CN106713367A - Authentication method, authentication platform, business system and authentication system - Google Patents
- Publication number: CN106713367A (application CN201710122171.5A)
- Authority: CN (China)
- Prior art keywords: user information, service system, verification, authentication platform, authorization token
- Legal status: Pending
Classifications
- H04L63/0892: Network architectures or network communication protocols for network security for authentication of entities by using authentication-authorization-accounting [AAA] servers or protocols
- H04L63/0428: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/062: Network architectures or network communication protocols for network security for supporting key management in a packet data network for key distribution, e.g. centrally by trusted party
- H04L63/0807: Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
- H04L63/0815: Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
- H04L63/102: Entity profiles (under H04L63/10, network security for controlling access to devices or network resources)
- H04L9/3247: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, involving digital signatures
Abstract
The invention provides an authentication method, an authentication platform, a business system and an authentication system. The authentication method applied to the authentication platform comprises the steps of: receiving an authorization request, which includes a business system identifier, sent by a connected business system; authenticating the business system according to the identifier included in the authorization request; when the business system is authenticated, generating an authorization token and sending it to the business system; acquiring user information and authenticating the user information; when the user information is authenticated, packaging the user information using the Security Assertion Markup Language (SAML) protocol; receiving the authorization token fed back by the business system and authenticating the fed-back authorization token; and, when the authorization token is authenticated, sending the packaged user information to the business system so that the business system can log in a connected client according to the packaged user information. Therefore, the method, platform and systems provided by the invention can improve security.
Description
Technical Field
The present invention relates to the field of computer technologies, and in particular, to an authentication method, an authentication platform, a service system, and an authentication system.
Background
With the development of the internet, in order to improve convenience of government affair services, an integrated internet government affair service system appears. In order to ensure the safety of the government affair service system in the using process, a unified identity authentication platform system is established.
Currently, a unified identity authentication platform system generally uses the OAuth protocol or the SAML (Security Assertion Markup Language) protocol for security authentication. When the OAuth protocol is adopted, OAuth only covers the authorization part: once the user information is successfully verified, the user logs in to the government affair service system, but the user information is not protected during the login process, so user information may leak. When the SAML protocol is used, after a user logs in, every business system associated with the user can access the user's information, so user information may also leak.
As can be seen from the above, whichever method the prior art uses, the OAuth protocol or the SAML protocol, user information is liable to leak, and thus security is low.
Disclosure of Invention
The invention provides an authentication method, an authentication platform, a service system and an authentication system, which can improve the security.
In a first aspect, the present invention provides an authentication method applied to an authentication platform, including:
receiving an authorization request sent by a connected service system, wherein the authorization request comprises an identifier of the service system;
verifying the service system according to the identifier included in the authorization request;
when the verification is passed, generating an authorization token and sending the authorization token to the business system;
acquiring user information and verifying the user information;
when the authentication is passed, packaging the user information by utilizing an SAML protocol;
receiving an authorization token fed back by the service system, and verifying the fed-back authorization token;
and when the verification is passed, sending the packaged user information to the service system so that the service system performs login processing on a connected client according to the packaged user information.
Preferably, after the obtaining of the user information and the verifying of the user information, the method further includes:
determining authority information corresponding to the user information according to the user information;
and after the receiving of the authorization token fed back by the business system and the verifying of the fed-back authorization token, the method further includes:
and when the verification is passed, sending the authority information corresponding to the user information to the service system so that the service system opens corresponding authority to the connected client according to the authority information.
Preferably, the packaging of the user information by the SAML protocol when the verification is passed comprises:
encrypting the user information through a preset encryption algorithm;
signing the encrypted user information through a preset character string;
the signed user information is encapsulated using the SAML protocol.
In a second aspect, the present invention provides an authentication method applied to a service system, including:
receiving a login request sent by a connected client;
sending an authorization request carrying the identification of the service system to an authentication platform according to the login request so that the authentication platform verifies the service system according to the identification of the service system;
upon receiving an authorization token for the authorization request sent by the authentication platform,
feeding back the authorization token to the authentication platform so that the authentication platform verifies the fed-back authorization token;
upon receiving the user information encapsulated with the SAML protocol sent by the authentication platform,
and performing login processing on the connected client according to the user information.
Preferably, before the login processing is performed on the connected client according to the user information, the method further includes:
receiving authority information corresponding to the user information sent by the authentication platform;
and opening corresponding authority to the connected client according to the authority information.
Preferably, the login processing of the connected client according to the user information comprises:
verifying the user information by a preset verification method;
decrypting the verified user information through a preset decryption algorithm;
and performing login processing on the connected client according to the decrypted user information.
In a third aspect, the present invention provides an authentication platform, comprising:
an authorization request receiving unit, configured to receive an authorization request sent by a connected service system, where the authorization request includes an identifier of the service system;
the verification and generation unit is used for verifying the service system according to the identifier included in the authorization request received by the authorization request receiving unit; when the verification is passed, generating an authorization token and sending the authorization token to the business system;
the verification and packaging unit is used for acquiring user information and verifying the user information; when the authentication is passed, packaging the user information by utilizing an SAML protocol;
the verification and sending unit is used for receiving the authorization token fed back by the service system and verifying the fed-back authorization token; and when the verification is passed, sending the user information packaged by the verification and packaging unit to the service system so that the service system performs login processing on a connected client according to the packaged user information.
Preferably, further comprising: a determination unit;
the determining unit is used for determining the authority parameters corresponding to the user information according to the user information acquired by the verification and packaging unit;
and the verification and sending unit is further used for sending the authority parameters corresponding to the user information, as determined by the determining unit, to the service system when the verification is passed, so that the service system opens the corresponding authority to the connected client according to the authority parameters.
Preferably, the verification and packaging unit comprises an encryption subunit, a signature subunit and a packaging subunit; wherein,
the encryption subunit is configured to encrypt the user information through a preset encryption algorithm;
the signature subunit is configured to sign the user information encrypted by the encryption subunit through a preset character string;
the packaging subunit is configured to package the user information signed by the signing subunit by using the SAML protocol.
In a fourth aspect, the present invention provides a service system, including:
a login request receiving unit, configured to receive a login request sent by a connected client;
a sending unit, configured to send, according to the login request received by the login request receiving unit, an authorization request carrying an identifier of the service system to an authentication platform, so that the authentication platform verifies the service system according to the identifier of the service system;
the feedback unit is used for feeding back the authorization token to the authentication platform when receiving the authorization token aiming at the authorization request sent by the authentication platform, so that the authentication platform verifies the fed-back authorization token;
and the login unit is used for performing login processing on the connected client according to the user information when receiving the user information which is sent by the authentication platform and encapsulated by the SAML protocol.
Preferably, further comprising: an authority processing unit;
the authority processing unit is used for receiving the authority parameters corresponding to the user information sent by the authentication platform, and for opening the corresponding authority to the connected client according to the authority parameters.
Preferably, the login unit comprises a signature verification subunit, a decryption subunit and a login subunit; wherein,
the signature verification subunit is used for verifying the signature of the user information by a preset signature verification method;
the decryption subunit is used for decrypting, through a preset decryption algorithm, the user information whose signature has been verified by the signature verification subunit;
and the login subunit is used for performing login processing on the connected client according to the user information decrypted by the decryption subunit.
In a fifth aspect, the present invention provides an authentication system, comprising:
the authentication platform described above and at least one service system as described above.
The embodiment of the invention provides an authentication method, an authentication platform, a service system and an authentication system. The authentication method applied to the authentication platform comprises the following steps: verifying the received authorization request, which includes the service system identifier, generating an authorization token after the verification is passed, and sending the authorization token to the service system; then acquiring and verifying the user information and, after the user information passes verification, packaging the acquired user information using the SAML protocol; then receiving the authorization token fed back by the service system, verifying it, and, when the verification is passed, sending the packaged user information to the service system so that the service system logs in the client connected to it according to the packaged user information. Through this process, an authorization token is generated for the service system in response to its authorization request, the verified user information is packaged using the SAML protocol, and the packaged user information is sent to the service system only after the authorization token fed back by the service system passes verification, so security can be improved.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to these drawings without creative efforts.
FIG. 1 is a flowchart of an authentication method applied to an authentication platform according to an embodiment of the present invention;
FIG. 2 is a flowchart of an authentication method applied to a business system according to an embodiment of the present invention;
FIG. 3 is a flowchart of an authentication method provided by an embodiment of the invention;
FIG. 4 is a block diagram of an authentication platform according to an embodiment of the present invention;
FIG. 5 is a schematic structural diagram of an authentication platform including a determination unit according to an embodiment of the present invention;
FIG. 6 is a schematic structural diagram of an authentication platform according to another embodiment of the present invention;
FIG. 7 is a schematic structural diagram of a service system according to an embodiment of the present invention;
FIG. 8 is a schematic structural diagram of a business system including an authority processing unit according to an embodiment of the present invention;
FIG. 9 is a schematic structural diagram of a service system according to another embodiment of the present invention;
FIG. 10 is a schematic structural diagram of an authentication system according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer and more complete, the technical solutions in the embodiments of the present invention will be described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention, and based on the embodiments of the present invention, all other embodiments obtained by a person of ordinary skill in the art without creative efforts belong to the scope of the present invention.
As shown in fig. 1, an embodiment of the present invention provides an authentication method, which is applied to an authentication platform, and the method may include the following steps:
step 101: receiving an authorization request sent by a connected service system, wherein the authorization request comprises an identifier of the service system;
step 102: verifying the service system according to the identifier included in the authorization request;
step 103: when the verification is passed, generating an authorization token and sending the authorization token to the business system;
step 104: acquiring user information and verifying the user information;
step 105: when the authentication is passed, packaging the user information by utilizing an SAML protocol;
step 106: receiving an authorization token fed back by the service system, and verifying the fed-back authorization token;
step 107: and when the verification is passed, sending the packaged user information to the service system so that the service system performs login processing on a connected client according to the packaged user information.
According to the embodiment shown in FIG. 1, the authentication method applied to the authentication platform comprises the following steps: verifying the received authorization request, which includes the service system identifier, generating an authorization token after the verification is passed, and sending the authorization token to the service system; then acquiring and verifying the user information and, after the user information passes verification, packaging the acquired user information using the SAML protocol; then receiving the authorization token fed back by the service system, verifying it, and, when the verification is passed, sending the packaged user information to the service system so that the service system logs in the client connected to it according to the packaged user information. Through this process, an authorization token is generated for the service system in response to its authorization request, the verified user information is packaged using the SAML protocol, and the packaged user information is sent to the service system only after the authorization token fed back by the service system passes verification. Therefore, the embodiment of the invention can improve security.
In an embodiment of the present invention, the identifiers of the service systems involved in the flowchart shown in FIG. 1 may be stored in the authentication platform in advance, and the identifier of each service system is unique. When an authorization request including a service system identifier is received from a service system, it is determined whether the received identifier exists among the pre-stored identifiers; if it does, the identifier passes verification and an authorization token is generated.
In this embodiment, for example, the identifiers 45a001, 45a002 and 45b001 are stored in the authentication platform in advance. When the identifier included in the received authorization request is 45a001, verification determines that 45a001 exists among the pre-stored identifiers, so the identifier passes verification and an authorization token is generated. When the identifier included in the received authorization request is 43a001, verification determines that 43a001 does not exist among the pre-stored identifiers, so the identifier is not legal and verification fails.
In an embodiment of the present invention, the obtaining process of the user information involved in the flowchart shown in fig. 1 may be: when the authentication platform passes the verification of the service system, the authentication platform guides the user to a login page so that the user inputs user information on the login page, and after the user inputs the user information, the authentication platform can acquire the user information.
In an embodiment of the present invention, the user information referred to in the flowchart shown in FIG. 1 may be stored in the authentication platform in advance, and each piece of user information is unique. When user information is acquired, it is determined whether it exists among the pre-stored user information; if it does, the user information passes verification and is packaged using the SAML protocol. If it does not exist among the pre-stored user information, the user information is illegal and verification fails.
In this embodiment, the content included in the user information may be determined according to the service requirement, and may include a user name and a user password, for example.
In an embodiment of the present invention, when step 103 in the flow shown in FIG. 1 is executed to send the authorization token to the service system, the authorization token may also be stored, so that when the authorization token fed back by the service system is received, the stored authorization token is used to verify it. The verification may be: comparing the fed-back authorization token with the stored authorization token; when the two are completely consistent, verification passes, and when they are inconsistent, the fed-back authorization token is not legal and verification fails.
In this embodiment, the form of the authorization token may be determined according to the service requirement, such as a character string.
In this embodiment, for example, if the generated authorization token is 123456AEC, the authentication platform stores 123456AEC when the authorization token 123456AEC is sent to the business system. When the authorization token 123456AEC fed back by the service system is received, the fed-back authorization token 123456AEC is compared with the stored authorization token 123456AEC, and when the two are determined to be completely consistent, the verification is passed. When the authorization token 723456AEC fed back by the business system is received, the fed-back authorization token 723456AEC is compared with the stored authorization token 123456AEC, and if the two are determined to be inconsistent, the verification is not passed.
In an embodiment of the present invention, after the acquiring of the user information and the verifying of the user information in step 104 of the flow shown in FIG. 1, the method may further include:
determining authority information corresponding to the user information according to the user information;
and after the receiving of the authorization token fed back by the service system and the verifying of the fed-back authorization token in step 106, the method may further include:
and when the verification is passed, sending the authority information corresponding to the user information to the service system so that the service system opens corresponding authority to the connected client according to the authority information.
In this embodiment, the specific content included in the right information may be determined according to the service requirement. For example, the rights information may include: the range of data in the access service system, the type of operation on the data in the service system, and the time for accessing the data in the service system.
In this embodiment, the authority information corresponding to each piece of user information may be stored in advance, and after the user information is acquired, the corresponding authority information is determined in the correspondence between the pre-stored user information and the authority information according to the user information.
In this embodiment, after the authorization token fed back by the service system passes verification, the authority information corresponding to the user information may be sent to the service system, so that the service system opens the corresponding authority to the connected client according to the received authority information. For example, the authority information corresponding to user information 1 includes access to the data in file A in service system 1; after the authority information corresponding to user information 1 is sent to service system 1, service system 1 opens the data in file A to the connected client according to that authority information.
According to this embodiment, the authority information corresponding to the user information can be determined from the user information, and after the authorization token fed back by the service system passes verification, the authority information is sent to the service system so that it opens the corresponding authority to the connected client. This prevents the client from accessing data outside its authority, so the confidentiality of the data in the service system can be improved.
In an embodiment of the present invention, step 105 in the flowchart shown in FIG. 1, encapsulating the user information using the SAML protocol when the verification is passed, may include:
encrypting the user information through a preset encryption algorithm;
signing the encrypted user information through a preset character string;
the signed user information is encapsulated using the SAML protocol.
In this embodiment, the encryption algorithm may be chosen according to the service requirements; for example, it may be a PBE (Password-Based Encryption) algorithm. During encryption, the user information is encrypted by the PBE algorithm using a key determined by the authentication platform; the key may likewise be chosen according to the service requirements, for example it may be the identifier of a service system.
In this embodiment, the character string may be chosen according to the service requirements, for example jiami010. After the user information has been encrypted, it is signed using this character string.
In this embodiment, after the user information is signed, it is encapsulated using the SAML protocol; the result of the encapsulation is a SAML assertion.
In this embodiment, suppose for example that user information 1 is obtained, the preset key is 01234, the character string is jiami010, and the encryption algorithm is the PBE encryption algorithm. After user information 1 passes verification, it is encrypted with the key 01234 by the PBE encryption algorithm; once encrypted, it is signed with the character string jiami010; and once signed, it is encapsulated using the SAML protocol, the encapsulated result being the SAML assertion.
According to this embodiment, after the user information is successfully verified, it can be encrypted by a preset encryption algorithm, the encrypted user information is then signed with a preset character string, and finally the signed user information is encapsulated using the SAML protocol. Because the user information undergoes encryption, signing and encapsulation, the probability of user information leakage can be reduced.
As shown in fig. 2, an embodiment of the present invention provides an authentication method applied to a service system, which may include the following steps:
step 201: receiving a login request sent by a connected client;
step 202: sending an authorization request carrying the identifier of the service system to an authentication platform according to the login request, so that the authentication platform verifies the service system according to the identifier;
step 203: when receiving an authorization token sent by the authentication platform for the authorization request, feeding the authorization token back to the authentication platform so that the authentication platform verifies the fed-back authorization token;
step 204: when receiving user information encapsulated by the SAML protocol from the authentication platform, performing login processing on the connected client according to the user information.
According to the embodiment shown in fig. 2, the authentication method applied to the service system proceeds as follows. According to the login request received from the client, an authorization request carrying the service system identifier is sent to the authentication platform, so that the authentication platform can verify the service system according to the identifier. Then, when an authorization token for the authorization request is received from the authentication platform, it is fed back to the authentication platform so that the authentication platform verifies the fed-back token. Then, when user information encapsulated by the SAML protocol is received from the authentication platform, login processing is performed on the connected client according to it. Through this round trip of the authorization token between the service system and the authentication platform, the service system receives the SAML-encapsulated user information, and logs the client in with it, only after the token it fed back has been successfully verified by the authentication platform, so security can be improved.
In one embodiment of the present invention, the identifier of the service system should be an identifier agreed with the authentication platform and should be unique, so that the authentication platform can verify the service system from the identifier. For example, if the identifier of the service system is 45a001, the authentication platform needs to store the identifier 45a001.
In an embodiment of the present invention, before login processing is performed on the connected client according to the user information in step 204 of the flowchart shown in fig. 2, the method may further include:
receiving authority information corresponding to the user information from the authentication platform;
opening the corresponding authority to the connected client according to the authority information.
In this embodiment, for example, if the authority information corresponding to the user information received from the authentication platform is: access to the data in file A in the service system, then the service system may open the data in file A to the connected client according to that authority information.
According to this embodiment, the corresponding authority is opened to the client according to the authority information corresponding to the received user information, and the client is restricted to operations or accesses within that authority, so data outside the client's operation or access authority is not exposed and the security of the data in the service system can be improved.
In an embodiment of the present invention, step 204 in the flow shown in fig. 2, performing login processing on the connected client according to the user information, may include:
verifying the signature of the user information by a preset signature verification method;
decrypting the signature-verified user information by a preset decryption algorithm;
performing login processing on the connected client according to the decrypted user information.
In this embodiment, the signature verification method may be chosen according to the service requirements; for example, it may be an SDK (Software Development Kit) provided by the authentication platform.
In this embodiment, the decryption algorithm may be chosen according to the service requirements, but it should be noted that the decryption algorithm must correspond to the encryption algorithm used in the authentication platform, so that the user information can be decrypted. For example, when the authentication platform encrypts the user information with a key by the PBE encryption algorithm, the service system decrypts the user information with that key by the PBE decryption algorithm.
In this embodiment, after the user information is decrypted, the service system may log the client in so that it can obtain data or perform operations according to the user information.
In this embodiment, suppose for example that the preset signature verification method is the SDK and the decryption algorithm is the PBE decryption algorithm. After user information 1 is received, the SDK is used to verify its signature, the PBE decryption algorithm is then used to decrypt the signature-verified user information 1, and after decryption is complete the client is logged in according to user information 1.
According to this embodiment, after the user information is received, its signature can be verified by a preset signature verification method, the signature-verified user information is then decrypted by a preset decryption algorithm, and the connected client is logged in according to the decrypted user information. Because the user information undergoes signature verification and decryption, the probability of user information leakage is reduced.
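As an added example, not code from the patent, the encrypt-sign-encapsulate sequence of the authentication platform and the mirror-image verify-decrypt sequence of the service system, in Go with only the standard library. AES-256-GCM under a PBKDF2-derived key stands in for the unspecified PBE algorithm, HMAC-SHA256 keyed with the preset string stands in for the "signature", and the salt, iteration count and the two-element Assertion document are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/xml"
	"errors"
)

// Preset values from the description: PBE key "01234" and signing string "jiami010".
// The salt and iteration count are assumptions; the description does not fix them.
const pbeKey, signString, pbeSalt, pbeIter = "01234", "jiami010", "CN106713367A-demo-salt", 100000

// Assertion is a minimal stand-in for the SAML assertion the platform returns; a real one
// also carries issuer, subject, conditions and an XML Signature.
type Assertion struct {
	XMLName    xml.Name `xml:"Assertion"`
	Ciphertext string   `xml:"Ciphertext"` // base64(nonce || AES-GCM ciphertext || tag)
	Signature  string   `xml:"Signature"`  // base64(HMAC-SHA256(signString, ciphertext))
}

// pbkdf2SHA256 is one 32-byte block of PBKDF2 with an HMAC-SHA256 PRF (RFC 8018),
// written out so the example needs only the standard library.
func pbkdf2SHA256(password, salt []byte, iter int) []byte {
	prf := hmac.New(sha256.New, password)
	prf.Write(salt)
	prf.Write([]byte{0, 0, 0, 1}) // big-endian block index 1
	u := prf.Sum(nil)
	t := append([]byte(nil), u...)
	for i := 1; i < iter; i++ {
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}

// newAEAD turns the preset PBE key into AES-256-GCM, which stands in here for the
// description's unspecified "PBE encryption algorithm".
func newAEAD(password string) (cipher.AEAD, error) {
	block, err := aes.NewCipher(pbkdf2SHA256([]byte(password), []byte(pbeSalt), pbeIter))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sign is the "sign through a preset character string" step. A string both parties
// share can only key a MAC, so this is HMAC-SHA256, not a public-key signature.
func sign(secret string, data []byte) []byte {
	m := hmac.New(sha256.New, []byte(secret))
	m.Write(data)
	return m.Sum(nil)
}

// Package is the platform side (steps 308-310): encrypt, sign the ciphertext, wrap in XML.
func Package(userInfo []byte) (string, error) {
	aead, err := newAEAD(pbeKey)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := aead.Seal(nonce, nonce, userInfo, nil) // nonce is prefixed so the receiver can find it
	enc := base64.StdEncoding.EncodeToString
	out, err := xml.Marshal(Assertion{Ciphertext: enc(ct), Signature: enc(sign(signString, ct))})
	return string(out), err
}

// Unpackage is the service system side (steps 316-317): verify the MAC first, then
// decrypt; a tampered, truncated or unsigned assertion is rejected before decryption.
func Unpackage(assertion string) ([]byte, error) {
	var a Assertion
	if err := xml.Unmarshal([]byte(assertion), &a); err != nil {
		return nil, err
	}
	ct, errC := base64.StdEncoding.DecodeString(a.Ciphertext)
	sig, errS := base64.StdEncoding.DecodeString(a.Signature)
	if errC != nil || errS != nil || !hmac.Equal(sig, sign(signString, ct)) {
		return nil, errors.New("signature verification failed")
	}
	aead, err := newAEAD(pbeKey)
	if err != nil || len(ct) < aead.NonceSize() {
		return nil, errors.New("cannot decrypt: key setup failed or ciphertext too short")
	}
	return aead.Open(nil, ct[:aead.NonceSize()], ct[aead.NonceSize():], nil)
}
```

Because the MAC is checked before decryption, a service system that receives a modified assertion never feeds attacker-controlled bytes to the cipher, which is the order the description's steps 316 and 317 prescribe.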
In the following, the authentication method is explained for the case where the authentication platform is connected to service system A and the client needs to log in to service system A. As shown in fig. 3, the authentication method may include the following steps:
Step 301: preset an encryption algorithm and a character string on the authentication platform, preset the identifier of at least one service system and at least one item of user information, and preset a signature verification method and a decryption algorithm in service system A.
In this step, the service system identifiers stored in the authentication platform are 45a001, 45a002 and 45b001. The user information stored in the authentication platform includes user information 1 and user information 2. The encryption algorithm preset in the authentication platform is the PBE encryption algorithm, and the character string is jiami010. Service system A presets the SDK as its signature verification method and the PBE decryption algorithm as its decryption algorithm.
Step 302: service system A receives a login request sent by the connected client.
Step 303: service system A sends an authorization request carrying the identifier of service system A to the authentication platform according to the login request.
In this step, service system A sends an authorization request carrying its own identifier 45a001 to the authentication platform according to the login request received in step 302.
Step 304: the authentication platform receives the authorization request, which includes the identifier of service system A, sent by service system A.
In this step, the authentication platform receives the authorization request including the identifier 45a001 sent by service system A.
Step 305: the authentication platform verifies service system A according to the identifier included in the authorization request; if the verification passes, step 306 is executed, otherwise the current flow ends.
In this step, the authentication platform verifies the authorization request by determining whether the identifier 45a001 it includes exists among the identifiers 45a001, 45a002 and 45b001 pre-stored in the authentication platform in step 301. Since 45a001 is among the pre-stored identifiers, step 306 is executed.
Step 306: when the verification passes, the authentication platform generates an authorization token and sends it to service system A.
In this step, the authorization token generated by the authentication platform is 123456AEC, and the authorization token 123456AEC is sent to service system A.
Step 307: the authentication platform acquires user information and verifies it; when the user information passes verification, step 308 is executed, otherwise the current flow ends.
In this step, the authentication platform acquires user information 1, which includes a user name and a user password, and determines whether user information 1 exists in the user information pre-stored in the authentication platform in step 301. If it exists, the verification passes and step 308 is executed; if not, the user is illegal and the current flow ends. In this embodiment it exists, so step 308 is executed.
Step 308: the authentication platform determines the authority information of the user information and encrypts the user information by the preset encryption algorithm.
In this step, once user information 1 passes verification, the authentication platform encrypts it by the PBE encryption algorithm preset in step 301.
In this step, the determined authority information is: access to file 1 of service system A.
Step 309: the authentication platform signs the encrypted user information with the preset character string.
In this step, the authentication platform signs the encrypted user information 1 with the character string jiami010 preset in step 301.
Step 310: the authentication platform encapsulates the signed user information using the SAML protocol.
In this step, the authentication platform encapsulates the signed user information 1 using the SAML protocol.
Step 311: when service system A receives the authorization token sent by the authentication platform for the authorization request, it feeds the authorization token back to the authentication platform.
In this step, service system A feeds the received authorization token 123456AEC back to the authentication platform.
Step 312: the authentication platform receives the authorization token fed back by the service system and verifies it; when the verification passes, step 313 is executed, otherwise the current flow ends.
In this step, the authentication platform receives the authorization token 123456AEC fed back by the service system and determines whether it is consistent with the authorization token 123456AEC generated in step 306; since it is, step 313 is executed.
Step 313: the encapsulated user information and the authority information corresponding to the user information are sent to service system A.
In this step, the encapsulated user information 1 and the authority information corresponding to user information 1, namely: file 1 in service system A may be accessed, are sent to service system A.
Step 314: service system A receives the user information encapsulated by the SAML protocol and the authority information corresponding to the user information sent by the authentication platform.
In this step, service system A receives user information 1 encapsulated by the SAML protocol and the authority information corresponding to user information 1 sent by the authentication platform, namely: file 1 in service system A may be accessed.
Step 315: service system A opens the corresponding authority to the connected client according to the authority information corresponding to the user information.
In this step, service system A opens the data in file 1 to the connected client according to the authority information: access to file 1 in service system A.
Step 316: service system A verifies the signature of the user information by the preset signature verification method.
In this step, service system A verifies the signature of user information 1 using the signature verification method preset in step 301, the SDK.
Step 317: service system A decrypts the signature-verified user information by the preset decryption algorithm.
In this step, service system A decrypts the signature-verified user information 1 by the PBE decryption algorithm preset in step 301.
Step 318: service system A performs login processing on the connected client according to the decrypted user information.
In this step, service system A logs the connected client in to access the data in file 1 according to the decrypted user information 1.
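An added example, not the patent's own code, modelling the authorization-token handshake of steps 301 to 318 in Go: the platform accepts only preset identifiers, binds each token to the requesting service system, and releases user and authority information only when the fed-back token matches. Single use and a one-minute lifetime for tokens, the user names and passwords, and all function names are assumptions added here; the encryption, signature and SAML wrapping of the user information are left out.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"time"
)

// issuedToken is what the platform remembers about one authorization token it issued.
type issuedToken struct {
	system  string    // service system identifier the token was issued to (step 306)
	user    string    // set by LoginUser once the user information passes verification (step 307)
	expires time.Time // assumption: the description gives tokens no lifetime
}

// Platform holds the values preset in step 301 plus the tokens it has issued.
type Platform struct {
	systems map[string]bool        // registered service system identifiers
	users   map[string]string      // user name -> password (plaintext only for this demo)
	rights  map[string]string      // user name -> authority information
	issued  map[string]issuedToken // token -> issuance record
	now     func() time.Time       // injectable clock so expiry can be tested
}

// NewPlatform preloads the identifiers from the description; users, passwords and authority text are constructed.
func NewPlatform(now func() time.Time) *Platform {
	return &Platform{
		systems: map[string]bool{"45a001": true, "45a002": true, "45b001": true},
		users:   map[string]string{"user1": "pw-1", "user2": "pw-2"},
		rights:  map[string]string{"user1": "access file 1 of service system A"},
		issued:  map[string]issuedToken{},
		now:     now,
	}
}

// Authorize is steps 304-306: accept only preset identifiers, then mint an unguessable token bound to the caller.
func (p *Platform) Authorize(systemID string) (string, error) {
	if !p.systems[systemID] {
		return "", errors.New("service system identifier not registered")
	}
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	tok := hex.EncodeToString(raw)
	p.issued[tok] = issuedToken{system: systemID, expires: p.now().Add(time.Minute)}
	return tok, nil
}

// LoginUser is steps 307-308: verify the user information and attach the user to the pending token.
func (p *Platform) LoginUser(token, name, password string) error {
	rec, ok := p.issued[token]
	if !ok {
		return errors.New("no pending authorization for this token")
	}
	want, known := p.users[name]
	if !known || !hmac.Equal([]byte(want), []byte(password)) {
		return errors.New("user information verification failed")
	}
	rec.user = name
	p.issued[token] = rec
	return nil
}

// Redeem is steps 312-313: release user and authority information only if the fed-back token
// was issued, to this same service system, is unexpired, has a verified user, and is unused.
func (p *Platform) Redeem(systemID, token string) (user, authority string, err error) {
	rec, ok := p.issued[token]
	delete(p.issued, token) // consumed on first presentation, whether or not it verifies
	switch {
	case !ok:
		return "", "", errors.New("authorization token was never issued")
	case rec.system != systemID:
		return "", "", errors.New("authorization token belongs to another service system")
	case p.now().After(rec.expires):
		return "", "", errors.New("authorization token expired")
	case rec.user == "":
		return "", "", errors.New("user information not verified yet")
	}
	return rec.user, p.rights[rec.user], nil
}

// ServiceLogin plays service system A for one client login (steps 302-318), without the
// encryption, signature and SAML wrapping of the user information.
func ServiceLogin(p *Platform, systemID, name, password string) (string, error) {
	tok, err := p.Authorize(systemID) // step 303: authorization request carrying own identifier
	if err != nil {
		return "", err
	}
	if err := p.LoginUser(tok, name, password); err != nil { // step 307
		return "", err
	}
	user, authority, err := p.Redeem(systemID, tok) // step 311: feed the token back
	if err != nil {
		return "", err
	}
	return user + " logged in with authority: " + authority, nil // steps 315-318
}
```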
As shown in fig. 4, an embodiment of the present invention provides an authentication platform, which includes:
an authorization request receiving unit 401, configured to receive an authorization request sent by a connected service system, the authorization request including the identifier of the service system;
a verification and generation unit 402, configured to verify the service system according to the identifier included in the authorization request received by the authorization request receiving unit 401 and, when the verification passes, to generate an authorization token and send it to the service system;
a verification and encapsulation unit 403, configured to acquire user information and verify it and, when the verification passes, to encapsulate the user information using the Security Assertion Markup Language (SAML) protocol;
a verification and sending unit 404, configured to receive the authorization token fed back by the service system and verify it and, when the verification passes, to send the user information encapsulated by the verification and encapsulation unit 403 to the service system, so that the service system performs login processing on a connected client according to the encapsulated user information.
According to the embodiment shown in fig. 4, the authentication platform verifies the service system through the verification and generation unit according to the identifier included in the authorization request received by the authorization request receiving unit, generates the authorization token when the verification passes, and sends it to the service system. The acquired user information is then verified by the verification and encapsulation unit and, when it passes verification, encapsulated using the SAML protocol. When the verification and sending unit has verified the authorization token fed back by the service system, it sends the user information encapsulated by the verification and encapsulation unit to the service system, so that the client connected to the service system can be logged in. Under this scheme the encapsulated user information is sent to the service system only after the verification and sending unit has verified that the authorization token fed back by the service system passes, so security can be improved.
In an embodiment of the present invention, as shown in fig. 5, the authentication platform may further include a determination unit 501;
the determination unit 501 is configured to determine, according to the user information acquired by the verification and encapsulation unit 403, the authority information corresponding to the user information;
the verification and sending unit 404 is configured to send the authority information corresponding to the user information determined by the determination unit 501 to the service system after the verification passes, so that the service system opens the corresponding authority to a connected client according to the authority information.
In an embodiment of the present invention, as shown in fig. 6, the verification and encapsulation unit 403 includes an encryption subunit 601, a signature subunit 602 and an encapsulation subunit 603; wherein
the encryption subunit 601 is configured to encrypt the user information by a preset encryption algorithm;
the signature subunit 602 is configured to sign the user information encrypted by the encryption subunit 601 with a preset character string;
the encapsulation subunit 603 is configured to encapsulate the user information signed by the signature subunit 602 using the SAML protocol.
As shown in fig. 7, an embodiment of the present invention provides a service system, which includes:
a login request receiving unit 701, configured to receive a login request sent by a connected client;
a sending unit 702, configured to send, according to the login request received by the login request receiving unit 701, an authorization request carrying the identifier of the service system to an authentication platform, so that the authentication platform verifies the service system according to the identifier;
a feedback unit 703, configured to feed an authorization token back to the authentication platform when the authorization token sent by the authentication platform for the authorization request is received, so that the authentication platform verifies the fed-back authorization token;
a login unit 704, configured to perform login processing on the connected client according to the user information when user information encapsulated by the SAML protocol is received from the authentication platform.
According to the embodiment shown in fig. 7, the sending unit sends an authorization request carrying the identifier of the service system to the authentication platform according to the login request received by the login request receiving unit, so that the authentication platform verifies the service system according to the identifier. The feedback unit then feeds the authorization token back to the authentication platform when it is received from the authentication platform, so that the authentication platform verifies the fed-back token. The login unit then performs login processing on the connected client according to the SAML-encapsulated user information sent by the authentication platform. Through this process, the feedback unit provides the round trip of the authorization token between the service system and the authentication platform, and the login unit receives the SAML-encapsulated user information, and logs the client in with it, only after the token fed back by the service system has been successfully verified by the authentication platform.
In an embodiment of the present invention, as shown in fig. 8, the service system may further include an authority processing unit 801;
the authority processing unit 801 is configured to receive the authority information corresponding to the user information sent by the authentication platform, and to open the corresponding authority to the connected client according to the authority information.
In an embodiment of the present invention, as shown in fig. 9, the login unit 704 includes a signature verification subunit 901, a decryption subunit 902 and a login subunit 903; wherein
the signature verification subunit 901 is configured to verify the signature of the user information by a preset signature verification method;
the decryption subunit 902 is configured to decrypt, by a preset decryption algorithm, the user information whose signature has been verified by the signature verification subunit 901;
the login subunit 903 is configured to perform login processing on the connected client according to the user information decrypted by the decryption subunit 902.
As shown in fig. 10, an embodiment of the present invention provides an authentication system, including any one of the above authentication platforms 1001 and at least one of the above service systems 1001.
In the embodiment shown in fig. 10, the authentication system includes an authentication platform and at least one service system, where each service system can log in its connected client through the authentication platform, and all user information is processed through the authentication platform, so security can be improved.
In one embodiment of the present invention, a readable medium is provided, which includes execution instructions; when a processor of a storage controller executes the execution instructions, the storage controller performs any one of the above authentication methods.
In one embodiment of the present invention, a storage controller is provided, which includes a processor, a memory and a bus; the memory stores execution instructions; the processor and the memory are connected through the bus; when the storage controller runs, the processor executes the execution instructions stored in the memory, causing the storage controller to perform any one of the above authentication methods.
Because the information exchange and execution process between the units of the above apparatus and system are based on the same concept as the method embodiments of the present invention, their specific details may be found in the description of the method embodiments and are not repeated here.
In summary, the embodiments of the present invention can achieve at least the following beneficial effects:
1. In the embodiments of the present invention, the authentication method applied to the authentication platform includes: verifying the received authorization request including the service system identifier, generating an authorization token after the verification passes, and sending it to the service system; then acquiring and verifying the user information and, after it passes verification, encapsulating the acquired user information using the SAML protocol; then receiving the authorization token fed back by the service system and verifying it and, when the verification passes, sending the encapsulated user information to the service system so that the service system logs in its connected client according to it. Through this process the scheme not only generates an authorization token for the service system in response to its authorization request, but also encapsulates the verified user information using the SAML protocol and sends it to the service system only after the token fed back by the service system passes verification, so security can be improved.
2. In the embodiments of the present invention, the authority information corresponding to the user information can be determined from the user information, and after the authorization token fed back by the service system passes verification, that authority information is sent to the service system, so that the service system opens the corresponding authority to the connected client; data outside the client's access authority is thus not exposed, which improves the confidentiality of the data in the service system.
3. In the embodiments of the present invention, after the user information is successfully verified, it can be encrypted by a preset encryption algorithm, the encrypted user information is then signed with a preset character string, and finally the signed user information is encapsulated using the SAML protocol. Because the user information undergoes encryption, signing and encapsulation, the probability of user information leakage can be reduced.
4. In the embodiments of the present invention, the authentication method applied to the service system includes: sending an authorization request carrying the service system identifier to the authentication platform according to the login request received from the client, so that the authentication platform can verify the service system according to the identifier; then, when an authorization token for the authorization request is received from the authentication platform, feeding it back to the authentication platform so that the authentication platform verifies the fed-back token; then, when user information encapsulated by the SAML protocol is received from the authentication platform, performing login processing on the connected client according to it. Through the round trip of the authorization token between the service system and the authentication platform, the service system receives the SAML-encapsulated user information, and logs the client in with it, only after the token it fed back has been successfully verified by the authentication platform, so security can be improved.
5. In the embodiments of the present invention, the corresponding authority is opened to the client according to the authority information corresponding to the received user information, and the client is restricted to operations or accesses within that authority, so data outside the client's operation or access authority is not exposed and the security of the data in the service system can be improved.
6. In the embodiments of the present invention, after the user information is received, its signature can be verified by a preset signature verification method, the signature-verified user information is then decrypted by a preset decryption algorithm, and the connected client is logged in according to the decrypted user information. Because the user information undergoes signature verification and decryption, the probability of user information leakage is reduced.
7. In the embodiments of the present invention, the authentication platform verifies the service system through the verification and generation unit according to the identifier included in the authorization request received by the authorization request receiving unit, generates the authorization token when the verification passes, and sends it to the service system. The acquired user information is then verified by the verification and encapsulation unit and, when it passes verification, encapsulated using the SAML protocol. When the verification and sending unit has verified the authorization token fed back by the service system, it sends the user information encapsulated by the verification and encapsulation unit to the service system, so that the client connected to the service system can be logged in. Under this scheme the encapsulated user information is sent to the service system only after the verification and sending unit has verified that the authorization token fed back by the service system passes, so security can be improved.
8. In the embodiments of the present invention, the sending unit sends an authorization request carrying the identifier of the service system to the authentication platform according to the login request received by the login request receiving unit, so that the authentication platform verifies the service system according to the identifier. The feedback unit then feeds the authorization token back to the authentication platform when it is received from the authentication platform, so that the authentication platform verifies the fed-back token. The login unit then performs login processing on the connected client according to the SAML-encapsulated user information sent by the authentication platform. Through this process, the feedback unit provides the round trip of the authorization token between the service system and the authentication platform, and the login unit receives the SAML-encapsulated user information, and logs the client in with it, only after the token fed back by the service system has been successfully verified by the authentication platform.
9. In the embodiments of the present invention, the authentication system includes an authentication platform and at least one service system, where each service system can log in its connected client through the authentication platform, and all user information is processed through the authentication platform, so security can be improved.
It is noted that, herein, relational terms such as first and second may be used solely to distinguish one entity or action from another, without necessarily requiring or implying any actual such relationship or order between those entities or actions. Also, the terms "comprises", "comprising" and any variation thereof are intended to cover a non-exclusive inclusion, such that a process, method, article or apparatus that comprises a list of elements includes not only those elements but may include other elements not expressly listed or inherent to such process, method, article or apparatus. Without further limitation, an element defined by the phrase "comprising a" does not exclude the presence of other similar elements in the process, method, article or apparatus that comprises the element.
Those of ordinary skill in the art will understand that all or part of the steps of the method embodiments may be carried out by hardware under the control of program instructions; the program may be stored in a computer-readable storage medium and, when executed, performs the steps of the method embodiments; the storage medium includes any medium that can store program code, such as ROM, RAM, a magnetic disk or an optical disk.
Finally, it is to be noted that the above description is only a preferred embodiment of the present invention, used only to illustrate its technical solutions and not to limit its protection scope. Any modification, equivalent replacement or improvement made within the spirit and principle of the present invention shall fall within its protection scope.
Claims (10)
1. An authentication method applied to an authentication platform includes:
receiving an authorization request sent by a connected service system, wherein the authorization request comprises an identifier of the service system;
verifying the service system according to the identifier included in the authorization request;
when the verification is passed, generating an authorization token and sending the authorization token to the business system;
acquiring user information and verifying the user information;
when the verification is passed, packaging the user information by utilizing a Security Assertion Markup Language (SAML) protocol;
receiving an authorization token fed back by the service system, and verifying the fed-back authorization token;
and when the verification is passed, sending the packaged user information to the service system so that the service system performs login processing on a connected client according to the packaged user information.
2. The method of claim 1, further comprising, after the acquiring user information and verifying the user information:
determining authority information corresponding to the user information according to the user information;
and, after the receiving the authorization token fed back by the service system and verifying the fed-back authorization token, further comprising:
and when the verification is passed, sending the authority information corresponding to the user information to the service system so that the service system opens corresponding authority to the connected client according to the authority information.
3. The method according to claim 1 or 2, wherein the packaging the user information by utilizing the SAML protocol when the verification is passed comprises:
encrypting the user information through a preset encryption algorithm;
signing the encrypted user information through a preset character string;
and encapsulating the signed user information by using the SAML protocol.
4. A method for authentication is applied to a service system, and comprises the following steps:
receiving a login request sent by a connected client;
sending an authorization request carrying the identification of the service system to an authentication platform according to the login request so that the authentication platform verifies the service system according to the identification of the service system;
upon receiving an authorization token for the authorization request sent by the authentication platform,
feeding back the authorization token to the authentication platform so that the authentication platform verifies the fed-back authorization token;
upon receiving the user information encapsulated with the SAML protocol sent by the authentication platform,
and performing login processing on the connected client according to the user information.
5. The method according to claim 4, further comprising, before the login processing for the connected client according to the user information:
receiving authority information corresponding to the user information sent by the authentication platform;
opening corresponding authority to the connected client according to the authority information;
and/or,
the login processing of the connected client according to the user information comprises:
checking the user information by a preset checking method;
decrypting the checked user information through a preset decryption algorithm;
and performing login processing on the connected client according to the decrypted user information.
6. An authentication platform, comprising:
an authorization request receiving unit, configured to receive an authorization request sent by a connected service system, where the authorization request includes an identifier of the service system;
the verification and generation unit is used for verifying the service system according to the identifier included in the authorization request received by the authorization request receiving unit; when the verification is passed, generating an authorization token and sending the authorization token to the business system;
the verification and packaging unit is used for acquiring user information and verifying the user information; when the verification is passed, packaging the user information by utilizing a Security Assertion Markup Language (SAML) protocol;
the verification and sending unit is used for receiving the authorization token fed back by the service system and verifying the fed-back authorization token; and when the verification is passed, sending the user information packaged by the verification and packaging unit to the service system so that the service system performs login processing on a connected client according to the packaged user information.
7. The authentication platform of claim 6, further comprising: a determination unit;
the determining unit is used for determining the authority parameters corresponding to the user information according to the user information acquired by the verifying and packaging unit;
the verification and sending unit is used for sending the authority parameters corresponding to the user information determined by the determination unit to the service system when the verification is passed, so that the service system opens corresponding authority to a connected client according to the authority parameters;
and/or,
the verification and packaging unit comprises: the encryption sub-unit, the signature sub-unit and the packaging sub-unit; wherein,
the encryption subunit is configured to encrypt the user information through a preset encryption algorithm;
the signature subunit is configured to sign the user information encrypted by the encryption subunit through a preset character string;
the packaging subunit is configured to package the user information signed by the signing subunit by using the SAML protocol.
8. A business system, comprising:
a login request receiving unit, configured to receive a login request sent by a connected client;
a sending unit, configured to send, according to the login request received by the login request receiving unit, an authorization request carrying an identifier of the service system to an authentication platform, so that the authentication platform verifies the service system according to the identifier of the service system;
the feedback unit is used for feeding back the authorization token to the authentication platform when receiving the authorization token aiming at the authorization request sent by the authentication platform, so that the authentication platform verifies the fed-back authorization token;
and the login unit is used for performing login processing on the connected client according to the user information when receiving the user information which is sent by the authentication platform and encapsulated by the SAML protocol.
9. The business system of claim 8, further comprising: a right processing unit;
the authority processing unit is used for receiving the authority parameters corresponding to the user information sent by the authentication platform; opening corresponding authority to the connected client according to the authority parameters;
and/or,
the login unit comprises: the system comprises a signature verification subunit, a decryption subunit and a login subunit; wherein,
the signature verification subunit is used for verifying the signature of the user information by a preset signature verification method;
the decryption subunit is used for decrypting the user information verified by the signature verification subunit through a preset decryption algorithm;
and the login subunit is used for performing login processing on the connected client according to the user information decrypted by the decryption subunit.
10. An authentication system, comprising: an authentication platform as claimed in claim 6 or 7, and at least one business system as claimed in claim 8 or 9.
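The exchange defined by claims 1 to 5 carried through end to end, as an added example that is not part of the patent or of any implementation of it. Assumptions (the claims leave all of these open): an HMAC-SHA256 keystream in CTR mode stands in for the unspecified "preset encryption algorithm", HMAC-SHA256 over the ciphertext with a preset key stands in for "signing through a preset character string", the SAML encapsulation is a minimal Assertion element rather than a full XMLDSig-signed SAML 2.0 assertion, and authorization tokens are single-use with a 60 s lifetime.

```python
import base64, hashlib, hmac, secrets, time
import xml.etree.ElementTree as ET

NS = "{urn:oasis:names:tc:SAML:2.0:assertion}"
NO_USER = {"salt": b"", "pw": b""}  # dummy record: unknown users cost the same as wrong passwords

def pw_hash(password, salt):  # constructed user store keeps salted PBKDF2 hashes, not passwords
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _keystream(key, nonce, n):  # HMAC-SHA256 in CTR mode: stand-in "preset encryption algorithm"
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range((n + 31) // 32))[:n]

def encrypt(key, data):  # fresh random nonce per message, prepended to the ciphertext
    nonce = secrets.token_bytes(16)
    return nonce + bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))

def decrypt(key, blob):
    return bytes(a ^ b for a, b in zip(blob[16:], _keystream(key, blob[:16], len(blob) - 16)))

class AuthenticationPlatform:
    def __init__(self, services, users, enc_key, sign_key):
        self.services, self.users = services, users      # registered service ids / user records
        self.enc_key, self.sign_key = enc_key, sign_key  # encryption key / "preset" signing string
        self.tokens, self.pending = {}, {}               # token -> (service_id, expiry) / packaged info
    def authorize(self, service_id):  # claim 1: verify the service by its identifier, issue a token
        if service_id not in self.services:
            raise PermissionError("unknown service system")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (service_id, time.time() + 60)  # 60 s lifetime is an assumption
        return token
    def verify_user(self, token, username, password):  # claims 1-3: verify, encrypt, sign, wrap
        rec = self.users.get(username, NO_USER)  # the user authenticates to the platform itself
        if token not in self.tokens or not hmac.compare_digest(rec["pw"], pw_hash(password, rec["salt"])):
            raise PermissionError("user verification failed")
        ct = encrypt(self.enc_key, username.encode())
        sig = hmac.new(self.sign_key, ct, hashlib.sha256).digest()  # encrypt-then-MAC
        root = ET.Element(NS + "Assertion", ID="_" + secrets.token_hex(8))
        ET.SubElement(ET.SubElement(root, NS + "Subject"), NS + "NameID").text = base64.b64encode(ct).decode()
        ET.SubElement(root, "Signature").text = base64.b64encode(sig).decode()  # simplified, not XMLDSig
        self.pending[token] = (ET.tostring(root), rec["authority"])  # claim 2: authority info travels too
    def verify_token(self, token, service_id):  # claim 1: verify the fed-back token, then release
        service, expiry = self.tokens.pop(token, (None, 0))  # pop: each token is accepted once
        if service != service_id or time.time() > expiry or token not in self.pending:
            raise PermissionError("authorization token rejected")
        return self.pending.pop(token)

class ServiceSystem:
    def __init__(self, service_id, platform, enc_key, sign_key):
        self.service_id, self.platform, self.enc_key, self.sign_key = service_id, platform, enc_key, sign_key
    def request_authorization(self):  # claim 4: on a client's login request, ask for a token
        return self.platform.authorize(self.service_id)
    def complete_login(self, client, token):  # claims 4-5: feed token back, verify, decrypt, log in
        assertion, authority = self.platform.verify_token(token, self.service_id)
        root = ET.fromstring(assertion)
        ct = base64.b64decode(root.find(NS + "Subject/" + NS + "NameID").text)
        sig = base64.b64decode(root.find("Signature").text)
        if not hmac.compare_digest(sig, hmac.new(self.sign_key, ct, hashlib.sha256).digest()):
            raise PermissionError("signature check failed")  # checked before any decryption
        return {"client": client, "user": decrypt(self.enc_key, ct).decode(), "authority": authority}
```

A token is bound to the service identifier it was issued for and is consumed on first feedback, so a replayed or cross-service token fails at verify_token, and a service holding the wrong preset signing string fails the signature check before it ever decrypts the user information.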
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710122171.5A CN106713367A (en) | 2017-03-02 | 2017-03-02 | Authentication method, authentication platform, business system and authentication system |
Publications (1)
Publication Number | Publication Date |
---|---|
CN106713367A true CN106713367A (en) | 2017-05-24 |
Family ID: 58912052
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710122171.5A Pending CN106713367A (en) | 2017-03-02 | 2017-03-02 | Authentication method, authentication platform, business system and authentication system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106713367A (en) |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103023856A (en) * | 2011-09-20 | 2013-04-03 | 中兴通讯股份有限公司 | Single sign-on method, single sign-on system, information processing method and information processing system |
CN103051630A (en) * | 2012-12-21 | 2013-04-17 | 微梦创科网络科技(中国)有限公司 | Method, device and system for implementing authorization of third-party application based on open platform |
US20150007299A1 (en) * | 2012-09-19 | 2015-01-01 | Secureauth Corporation | Mobile multifactor single-sign-on authentication |
US9148460B1 (en) * | 2012-12-31 | 2015-09-29 | Cellco Partnership | Push notifications for enterprise applications |
CN105847220A (en) * | 2015-01-14 | 2016-08-10 | 北京神州泰岳软件股份有限公司 | Authentication method and system, and service platform |
Timeline
- 2017-03-02 CN CN201710122171.5A patent/CN106713367A/en active Pending
Cited By (13)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107508793A (en) * | 2017-07-13 | 2017-12-22 | 微梦创科网络科技(中国)有限公司 | A kind of method and device based on towards tangent plane programming AOP certifications and mandate |
CN107911366A (en) * | 2017-11-17 | 2018-04-13 | 天脉聚源(北京)科技有限公司 | Auth method and device |
CN107968779A (en) * | 2017-11-17 | 2018-04-27 | 天脉聚源(北京)科技有限公司 | Auth method and device |
CN108881232B (en) * | 2018-06-21 | 2019-07-02 | 北京海泰方圆科技股份有限公司 | Sign-on access method, apparatus, storage medium and the processor of operation system |
CN108881232A (en) * | 2018-06-21 | 2018-11-23 | 北京海泰方圆科技股份有限公司 | Sign-on access method, apparatus, storage medium and the processor of operation system |
CN109274650B (en) * | 2018-08-30 | 2020-12-08 | 浪潮通用软件有限公司 | Electronic image retrieval management system and method |
CN109274650A (en) * | 2018-08-30 | 2019-01-25 | 山东浪潮通软信息科技有限公司 | A kind of management system and method that electron image is had access to |
CN112532599A (en) * | 2020-11-19 | 2021-03-19 | 北京信安世纪科技股份有限公司 | Dynamic authentication method, device, electronic equipment and storage medium |
CN112532599B (en) * | 2020-11-19 | 2023-04-18 | 北京信安世纪科技股份有限公司 | Dynamic authentication method, device, electronic equipment and storage medium |
CN112579997A (en) * | 2020-12-17 | 2021-03-30 | 数字广东网络建设有限公司 | User permission configuration method and device, computer equipment and storage medium |
CN112579997B (en) * | 2020-12-17 | 2024-03-12 | 数字广东网络建设有限公司 | User permission configuration method and device, computer equipment and storage medium |
CN113194077A (en) * | 2021-04-19 | 2021-07-30 | 中国建设银行股份有限公司 | Login method and device, computer equipment and computer readable storage medium |
CN115189919A (en) * | 2022-06-17 | 2022-10-14 | 浪潮软件股份有限公司 | Method and system for sharing information between platform and living application based on cryptographic algorithm |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20170524 |