained local account and returns it to the plug-in of open platform A's client.
Further, the above method may also include: after open platform B obtains the current user's identity by calling an interface of open platform A, open platform B displays an authorization page, and after the user agrees to authorize the plug-in of open platform A's client to use open platform B's service, returns the generated Access Token to the plug-in of open platform A's client.
Further, the above method may also include: the back-end server of open platform A stores the application key (App Secret) of the user's application.
The invention also provides an authorization and authentication system based on a client plug-in, comprising: the client of open platform A, the plug-in of open platform A's client, the back-end server of open platform A, and open platform B, where open platform A and open platform B both support the same OAuth protocol;
the plug-in of open platform A's client is configured to submit open platform B's identification information to open platform A's client, requesting that the user authorize open platform B to use the service provided on open platform A; to receive the authentication code (Auth Code) sent by open platform A's client and pass it to open platform B; and to call the relevant interfaces of open platform B using the access token (Access Token) returned by open platform B;
the client of open platform A is configured to submit open platform B's identification information and the user's identity information to the back-end server of open platform A, and to receive the Auth Code returned by the back-end server of open platform A and pass it to the client plug-in;
the back-end server of open platform A is configured to return the Auth Code to open platform A's client after authorization;
open platform B is configured to obtain the current user's identity by calling an interface of open platform A, convert the Auth Code into an Access Token, and return the generated Access Token to the plug-in of open platform A's client.
Further, the above system may also include: the client of open platform A and the client plug-in interact with the back-end server of open platform A over the hypertext transfer security protocol https.
Further, the above system may also include: the client of open platform A is further configured to display an authorization page after submitting open platform B's identification information and the user's identity information to the back-end server of open platform A.
Further, the above system may also include: open platform B is further configured, after obtaining the current user's identity by calling an interface of open platform A, to query the binding relationship between the current user's identity and a current account; if the two are not bound, to generate a local account for the current user's identity locally and record the binding relationship; and to generate the Access Token directly from the obtained local account.
Further, the above system may also include: open platform B is further configured, after obtaining the current user's identity by calling an interface of open platform A, to display an authorization page, and after the user agrees to authorize the plug-in of open platform A's client to use open platform B's service, to return the generated Access Token to the plug-in of open platform A's client.
Further, the above system may also include: the back-end server of open platform A is further configured to store the application key (App Secret) of the user's application.
Compared with the prior art, the invention solves the problem of how two open platforms that support the same OAuth protocol cooperate within a client program. With the invention, the two open platforms exchange OAuth authentication information through the client plug-in, no information is leaked in transit, the user experience is good, and the user can smoothly use the service provided by another open platform from within the client program provided by one open platform, which has practical significance.
Description of the drawings
To explain the technical solutions of the embodiments of the invention more clearly, the drawings needed to describe the embodiments are briefly introduced below. Clearly, the drawings described below are only some embodiments of the invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow diagram of an existing authentication and authorization flow;
Fig. 2 is a flow diagram of another existing authentication and authorization flow;
Fig. 3 is a flow diagram of the authorization and authentication method based on a client plug-in of the invention;
Fig. 4 is a structure diagram of the authorization and authentication system based on a client plug-in of the invention;
Fig. 5 is a schematic diagram of the interactions and connections between the components in the client-plug-in based authorization and authentication flow of an example of the invention.
Specific embodiment
The technical solutions in the embodiments of the invention are described below clearly and completely with reference to the drawings of the embodiments. Clearly, the described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments obtained by those of ordinary skill in the art based on the embodiments of the invention without creative work fall within the protection scope of the invention.
The central idea of the invention is as follows. The client program does not store the application's App Secret (application key); the App Secret is stored only on the back-end server, so that a cracked client program cannot leak it. The client and the client plug-in call the back-end server's interfaces only over https, so that requests cannot be eavesdropped and key information leaked. Between the open platforms, the client plug-in transmits the Auth Code rather than the Access Token: on the one hand because the App Secret is not stored in the client, and exchanging an Auth Code for an Access Token requires the App Secret; on the other hand because an Auth Code can be used only once, so that even if it leaks (for example, when the client does not verify the https certificate, which may lead to information leakage), no security problem results. User information is not transmitted directly between the open platforms, to prevent it being maliciously tampered with and opening a loophole for mass registration of accounts.
This solution also supports, for deeply cooperating partners, a special flow that skips the OAuth authorization page in order to improve user experience.
As shown in Figure 3, the authorization and authentication method based on a client plug-in of the invention, in which open platform A and open platform B both support the same OAuth protocol, includes the following steps:
Step 310: the plug-in of open platform A's client submits open platform B's identification information to open platform A's client, requesting that the user authorize open platform B to use the service provided on open platform A;
Step 320: after being authorized, open platform A's client submits open platform B's identification information and the user's identity information to open platform A's back-end server, which returns an Auth Code to open platform A's client;
The client of open platform A and the client plug-in interact with the back-end server of open platform A over https (the hypertext transfer security protocol).
After the client of open platform A submits open platform B's identification information and the user's identity information to the back-end server of open platform A, the method may also include a step in which the client of open platform A displays an authorization page. (This step is optional: to improve user experience, a special flow that skips the OAuth authorization page can be provided for deeply cooperating partners.)
The authorization interface can be provided by the client of open platform A, or by the back-end server of open platform A (with A's client wrapping the page). If it is provided by the back-end server of open platform A, the client of open platform A must submit open platform B's identification information and the information identifying the user to the back-end server of open platform A in order to display the authorization page.
Step 330: open platform A's client passes the Auth Code to open platform B through the client plug-in; open platform B obtains the current user's identity by calling an interface of open platform A, converts the Auth Code into an Access Token, and returns the generated Access Token to the plug-in of open platform A's client;
The step in which open platform B returns the generated Access Token to the plug-in of open platform A's client further includes:
open platform B obtains the current user's identity by calling an interface of open platform A and queries the binding relationship between the current user's identity and a current account; if the two are not bound, it generates a local account for the current user's identity locally and records the binding relationship; open platform B then generates the Access Token directly from the obtained local account and returns it to the plug-in of open platform A's client.
After open platform B obtains the current user's identity by calling an interface of open platform A, the method may also include: open platform B displays an authorization page, and after the user agrees to authorize the plug-in of open platform A's client to use open platform B's service, returns the generated Access Token to the plug-in of open platform A's client. (This step is likewise optional: to improve user experience, a special flow that skips the OAuth authorization page can be provided for deeply cooperating partners.)
Step 340: the client plug-in calls the relevant interfaces of open platform B using the Access Token.
Here, the client of open platform A does not store the App Secret of the user's application; the back-end server of open platform A stores it, so that a cracked client of open platform A cannot leak the App Secret.
As shown in Figure 4, an authorization and authentication system based on a client plug-in comprises: the client of open platform A, the plug-in of open platform A's client, the back-end server of open platform A, and open platform B, where open platform A and open platform B both support the same OAuth protocol;
the plug-in of open platform A's client is configured to submit open platform B's identification information to open platform A's client, requesting that the user authorize open platform B to use the service provided on open platform A; to receive the Auth Code sent by open platform A's client and pass it to open platform B; and to call the relevant interfaces of open platform B using the Access Token returned by open platform B;
the client of open platform A is configured to submit open platform B's identification information and the user's identity information to the back-end server of open platform A, and to receive the Auth Code returned by the back-end server of open platform A and pass it to the client plug-in;
the back-end server of open platform A is configured to return the Auth Code to open platform A's client after authorization;
open platform B is configured to obtain the current user's identity by calling an interface of open platform A, convert the Auth Code into an Access Token, and return the generated Access Token to the plug-in of open platform A's client.
The client of open platform A and the client plug-in interact with the back-end server of open platform A over https.
The client of open platform A is further configured to display an authorization page after submitting open platform B's identification information and the user's identity information to the back-end server of open platform A.
Open platform B is further configured, after obtaining the current user's identity by calling an interface of open platform A, to query the binding relationship between the current user's identity and a current account; if the two are not bound, to generate a local account for the current user's identity locally and record the binding relationship; and to generate the Access Token directly from the obtained local account.
Open platform B is further configured, after obtaining the current user's identity by calling an interface of open platform A, to display an authorization page, and after the user agrees to authorize the plug-in of open platform A's client to use open platform B's service, to return the generated Access Token to the plug-in of open platform A's client.
The back-end server of open platform A is further configured to store the App Secret of the user's application, so that a cracked client of open platform A cannot leak the App Secret.
The invention is further described below with a specific example. As shown in Figure 5, the interactions and connections between the components in the client-plug-in based authorization and authentication flow are as follows:
Step 1: Open the client program of open platform A;
Explanation: the back end of the client program is open platform A. The user logs in on open platform A through the OAuth 2.0 protocol, and all authorization operations are completed through this client program; the flow below describes in detail how the login and authorization operations are completed.
Step 2: Open the plug-in program in the client in order to use a service provided by open platform B;
Explanation: such a plug-in is typically developed to let users use services on open platform B. When open platform B also provides OAuth 2.0 authentication and authorization, this is the application scenario of the invention.
Step 3: The client plug-in submits open platform B's identification information to the client program, requesting that the user authorize open platform B to use the service provided on open platform A;
Explanation: according to the OAuth protocol, open platform A assigns open platform B an identity, commonly called a Client Id or App Key. When the user wants to use open platform B's service through the plug-in, open platform B must first obtain the user's identity from open platform A. At this point the Client Id or App Key must be submitted to the client program, which asks the user to authorize open platform B to use the service provided on A (reading the current user's information).
Step 4: The client program submits open platform B's identification information and the user's identity information to its own back-end server and displays an authorization page; after the user agrees to authorize, it submits the previous step's information to the back end again, and the back end returns an Auth Code to the client program;
Explanation: in this step, displaying the authorization page is optional. If the two platforms cooperate deeply, or the user has previously authorized platform B to use platform A's service (reading the current user's information), the authorization page may be omitted to improve user experience and the Auth Code returned directly.
Step 5: The client program returns the Auth Code to the client plug-in;
Step 6: The client plug-in passes the Auth Code to open platform B;
Explanation: open platform B needs a dedicated interface for receiving platform A's Auth Code.
Step 7: Open platform B exchanges the Auth Code for an Access Token and obtains the current user's identity by calling an interface of open platform A;
Explanation: the interface mentioned in this step is the interface of the standard OAuth 2.0 flow.
Step 8: Open platform B queries the binding relationship of the current account; if it is unbound, a local account is generated and the binding relationship recorded;
Step 9: Open platform B returns an Access Token directly to the client plug-in; it may also display an authorization page and return the Access Token to the client plug-in after the user agrees to authorize the plug-in to use open platform B's service;
Explanation: open platform B generates the Access Token directly from the local account obtained in the previous step.
Step 10: Using the client plug-in, the plug-in calls the relevant interfaces of open platform B with the Access Token.
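The ten-step flow above, together with steps 310 to 340 of the method, as an added example that is not the patent's or any real platform's code: an in-memory Python simulation of both platforms in which the App Secret is held only by A's back end and B's servers, Auth Codes are single-use, and B binds A's user identity to a local account before issuing its own Access Token. All class names, method names and identifier values are assumptions made for the illustration.

```python
# Added example (not the patent's or any real platform's code): an in-memory
# simulation of the client-plug-in flow between open platform A and open
# platform B. All names, identifiers and sample values are constructed.
import hashlib
import hmac
import secrets


class PlatformABackend:
    """Back-end server of open platform A. Only it holds B's App Secret."""

    def __init__(self):
        # Registered partner apps: Client Id -> App Secret (constructed values).
        self.apps = {"platform-b-client-id": "platform-b-app-secret"}
        self.auth_codes = {}  # single-use Auth Codes: code -> (client_id, user_id)
        self.tokens = {}  # A's Access Tokens issued to partners: token -> user_id

    def issue_auth_code(self, client_id, user_id):
        """Step 4: after the user authorizes, return an Auth Code to A's client."""
        if client_id not in self.apps:
            raise PermissionError("unknown Client Id")
        code = secrets.token_urlsafe(16)
        self.auth_codes[code] = (client_id, user_id)
        return code

    def exchange_code(self, client_id, app_secret, code):
        """Step 7: B redeems the Auth Code with its App Secret (standard OAuth 2.0)."""
        expected = self.apps.get(client_id)
        if expected is None or not hmac.compare_digest(expected, app_secret):
            raise PermissionError("bad client credentials")
        # pop() burns the code, so a second redemption of a leaked code fails.
        entry = self.auth_codes.pop(code, None)
        if entry is None or entry[0] != client_id:
            raise PermissionError("invalid or already used Auth Code")
        token = secrets.token_urlsafe(16)
        self.tokens[token] = entry[1]
        return token

    def user_info(self, token):
        """A's user-identity interface, called by B with A's Access Token."""
        return self.tokens[token]


class PlatformB:
    """Open platform B: redeems A's Auth Code, binds identities, issues its own token."""

    def __init__(self, a_backend):
        self.a = a_backend
        self.client_id = "platform-b-client-id"
        self.app_secret = "platform-b-app-secret"  # lives on B's servers only
        self.bindings = {}  # A user identity -> local B account
        self.tokens = {}  # B Access Token -> local B account

    def redeem(self, auth_code):
        """Steps 6-9: exchange the code, look up or create the binding, return B's token."""
        a_token = self.a.exchange_code(self.client_id, self.app_secret, auth_code)
        a_user = self.a.user_info(a_token)
        local = self.bindings.get(a_user)
        if local is None:  # step 8: unbound -> generate a local account and record it
            local = "b-local-" + hashlib.sha256(a_user.encode()).hexdigest()[:8]
            self.bindings[a_user] = local
        token = secrets.token_urlsafe(16)
        self.tokens[token] = local
        return token

    def api_call(self, token):
        """Step 10: an interface of B that requires B's Access Token."""
        account = self.tokens.get(token)
        if account is None:
            raise PermissionError("invalid Access Token")
        return "hello " + account


def run_plugin_flow(a_backend, user_id, b):
    """The plug-in's view of the flow: it sees only the Auth Code and B's token."""
    # Steps 3-5: A's client submits B's Client Id and the logged-in user's identity
    # to A's back end and hands the returned Auth Code to the plug-in.
    auth_code = a_backend.issue_auth_code(b.client_id, user_id)
    b_token = b.redeem(auth_code)  # steps 6-9: the plug-in passes the code to B
    return b.api_call(b_token)  # step 10: call B's interface with B's token


def replay_is_rejected(a_backend, user_id, b):
    """Show that an Auth Code is useless after its single use, even if leaked."""
    code = a_backend.issue_auth_code(b.client_id, user_id)
    b.redeem(code)
    try:
        b.redeem(code)
    except PermissionError:
        return True
    return False
```

Running the flow twice for the same user yields the same local B account, and a second redemption of an already used Auth Code is refused by A's back end.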
The embodiments in this specification are described in a progressive manner; each embodiment emphasizes its differences from the others, and the same or similar parts among the embodiments may be referred to one another.
The application may be described in the general context of computer-executable instructions, such as program modules or units. Generally, program modules or units include routines, programs, objects, components, data structures and the like that perform particular tasks or implement particular abstract data types. In general, program modules or units may be realized in software, hardware or a combination of both. The application may also be practiced in distributed computing environments, where tasks are performed by remote processing devices connected through a communication network. In a distributed computing environment, program modules or units may be located in both local and remote computer storage media, including storage devices.
Finally, it should be noted that relational terms such as first and second are used herein only to distinguish one entity or operation from another, without necessarily requiring or implying any actual relationship or order between them. Moreover, the terms "comprising", "including" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or device comprising a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element defined by the phrase "including a ..." does not exclude the presence of other identical elements in the process, method, article or device that includes the element.
The principle and implementation of the application have been described with specific examples; the above description of the embodiments serves only to help understand the method and main idea of the application. At the same time, those of ordinary skill in the art may, following the idea of the application, make changes in the specific embodiments and the scope of application. In summary, the content of this specification should not be construed as limiting the application.
A1. An authorization and authentication method based on a client plug-in, in which open platform A and open platform B both support the same OAuth protocol, characterized in that it comprises:
the plug-in of the client of open platform A submits the identification information of open platform B to the client of open platform A, requesting that the user authorize open platform B to use the services provided on open platform A;
after the client of open platform A has been authorized, it submits the identification information of open platform B and the identity information of the user to the back-end server of open platform A, and the back-end server returns an authorization code (Auth Code) to the client of open platform A;
the client of open platform A passes the Auth Code to open platform B through the plug-in of the client; open platform B obtains the identity of the current user by calling an interface of open platform A, converts the Auth Code into an access token (Access Token), and returns the generated Access Token to the plug-in of the client of open platform A;
the plug-in of the client calls the relevant interfaces of open platform B using the Access Token.
A2. The method of A1, characterized in that
the client of open platform A and the plug-in of the client interact with the back-end server of open platform A over HTTPS (Hypertext Transfer Protocol Secure).
A3. The method of A1, characterized in that
after the client of open platform A submits the identification information of open platform B and the identity information of the user to the back-end server of open platform A, the method further comprises the step of the client of open platform A displaying an authorization page.
A4. The method of A1, characterized in that
the step of open platform B returning the generated Access Token to the plug-in of the client of open platform A further comprises:
open platform B obtains the identity of the current user by calling an interface of open platform A and queries the binding relationship between the identity of the current user and a current account; if the two are not bound, it generates a local account for the identity of the current user locally and records the binding relationship; open platform B then generates the Access Token directly from the obtained local account and returns it to the plug-in of the client of open platform A.
A5. The method of A2, characterized in that
after open platform B obtains the identity of the current user by calling an interface of open platform A, the method further comprises: open platform B displays an authorization page, and after the user agrees to authorize the plug-in of the client of open platform A to use the services of open platform B, open platform B returns the generated Access Token to the plug-in of the client of open platform A.
A6. The method of A1, characterized in that
it further comprises: the back-end server of open platform A stores the application key (App Secret) of the user's application.
B7. An authorization and authentication system based on a client plug-in, characterized in that it comprises: a client of open platform A, a plug-in of the client of open platform A, a back-end server of open platform A, and open platform B, where open platform A and open platform B both support the same OAuth protocol;
the plug-in of the client of open platform A is configured to submit the identification information of open platform B to the client of open platform A, requesting that the user authorize open platform B to use the services provided on open platform A; to receive the authorization code (Auth Code) sent by the client of open platform A and pass it to open platform B; and to call the relevant interfaces of open platform B using the access token (Access Token) returned by open platform B;
the client of open platform A is configured to submit the identification information of open platform B and the identity information of the user to the back-end server of open platform A, and to receive the Auth Code returned by the back-end server of open platform A and pass it to the plug-in of the client;
the back-end server of open platform A is configured to return the Auth Code to the client of open platform A after authorization;
open platform B is configured to obtain the identity of the current user by calling an interface of open platform A, convert the Auth Code into an Access Token, and return the generated Access Token to the plug-in of the client of open platform A.
B8. The system of B7, characterized in that the client of open platform A and the plug-in of the client interact with the back-end server of open platform A over HTTPS (Hypertext Transfer Protocol Secure).
B9. The system of B7, characterized in that the client of open platform A is further configured to display an authorization page after submitting the identification information of open platform B and the identity information of the user to the back-end server of open platform A.
B10. The system of B7, characterized in that open platform B is further configured to, after obtaining the identity of the current user by calling an interface of open platform A, query the binding relationship between the identity of the current user and a current account; if the two are not bound, generate a local account for the identity of the current user locally and record the binding relationship; and generate the Access Token directly from the obtained local account.
B11. The system of B7, characterized in that open platform B is further configured to display an authorization page after obtaining the identity of the current user by calling an interface of open platform A, and, after the user agrees to authorize the plug-in of the client of open platform A to use the services of open platform B, return the generated Access Token to the plug-in of the client of open platform A.
B12. The system of B7, characterized in that the back-end server of open platform A is further configured to store the application key (App Secret) of the user's application.
Claims (10)
1. An authorization and authentication method based on a client plug-in, in which open platform A and open platform B both support the same OAuth protocol, characterized in that it comprises:
the plug-in of the client of open platform A submits the identification information of open platform B to the client of open platform A, requesting that the user authorize open platform B to use the services provided on open platform A;
after the client of open platform A has been authorized, it submits the identification information of open platform B and the identity information of the user to the back-end server of open platform A, and the back-end server returns an authorization code (Auth Code) to the client of open platform A;
the client of open platform A passes the Auth Code to open platform B through the plug-in of the client; open platform B obtains the identity of the current user by calling an interface of open platform A, converts the Auth Code into an access token (Access Token), and returns the generated Access Token to the plug-in of the client of open platform A;
the plug-in of the client calls the relevant interfaces of open platform B using the Access Token;
after the client of open platform A submits the identification information of open platform B and the identity information of the user to the back-end server of open platform A, the method further comprises the step of the client of open platform A displaying an authorization page;
wherein the authorization page is provided by a corresponding authorization interface of the client of open platform A or of the back-end server of open platform A.
2. The method of claim 1, characterized in that
the client of open platform A and the plug-in of the client interact with the back-end server of open platform A over HTTPS (Hypertext Transfer Protocol Secure).
3. The method of claim 1, characterized in that
the step of open platform B returning the generated Access Token to the plug-in of the client of open platform A further comprises:
open platform B obtains the identity of the current user by calling an interface of open platform A and queries the binding relationship between the identity of the current user and a current account; if the two are not bound, it generates a local account for the identity of the current user locally and records the binding relationship; open platform B then generates the Access Token directly from the obtained local account and returns it to the plug-in of the client of open platform A.
4. The method of claim 2, characterized in that
after open platform B obtains the identity of the current user by calling an interface of open platform A, the method further comprises: open platform B displays an authorization page, and after the user agrees to authorize the plug-in of the client of open platform A to use the services of open platform B, open platform B returns the generated Access Token to the plug-in of the client of open platform A.
5. The method of claim 1, characterized in that
it further comprises: the back-end server of open platform A stores the application key (App Secret) of the user's application.
6. An authorization and authentication system based on a client plug-in, characterized in that it comprises: a client of open platform A, a plug-in of the client of open platform A, a back-end server of open platform A, and open platform B, where open platform A and open platform B both support the same OAuth protocol;
the plug-in of the client of open platform A is configured to submit the identification information of open platform B to the client of open platform A, requesting that the user authorize open platform B to use the services provided on open platform A; to receive the authorization code (Auth Code) sent by the client of open platform A and pass it to open platform B; and to call the relevant interfaces of open platform B using the access token (Access Token) returned by open platform B;
the client of open platform A is configured to submit the identification information of open platform B and the identity information of the user to the back-end server of open platform A, and to receive the Auth Code returned by the back-end server of open platform A and pass it to the plug-in of the client;
the back-end server of open platform A is configured to return the Auth Code to the client of open platform A after authorization;
open platform B is configured to obtain the identity of the current user by calling an interface of open platform A, convert the Auth Code into an Access Token, and return the generated Access Token to the plug-in of the client of open platform A;
the client of open platform A is further configured to display an authorization page after submitting the identification information of open platform B and the identity information of the user to the back-end server of open platform A;
wherein the authorization page is provided by a corresponding authorization interface of the client of open platform A or of the back-end server of open platform A.
7. The system of claim 6, characterized in that the client of open platform A and the plug-in of the client interact with the back-end server of open platform A over HTTPS (Hypertext Transfer Protocol Secure).
8. The system of claim 6, characterized in that open platform B is further configured to, after obtaining the identity of the current user by calling an interface of open platform A, query the binding relationship between the identity of the current user and a current account; if the two are not bound, generate a local account for the identity of the current user locally and record the binding relationship; and generate the Access Token directly from the obtained local account.
9. The system of claim 6, characterized in that open platform B is further configured to display an authorization page after obtaining the identity of the current user by calling an interface of open platform A, and, after the user agrees to authorize the plug-in of the client of open platform A to use the services of open platform B, return the generated Access Token to the plug-in of the client of open platform A.
10. The system of claim 6, characterized in that the back-end server of open platform A is further configured to store the application key (App Secret) of the user's application.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510258052.3A CN104994064B (en) | 2012-03-29 | 2012-03-29 | A kind of authorization and authentication method and system based on client plug-in |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201210088441.2A CN102761537B (en) | 2012-03-29 | 2012-03-29 | Method and system for authentication and authorization on basis of client-side plug-in |
CN201510258052.3A CN104994064B (en) | 2012-03-29 | 2012-03-29 | A kind of authorization and authentication method and system based on client plug-in |
Related Parent Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201210088441.2A Division CN102761537B (en) | 2012-03-29 | 2012-03-29 | Method and system for authentication and authorization on basis of client-side plug-in |
Publications (2)
Publication Number | Publication Date |
---|---|
CN104994064A CN104994064A (en) | 2015-10-21 |
CN104994064B true CN104994064B (en) | 2018-06-26 |
Family
ID=47055859
Family Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201210088441.2A Active CN102761537B (en) | 2012-03-29 | 2012-03-29 | Method and system for authentication and authorization on basis of client-side plug-in |
CN201510258052.3A Expired - Fee Related CN104994064B (en) | 2012-03-29 | 2012-03-29 | A kind of authorization and authentication method and system based on client plug-in |
Family Applications Before (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201210088441.2A Active CN102761537B (en) | 2012-03-29 | 2012-03-29 | Method and system for authentication and authorization on basis of client-side plug-in |
Country Status (1)
Country | Link |
---|---|
CN (2) | CN102761537B (en) |
Families Citing this family (12)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104022875B (en) * | 2013-03-01 | 2017-09-01 | 中兴通讯股份有限公司 | A kind of two-way authorization system, client and method |
BR112016002242B1 (en) * | 2013-07-31 | 2022-09-27 | Hewlett-Packard Development Company, L.P. | NON-TRANSITORY STORAGE MEDIUM THAT CAN BE READ ON A MACHINE, SYSTEM COMPRISING A MAIN COMPUTER AND PROCESSOR IMPLEMENTED METHOD |
US9160731B2 (en) | 2013-09-06 | 2015-10-13 | International Business Machines Corporation | Establishing a trust relationship between two product systems |
CN104917721B (en) * | 2014-03-10 | 2019-05-07 | 腾讯科技(北京)有限公司 | Authorization method, device and system based on oAuth agreement |
CN104539589A (en) * | 2014-12-10 | 2015-04-22 | 华为软件技术有限公司 | Authorization method, server and client |
CN105099704B (en) * | 2015-08-13 | 2018-12-28 | 上海博路信息技术有限公司 | A kind of OAuth service based on bio-identification |
CN106878099B (en) * | 2015-12-11 | 2020-10-30 | 中国移动通信集团公司 | Traffic management method, terminal equipment, server and system |
CN105897757B (en) * | 2016-06-12 | 2019-01-04 | 上海携程商务有限公司 | Authorization identifying system and authorization and authentication method |
CN106357643B (en) * | 2016-09-20 | 2019-08-27 | 福建新和兴信息技术有限公司 | It can recognize the method and system for calling the application of cloud platform data |
CN107465768A (en) * | 2017-07-11 | 2017-12-12 | 上海精数信息科技有限公司 | Short chain based on Implicit authorization clicks on monitoring method and system |
CN110048926B (en) * | 2018-01-15 | 2021-03-09 | 亦非云互联网技术(上海)有限公司 | User circulation method, system, medium and electronic device based on WeChat public number |
CN112311783B (en) * | 2020-10-24 | 2023-02-28 | 尺度财金(北京)智能科技有限公司 | Method and system for authenticating reverse proxy |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101247344A (en) * | 2008-03-28 | 2008-08-20 | 中国电信股份有限公司 | Access method supporting multiple IPTV services platform and IPTV terminal unit |
US7945774B2 (en) * | 2008-04-07 | 2011-05-17 | Safemashups Inc. | Efficient security for mashups |
CN102291467A (en) * | 2011-09-15 | 2011-12-21 | 电子科技大学 | Communication platform and method suitable for private cloud environment |
CN102394887A (en) * | 2011-11-10 | 2012-03-28 | 杭州东信北邮信息技术有限公司 | OAuth protocol-based safety certificate method of open platform and system thereof |
Family Cites Families (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20110113102A1 (en) * | 2009-11-09 | 2011-05-12 | Cbs Interactive Inc. | Method and apparatus for integrating a participant into programming |
JP5540119B2 (en) * | 2010-02-09 | 2014-07-02 | インターデイジタル パテント ホールディングス インコーポレイテッド | Method and apparatus for trusted federated identity |
2012
- 2012-03-29 CN CN201210088441.2A patent/CN102761537B/en active Active
- 2012-03-29 CN CN201510258052.3A patent/CN104994064B/en not_active Expired - Fee Related
Also Published As
Publication number | Publication date |
---|---|
CN102761537B (en) | 2015-06-17 |
CN102761537A (en) | 2012-10-31 |
CN104994064A (en) | 2015-10-21 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |
| CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20180626; termination date: 20210329 |