
CN118233156A - Multi-area system, single sign-on method for multi-area system and storage medium - Google Patents


Info

Publication number: CN118233156A
Application number: CN202410251052.XA
Authority: CN (China)
Legal status: Pending (status as listed by Google Patents; an assumption, not a legal conclusion)
Prior art keywords: user, node, authentication, area, global
Language: Chinese (zh)
Inventor: 李振
Original and current assignee (as listed): Xiamen Xingzhong Wulian Technology Co ltd

Classifications

    • G06F16/2365 Ensuring data consistency and integrity (under G06F16/23 Updating; G06F16/20 Information retrieval of structured data, e.g. relational data; G06F16/00 Information retrieval, database structures and file system structures therefor)
    • G06F16/27 Replication, distribution or synchronisation of data between databases or within a distributed database system; distributed database system architectures therefor
    • G06F21/602 Providing cryptographic facilities or services (under G06F21/60 Protecting data; G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity)
    • H04L63/0815 Network security protocols for authentication of entities, providing single sign-on or federations (under H04L63/08; H04L63/00 Network architectures or protocols for network security)
    • H04L63/101 Access control lists [ACL] (under H04L63/10 Controlling access to devices or network resources)
    • H04L9/0643 Hash functions, e.g. MD5, SHA, HMAC or f9 MAC (under H04L9/06 Block-wise or stream coding, e.g. DES systems or RC4; hash functions; pseudorandom sequence generators)
    • H04L9/30 Public key, i.e. encryption algorithm computationally infeasible to invert, or user's encryption keys not requiring secrecy
    • H04L9/3213 Verifying the identity or authority of a user, or message authentication, involving a third party or trusted authority, using tickets or tokens, e.g. Kerberos (under H04L9/321; H04L9/32)
    • H04L9/3247 Verifying the identity or authority of a user, or message authentication, involving digital signatures (under H04L9/32; H04L9/00 Cryptographic mechanisms; network security protocols)


Abstract

The application provides a multi-zone system, a single sign-on method for that system, and a storage medium. Each zone of the system has its own independent service node, storage node and authentication node. In response to a registration request triggered by a user in a first zone, the first service node stores the user's data in the first storage node, generates a global index for the user and synchronises that index across the system. In response to a login request triggered by the same user in a second zone, the second service node routes the request to the first authentication node according to the global index; the first authentication node authenticates the request against the user data held in the first storage node and, if authentication succeeds, generates and returns a user token. In response to an access request triggered by the user in a third zone, the third authentication node verifies the user token carried by the request and allows access if verification passes. The application claims that this keeps data consistent across regions, protects user data, keeps the service responsive, and reduces the complexity of system management and maintenance.

Description

Multi-area system, single sign-on method for multi-area system and storage medium
Technical Field
The present application relates to the field of communications technology, and in particular to a multi-area system, a single sign-on method for the multi-area system, and a storage medium.
Background
Single sign-on (SSO) is an authentication mechanism for a multi-application system of mutually trusting applications: the user authenticates once and can then access all of them. When the application systems are distributed across different areas, implementing single sign-on runs into problems of data security, timeliness and complexity.
Some existing schemes implement multi-area single sign-on by synchronising data between areas. This introduces synchronisation delay and, because user data crosses regional or national borders, easily violates the data-protection and personal-information regulations of the regions or countries involved, so that user privacy may be handled unlawfully. Other schemes have users register separately in each area to avoid the leakage risk of synchronisation, but this adds operational burden for the user, degrades the overall experience, duplicates data and raises storage and maintenance costs.
There is therefore a need for a multi-region single sign-on method that solves the data-consistency problem between regions and reduces the complexity of system management and maintenance while keeping user data secure and the service responsive.
Disclosure of Invention
To achieve this, the present application provides a multi-zone system, a single sign-on method for the multi-zone system, and a storage medium, which solve the data-consistency problem between zones and reduce the complexity of system management and maintenance while keeping user data secure and the service responsive.
In a first aspect, the present application provides a single sign-on method for a multi-zone system in which each zone has an independent service node, storage node and authentication node; the method comprises the following steps:
S1. In response to a registration request triggered by a user in a first zone of the multi-zone system, the first service node stores the user's data in the first storage node, generates a global index for the user and synchronises the global index across the system; the global index records that the user completed registration in the first zone.
S2. In response to a login request triggered by the user in a second zone of the multi-zone system, the second service node routes the login request to the first authentication node according to the user's global index.
S3. The first authentication node authenticates the login request against the user data stored in the first storage node and, if authentication succeeds, generates a user token and returns it to the user.
S4. In response to an access request triggered by the user in a third zone, the third authentication node verifies the user token carried by the access request and allows access if verification passes.
In one possible implementation manner, the step S1 includes:
S11. In response to a registration request based on a user account, the first service node hashes the user account to obtain an encrypted user identifier and combines that identifier with the identifier of the first area to form the user's global index.
S12. The first service node stores the user data and a copy of the global index in the first storage node, and persists the global index to a global storage space of the multi-region system that the nodes of any region can access.
In one possible embodiment, the method further comprises:
The storage node of any region loads its stored copy of the global index into memory or a Redis cache so as to answer queries for the global index.
In one possible implementation manner, the step S2 includes:
S21. In the second area, the user's terminal issues a login request carrying the user's account and login credentials, and an intelligent DNS module of the multi-area system resolves the request's network address so as to route the login request to the nearest second service node;
the intelligent DNS module records the mapping between network address ranges and the address of each service node;
S22. The second service node looks up the user's global index using the account carried by the login request, and routes the login request to the first authentication node according to the first-area identifier contained in the index.
In one possible implementation, the first, second and third areas can each be any area of the multi-area system, and the authentication nodes of the different areas are connected to each other over a virtual private network.
In one possible implementation manner, the step S3 includes:
S31. The first authentication node authenticates the user account and login credential carried by the login request against the user data in the first storage node;
S32. If authentication succeeds, the first authentication node generates a user token JWT from the user account and a given expiration time and signs the JWT with the private key of a given JWK (the application describes this as encrypting the token; a JWS signature provides integrity and proof of origin, not confidentiality, so the claims in the token remain readable by anyone who holds it);
S33. The first authentication node returns the signed JWT to the user.
In one possible implementation, the header of the JWT contains a key identifier (kid) that names the public key to be used for verifying the signature, and step S4 comprises:
S41. In response to an access request triggered by the user in a third area, the third authentication node reads the kid from the header of the JWT carried by the access request;
S42. The third authentication node obtains the target public key for that kid, verifies the JWT signature with it, and allows access if verification passes.
In one possible implementation, the system further comprises a global key management module, and the method further comprises at least one of:
A. the global key management module provides the private key used for signing to any authentication node;
B. the global key management module provides the public key used for verifying the signature to any authentication node;
C. the global key management module maintains a whitelist of preset public keys and provides a public key for signature verification to at least one authentication node through a key service interface;
D. the global key management module updates at least one managed public key and/or private key every preset period.
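Steps S31 to S42 and key-management operations A to D, as a runnable Go example of the token path. This is an added example, not code from the application or its assignee. It assumes ES256 (ECDSA over P-256) JWS signatures, a KeyDirectory type standing in for the global key management module, and the claim names sub, iss and exp; the application names none of these. It shows the part of step S4 that is most often got wrong in practice: the verifying node pins the algorithm instead of reading it from the token, accepts only whitelisted kids, checks the signature before trusting any claim, and enforces the expiration time, so a token issued by the first region's authentication node verifies in the third region without any call back to the first.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// KeyDirectory stands in for the application's global key management module: it hands
// private keys to issuing nodes (A) and keeps the kid-addressed whitelist of public keys (B, C).
type KeyDirectory struct {
	priv map[string]*ecdsa.PrivateKey
	pub  map[string]*ecdsa.PublicKey // the whitelist
}

func NewKeyDirectory() *KeyDirectory { return &KeyDirectory{map[string]*ecdsa.PrivateKey{}, map[string]*ecdsa.PublicKey{}} }

// Rotate (operation D) creates a fresh P-256 key pair under kid and whitelists its public half.
func (d *KeyDirectory) Rotate(kid string) error {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return err }
	d.priv[kid], d.pub[kid] = k, &k.PublicKey
	return nil
}

// Revoke drops kid from the whitelist; tokens signed under it fail everywhere at once.
func (d *KeyDirectory) Revoke(kid string) { delete(d.priv, kid); delete(d.pub, kid) }

// PublicJWK is the JWK the key service interface would publish for kid.
func (d *KeyDirectory) PublicJWK(kid string) (map[string]string, bool) {
	pub, ok := d.pub[kid]
	if !ok { return nil, false }
	x, y := make([]byte, 32), make([]byte, 32)
	pub.X.FillBytes(x); pub.Y.FillBytes(y)
	return map[string]string{"kty": "EC", "crv": "P-256", "alg": "ES256", "kid": kid, "x": b64(x), "y": b64(y)}, true
}

// Claims: the user account, the issuing node and the given expiration time of S32.
// The claim names are this example's choice.
type Claims struct {
	Sub string `json:"sub"`
	Iss string `json:"iss"`
	Exp int64  `json:"exp"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// IssueToken is S32/S33 on the registration region's authentication node.
func IssueToken(d *KeyDirectory, kid, issuer, account string, now time.Time, ttl time.Duration) (string, error) {
	priv, ok := d.priv[kid]
	if !ok { return "", errors.New("no signing key for kid") }
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(Claims{Sub: account, Iss: issuer, Exp: now.Add(ttl).Unix()})
	signingInput := b64(hdr) + "." + b64(body)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil { return "", err }
	sig := make([]byte, 64) // JWS ES256 signature: raw R||S, each left-padded to 32 bytes
	r.FillBytes(sig[:32]); s.FillBytes(sig[32:])
	return signingInput + "." + b64(sig), nil
}

// VerifyToken is S41/S42 on any region's authentication node: the algorithm is pinned rather
// than taken from the token, kid must be whitelisted, and the signature is checked before any claim is trusted.
func VerifyToken(d *KeyDirectory, token string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 { return nil, errors.New("malformed token") }
	var hdr struct{ Alg, Kid string } // encoding/json matches "alg"/"kid" case-insensitively
	rawHdr, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil || json.Unmarshal(rawHdr, &hdr) != nil { return nil, errors.New("bad header") }
	if hdr.Alg != "ES256" { return nil, errors.New("unexpected alg") }
	pub, ok := d.pub[hdr.Kid]
	if !ok { return nil, errors.New("kid not whitelisted") }
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || len(sig) != 64 { return nil, errors.New("bad signature encoding") }
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(pub, digest[:], r, s) { return nil, errors.New("signature invalid") }
	var c Claims
	rawBody, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil || json.Unmarshal(rawBody, &c) != nil { return nil, errors.New("bad claims") }
	if !now.Before(time.Unix(c.Exp, 0)) { return nil, errors.New("token expired") }
	return &c, nil
}

func main() {
	dir := NewKeyDirectory()
	_ = dir.Rotate("cn-east-k1")
	tok, _ := IssueToken(dir, "cn-east-k1", "auth.cn-east", "alice", time.Now(), time.Hour)
	fmt.Println(VerifyToken(dir, tok, time.Now())) // verified on a different region's node
}
```

Rotate and Revoke together stand for operation D: after Revoke, a token that is still within its expiration time fails in every region immediately, because its kid no longer resolves to a whitelisted public key. With expiry alone, a compromised signing key would remain usable until every token issued under it had aged out.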
In a second aspect, a multi-zone system is provided, the system corresponding to an independent service node, storage node and authentication node in each zone; the service node, storage node and authentication node of each zone in the system are configured to perform a single sign-on method of the multi-zone system according to the first aspect, so as to provide a single sign-on service to a user in any zone of the system.
In a third aspect, a computing device is provided that includes a memory storing at least one program that is executed by a processor to implement a single sign-on method of a multi-zone system as provided in the first aspect.
In a fourth aspect, a computer readable storage medium is provided, in which at least one program is stored, the at least one program being executed by a processor to implement the single sign-on method of the multi-zone system as provided in the first aspect.
The technical scheme provided by the application at least comprises the following technical effects:
(1) Data compliance: with the multi-zone storage scheme, user data never leaves the zone in which the user registered, in line with the relevant regulations.
(2) Efficient indexing: the global index serves as an efficient user identifier that simplifies cross-regional user management and identification; operations after registration need not carry redundant information, which lowers the complexity of system management and maintenance.
(3) Data security: signed tokens (JWTs signed with a JWK key) and authentication performed in the registration zone secure user login and access; the generation, transmission, verification and expiry of tokens can be managed efficiently, which supports security and availability and lowers the complexity of system management and maintenance.
(4) Cross-domain consistency: the authentication services of the different zones stay consistent, so a user sees no difference in authentication between zones.
(5) Responsiveness: the multi-zone system completes the authentication process quickly, ensuring accurate and timely identification of the user.
(6) User experience: single sign-on gives the user seamless access across zones.
In summary, the application keeps data consistent across the regions of the system, protects user data and keeps the service responsive, while reducing the complexity of system management and maintenance.
Drawings
FIG. 1 is a block diagram of a multi-zone system according to an embodiment of the present application;
FIG. 2 is a flow chart of a single sign-on method for a multi-zone system according to an embodiment of the present application;
FIG. 3 is a schematic diagram of a global index format provided by an embodiment of the present application;
FIG. 4 is a registration flow chart of a multi-zone system provided by an embodiment of the present application;
FIG. 5 is a single sign-on flow chart of a multi-zone system provided by an embodiment of the present application;
FIG. 6 is a schematic diagram of a user token provided by an embodiment of the present application;
FIG. 7 is a user access flow chart of a multi-zone system provided by an embodiment of the present application;
FIG. 8 is a schematic hardware structure of a computing device according to an embodiment of the present application.
Detailed Description
For further illustration of the various embodiments, the application is provided with the accompanying drawings. The accompanying drawings, which are incorporated in and constitute a part of this disclosure, illustrate embodiments and together with the description, serve to explain the principles of the embodiments. With reference to these matters, one of ordinary skill in the art will understand other possible embodiments and advantages of the present application. The components in the figures are not drawn to scale and like reference numerals are generally used to designate like components. The term "at least one" in the present application means one or more, and the term "plurality" in the present application means two or more.
The application will now be further described with reference to the drawings and detailed description.
First, a multi-zone system provided by the present application will be described.
The embodiment of the application provides a multi-region system deployed in a distributed manner across regions. Each region has independent service, storage and authentication nodes, and the nodes of each region cooperatively execute the single sign-on method, so that single sign-on service can be provided to a user in any region of the system.
In this embodiment, a region is a geographical area divided by geography, administrative division or network address segment. For example, the regions may be an east, south, west and northwest region, or a domestic and an overseas region. Other partitioning criteria are also supported; the application is not limited to these examples.
By way of example, a service node is a computing hardware unit such as a single server, several servers, a cloud server or a cloud server cluster; the application does not limit the form of the node, which may also be a virtual machine, a container or a computing instance hosted on any server or cloud server. Authentication nodes are implemented in the same way and are not described separately. In some embodiments the service node and the authentication node can be regarded as functional services of the multi-zone system: the service node provides access and management for user requests at the system edge, while the authentication node, backed by the local storage node, performs identity authentication and token issuing independently.
The storage node is, for example, a physical storage device such as a storage server, or virtualised storage space such as cloud storage resources provided by cloud servers.
In one possible implementation, the authentication nodes of the respective areas are connected to each other over a virtual private network (the application abbreviates it VPC). The storage node of each area can be accessed only by the service node and authentication node of that area, and user data is stored only in the storage node of the area where the user registered; this forms an area-partitioned storage architecture in which user data cannot leave the registration area.
FIG. 1 is a block diagram of a multi-zone system according to an embodiment of the present application. The connections between the functional nodes of each zone are described with reference to FIG. 1.
As shown in FIG. 1, each zone has its own independent service node, storage node and authentication node; taking the first zone as an example, it has a first authentication node, a first storage node and a first service node, and the second and third zones are organised in the same way. The storage node of each zone is accessible only to that zone's service node and authentication node.
As shown in FIG. 1, the authentication nodes of the zones are connected over a virtual private network (VPC), so that fast global routing is possible between them. At registration, the user sends a request from the user terminal to the service node of the zone where the user is located, and the user data is stored only in that zone's storage node.
The method for single sign-on of the multi-zone system according to the embodiment of the present application is described in detail below based on the multi-zone system described above, and the method is applied to the multi-zone system described above, and the content related to the system architecture principle in the method embodiment may refer to the above.
Fig. 2 is a flowchart of a single sign-on method of a multi-zone system according to an embodiment of the present application, where, as shown in fig. 2, the method at least includes steps S1 to S4 described below, which are executed cooperatively by corresponding nodes in the multi-zone system.
S1, responding to a registration request triggered by a user in a first area of a multi-area system, storing user data of the user in a first storage node by a first service node, generating a global index of the user and synchronizing the global index to the system.
Wherein the global index indicates that the user has completed registration in the first area. The first zone is any zone in a multi-zone system.
In one possible implementation, the present step S1 includes a step S11 and a step S12.
S11. In response to a registration request based on the user account, the first service node hashes the user account to obtain an encrypted user identifier and combines it with the identifier of the first area to form the user's global index.
In this embodiment, a global index that identifies the user's registration area is generated at registration. Specifically, the user account serves as the user identifier and is processed with a given hash function, so that the account itself, which is sensitive user information, does not leave the registration area. Combining the result with the area identifier in a simple data structure yields a global index that contains no sensitive user information and complies with the relevant regulations. Note that a plain hash of a low-entropy identifier such as an e-mail address is only pseudonymous: whoever can read the global index can test candidate accounts against it, so a keyed hash (an HMAC under a system secret) or a random identifier mapped to the account only inside the registration area is the stronger choice.
The relevant regulations depend on the actual area, for example the General Data Protection Regulation (GDPR) in the European Union and the Personal Information Protection Law in China.
The multi-region storage scheme keeps user data stored in a compliant way throughout the system and meets data-privacy and regulatory requirements. Further, a globally unique index is generated for each user, comprising the user's unique encrypted identifier and the user's registration area; this index enables efficient subsequent identity authentication and login authorisation.
FIG. 3 is a schematic format diagram of the global index provided in an embodiment of the present application. Referring to FIG. 3, a user's global index consists of the encrypted user identifier obtained by hashing the user account and the identifier of the registration area.
S12. The first service node stores the user data and a copy of the global index in the first storage node, and persists the global index to a global storage space of the multi-region system that the nodes of any region can access.
The global storage space is, for example, shared storage reachable by every node of the system; the service nodes and authentication nodes of each region read it to obtain a user's global index.
In this embodiment, the storage node of each area can be accessed only by the service node and authentication node of that area, and user data is stored only in the storage node of the area where the user registered, forming an area-partitioned storage architecture from which user data cannot leave the registration area.
In this embodiment, a copy of the global index is kept in the storage node of the registration area while the global index itself is stored in the globally readable shared storage. Persisting the global index in shared storage avoids data loss, and the copy in an area's storage node lets that area's authentication node query the global index quickly.
In one possible implementation, the storage node of any region loads its stored copy of the global index into memory or a Redis cache to answer global-index queries, which further improves the organisation and read/write efficiency of the global index.
To aid understanding of the registration process of steps S11 to S12, FIG. 4 shows a registration flow chart of the multi-area system: after a user triggers a registration request in the first area, the first service node stores the user's data in the first storage node, generates the user's global index and stores it in the global index storage, which completes the user's registration.
S2, responding to a login request triggered by a user in a second area in the multi-area system, and routing the login request to the first authentication node by the second service node according to the global index of the user.
In the embodiment of the present application, the second area may be any area in the multi-area system. The second authentication node performs routing according to the instruction of the global index of the user, and selects an area where the user is registered, that is, an area where the user data is uniquely stored for authentication.
In one possible implementation, this step S2 includes a step S21 and a step S22.
S21, in the second area, the terminal where the user is located triggers a login request according to the user account number and the login credentials of the user; the intelligent DNS module of the multi-zone system resolves the network address of the login request to route the login request to the nearest second service node. The network address is, for example, an IP address.
Wherein, the intelligent DNS module records the mapping relation between different network addresses and each service node address. Therefore, the intelligent DNS module can be adopted to realize the intelligent analysis effect of the nearby access based on the geographic position/operator of the user.
In the embodiment of the application, the source area of the login request can be intelligently judged by analyzing through the intelligent DNS, so that the request of different areas is intelligently routed to the service node of the corresponding area, the analysis time delay is effectively reduced, and the login speed is improved.
S22, the second service node queries the global index of the user based on the user account carried by the login request, and routes the login request to the first authentication node according to the identification information of the first area in the queried global index.
The application provides the global index as an efficient user identifier, which simplifies cross-regional user management and identity recognition, means that operations after user registration do not need to carry redundant information, and reduces the complexity of system management and maintenance. Based on the global index, the multi-region system can complete the authentication process quickly and immediately, improving the real-time performance of the service.
S3, the first authentication node authenticates the login request according to the user data stored in the first storage node and, if authentication succeeds, generates a user token and returns the user token to the user.
In one possible implementation, a virtual private network (VPC) is employed to communicatively connect authentication nodes in different areas of a multi-area system to ensure secure and efficient area service communications.
In one possible embodiment, the present step S3 includes the following steps S31 to S33.
S31, the first authentication node authenticates the user account and the login credentials carried by the login request according to the user data in the first storage node.
The first authentication node can provide a secure identity authentication service with the support of the first storage node, carrying out identity authentication and token issuance independently. Specifically, the login credentials are, for example, a user-set login password or other trusted credentials. Authentication is performed based on the user data stored in the first storage node, and no sensitive user information leaves the first area during the whole authentication process.
S32, if authentication is successful, the first authentication node generates a user token JWT based on the user account number and a given expiration time, and encrypts the user token JWT by applying a given JWK signature.
Specifically, the first authentication node generates an encrypted JSON Web Token (JWT) based on a given JSON Web Key (JWK). The user token JWT contains information such as an encrypted user identification (e.g., the hashed user account number) and the expiration time. The JWK signature prevents the token from being tampered with or abused, ensuring data security.
S33, the first authentication node returns an encrypted user token JWT to the user.
Specifically, the first authentication node returns the user token to the user to indicate that the login is complete; the user token is returned to the user terminal and serves as a valid identity verification means when the user performs single sign-on and access across different areas.
In one possible implementation, the multi-region system further comprises a global key management module for managing the keys (including public/private keys) involved in the token issuance and verification process. The global key management module is used for executing at least one of the management functions A to D.
A. The global key management module provides the private key used for the JWK signature to any authentication node;
B. the global key management module provides the public key used to verify the JWK signature to any authentication node;
C. the global key management module obtains a whitelist according to a preset public key, and provides the public key used for verifying the JWK signature to at least one authentication node through a key service interface;
D. the global key management module updates the managed at least one public key and/or at least one private key every preset period.
The application establishes a safe and reliable key management flow: the private key used to issue tokens is managed so that it cannot be disclosed, an interface is provided through which authentication nodes obtain the public key for token verification, and the public/private keys are updated at regular intervals to keep token issuance secure.
In order to facilitate understanding of the user single sign-on process described in the various possible embodiments of steps S2 to S3, the embodiment of the present application provides a single sign-on flow diagram of the multi-area system, as shown in fig. 5: after a user triggers a login request in a second area, the nearest service node is selected according to the network address of the user; after the login request is routed to the nearest second service node, the second service node looks up the global index of the user in the global storage space and, from the plurality of authentication nodes connected over the VPC network, determines the first authentication node corresponding to the first area where the user is registered; the login request is routed to the first authentication node for identity authentication; after authentication passes, a user token is generated; and the user token is returned to the user to complete single sign-on of the user in the second area.
S4, in response to an access request triggered by the user in a third area, the third authentication node verifies the user token carried by the access request, and allows access if the verification passes.
In one possible implementation, the header of the user token JWT contains a key identification KID, which indicates the target public key used to verify the JWK signature. In this example, step S4 includes step S41 and step S42.
S41, in response to an access request triggered by the user in a third area, the third authentication node reads the KID from the header of the user token JWT carried by the access request.
Specifically, the KID serves as an indication for token verification: it determines which public key the current user token should be verified with. When verifying a user token, the authentication node obtains the KID from the token header and uses the KID to obtain the target public key from the key management system. Further, the payload of the user token indicates at least: the user for whom the token is intended, and the expiration time of the token.
Illustratively, the KID indicates the key algorithm employed for token issuance and verification, e.g., the key algorithm "RS256" is indicated with KID "key 1". Fig. 6 is a schematic diagram of a user token provided by an embodiment of the present application. Referring to fig. 6, the header of the user token includes the key algorithm ALG "RS256" and the key identification KID "key-id"; these indicate that the key algorithm is "RS256" and that the corresponding target public key is "key-id1". The payload of the user token comprises at least: the token issuer iss "admin", the user the token is intended for sub "http … …", and the expiration time exp "1579038087" (in seconds).
S42, the third authentication node obtains the target public key according to the read KID, verifies the JWK signature of the user token JWT with the target public key, and allows access if the verification passes.
Specifically, the third authentication node can verify the signature of the user token JWT once it has obtained the public key, and after the verification passes, the user can access the system. Further, after the user has logged in, whenever the user accesses or attempts to access services in a different area, the local authentication node of that area verifies the signature of the user token according to the JWK information in the JWT carried by the user's request, so that identity verification and single sign-on remain effective for the user across different areas.
In order to facilitate understanding of the user access flow introduced in steps S41 to S42, the embodiment of the present application provides a user access flow chart of the multi-area system, as shown in fig. 7: a user triggers an access request carrying a user token in any area, any authentication node can obtain the key to verify the user token, and after verification succeeds, access is allowed and the access data is returned, completing the user access.
Through this mechanism, the authentication services of the areas remain consistent, the authentication state of the user is consistent in every area, seamless multi-area access is achieved, and crossing areas does not require logging out or logging in again.
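As an added illustration of steps S32 and S41 to S42 (example code written for this page, not from the patent), the following Go program issues an RS256-signed JWT whose header carries a KID and verifies it on another node by looking the KID up in a public-key set that stands in for the global key management module. The struct field names, the in-process key generation and the claim values are assumptions, not part of the patent.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Header and Claims mirror the token of fig. 6: alg/kid in the header, iss/sub/exp (seconds) in the payload.
type Header struct {
	Alg string `json:"alg"`
	Kid string `json:"kid"`
}

type Claims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"` // hashed user account, as in S11 (constructed value in main)
	Exp int64  `json:"exp"`
}

// KeySet is what a verifying authentication node obtains from the global key
// management module (functions B/C): public keys only, addressed by KID.
type KeySet map[string]*rsa.PublicKey

var b64 = base64.RawURLEncoding

// Issue is step S32 on the first authentication node: sign the claims with the
// private key registered under kid and return the compact JWT.
func Issue(priv *rsa.PrivateKey, kid string, c Claims) (string, error) {
	hb, _ := json.Marshal(Header{Alg: "RS256", Kid: kid})
	pb, _ := json.Marshal(c) // plain struct of strings and an int64: cannot fail
	signingInput := b64.EncodeToString(hb) + "." + b64.EncodeToString(pb)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64.EncodeToString(sig), nil
}

func decodeJSON(seg string, v interface{}) error {
	raw, err := b64.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// Verify is steps S41/S42 on any authentication node: read the KID, fetch that
// public key, check the signature, then the expiry; alg is pinned to RS256.
func Verify(token string, keys KeySet, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	var h Header
	if len(parts) != 3 || decodeJSON(parts[0], &h) != nil || h.Alg != "RS256" {
		return nil, fmt.Errorf("malformed token or unexpected alg")
	}
	pub, ok := keys[h.Kid] // a rotated-out (function D) or forged KID stops here
	if !ok {
		return nil, fmt.Errorf("unknown kid %q", h.Kid)
	}
	sig, err := b64.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, fmt.Errorf("bad signature")
	}
	var c Claims
	if err := decodeJSON(parts[1], &c); err != nil {
		return nil, err
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return nil, fmt.Errorf("token expired")
	}
	return &c, nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // key pair the key manager would hold
	tok, _ := Issue(priv, "key-id1", Claims{Iss: "admin", Sub: "hashed-account", Exp: time.Now().Add(time.Hour).Unix()})
	c, err := Verify(tok, KeySet{"key-id1": &priv.PublicKey}, time.Now())
	fmt.Println(c, err)
}
```

Removing a KID from the KeySet is how rotation (function D) invalidates tokens issued under the old key, while tokens issued under a KID that is still listed continue to verify.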
The application can effectively ensure the data consistency of the cross-regional system, ensure the data security of the user and the real-time performance of the service, and reduce the complexity of system management and maintenance. Moreover, based on the above various possible embodiments, the embodiment of the present application further has the following technical effects:
(1) Data compliance: with the multi-zone storage scheme, user data does not flow out of the registered zone, conforming to relevant regulations.
(2) Efficient indexing mechanism: the global index is provided as an efficient user identifier, so that cross-regional user management and identity recognition are simplified, other operations after user registration do not need to carry redundant information, and complexity of system management and maintenance is reduced.
(3) Data security: the encrypted JWK token and authentication service in the registration area are adopted, so that the security of user login and access is ensured; efficient management of the generation, transmission, verification, expiration and other aspects of JWK tokens is supported, security and availability are ensured, and complexity of system management and maintenance is reduced.
(4) Cross-domain data consistency: the authentication services of different areas can keep consistency, and authentication differences are avoided when users access different areas.
(5) Business instantaneity: the multi-area system can rapidly and immediately complete the authentication process, and ensure the accuracy and instantaneity of the user identity.
(6) Improved user experience: single sign-on authentication provides a good user experience, with seamless access by the user between different regions.
The application also provides a computing device which can be implemented as any functional module or node in the multi-region system; all or part of the steps of the single sign-on method for performing the multi-zone system described above. Fig. 8 is a schematic diagram of a hardware structure of a computing device provided in an embodiment of the present application, where, as shown in fig. 8, the computing device includes a processor 801, a memory 802, a bus 803, and a computer program stored in the memory 802 and capable of running on the processor 801, where the processor 801 includes one or more processing cores, the memory 802 is connected to the processor 801 through the bus 803, and the memory 802 is used to store program instructions, where the processor implements all or part of the steps in the foregoing method embodiments provided by the present application when the processor executes the computer program.
Further, as an executable scheme, the computing device may be a computer unit, and the computer unit may be a computing device such as a desktop computer, a notebook computer, a palm computer, and a cloud server. The computer unit may include, but is not limited to, a processor, a memory. It will be appreciated by those skilled in the art that the constituent structures of the computer unit described above are merely examples of the computer unit and are not limiting, and may include more or fewer components than those described above, or may combine certain components, or different components. For example, the computer unit may further include an input/output device, a network access device, a bus, etc., which is not limited by the embodiment of the present application.
Further, as an executable scheme, the processor may be a central processing unit (Central Processing Unit, CPU), another general purpose processor, a digital signal processor (Digital Signal Processor, DSP), an application specific integrated circuit (Application Specific Integrated Circuit, ASIC), a field-programmable gate array (Field-Programmable Gate Array, FPGA) or other programmable logic device, a discrete gate or transistor logic device, discrete hardware components, etc. A general purpose processor may be a microprocessor, or the processor may be any conventional processor or the like that is the control center of the computer unit, connecting the various parts of the entire computer unit using various interfaces and lines.
The memory may be used to store the computer program and/or modules, and the processor may implement the various functions of the computer unit by running or executing the computer program and/or modules stored in the memory and invoking data stored in the memory. The memory may mainly include a program storage area and a data storage area, wherein the program storage area may store an operating system and at least one application program required for a function; the data storage area may store data created according to the use of the device, etc. In addition, the memory may include high-speed random access memory, and may also include non-volatile memory, such as a hard disk, a plug-in hard disk, a smart media card (Smart Media Card, SMC), a Secure Digital (SD) card, a flash memory card (Flash Card), at least one disk storage device, a flash memory device, or other volatile solid-state storage device.
The present application also provides a computer readable storage medium storing a computer program which when executed by a processor implements the steps of the above-described method of an embodiment of the present application.
The modules/units integrated in the computer unit may be stored in a computer readable storage medium if implemented in the form of software functional units and sold or used as separate products. Based on such understanding, the present application may implement all or part of the flow of the method of the above embodiment by means of a computer program instructing related hardware, where the computer program may be stored in a computer readable storage medium and, when executed by a processor, implements the steps of each of the method embodiments described above. The computer program comprises computer program code which may be in source code form, object code form, an executable file or some intermediate form, etc. The computer readable medium may include: any entity or device capable of carrying the computer program code, a recording medium, a USB flash drive, a removable hard disk, a magnetic disk, an optical disk, a computer memory, a read-only memory (Read-Only Memory, ROM), a random access memory (Random Access Memory, RAM), a software distribution medium, and so forth. It should be noted that the content of the computer readable medium can be appropriately increased or decreased according to the requirements of legislation and patent practice in the jurisdiction.
While the application has been particularly shown and described with reference to a preferred embodiment, it will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the spirit and scope of the application as defined by the appended claims.

Claims (10)

1. A single sign-on method of a multi-zone system, wherein each zone of the system corresponds to an independent service node, storage node and authentication node; the method comprises the following steps:
S1, responding to a registration request triggered by a user in a first area of the multi-area system, storing user data of the user in a first storage node by a first service node, generating a global index of the user and synchronizing the global index to the system, wherein the global index indicates that the user finishes registration in the first area;
S2, responding to a login request triggered by the user in a second area in the multi-area system, and routing the login request to a first authentication node by a second service node according to a global index of the user;
S3, the first authentication node authenticates the login request according to the user data stored in the first storage node, and generates a user token and returns the user token to the user under the condition that authentication is successful;
and S4, responding to an access request triggered by the user in a third area, verifying the user token carried by the access request by a third authentication node, and allowing access under the condition that the verification is passed.
2. The single sign-on method according to claim 1, wherein the step S1 comprises:
S11, the first service node responds to a registration request triggered based on a user account, hashes the user account to obtain an encrypted user identifier, and combines the encrypted user identifier with the identifier information of the first area to obtain a global index of the user;
And S12, the first service node stores the user data and the copy of the global index in the first storage node, and persists the global index to a global storage space of the multi-region system, wherein the global storage space supports access by a node corresponding to any region in the system.
3. The single sign-on method of claim 2, further comprising:
The storage node corresponding to any region loads the stored copy of the global index into the memory or the Redis cache to respond to the query request for the global index.
4. The single sign-on method according to claim 1, wherein the step S2 comprises:
S21, in the second area, a terminal where a user is located triggers a login request according to a user account number and login credentials of the user, and an intelligent DNS module of the multi-area system routes the login request to a nearest second service node by analyzing a network address of the login request;
wherein, the intelligent DNS module records mapping relations between different network addresses and each service node address;
S22, the second service node queries the global index of the user based on the user account carried by the login request, and routes the login request to the first authentication node according to the identification information of the first area in the queried global index.
5. The single sign-on method of claim 1 wherein the first, second, and third regions are any regions in the multi-region system, and wherein authentication nodes in different regions in the multi-region system are communicatively connected by a virtual private network.
6. The single sign-on method according to claim 1, wherein the step S3 comprises:
S31, the first authentication node authenticates a user account and a login credential carried by the login request according to the user data in the first storage node;
S32, under the condition that authentication is successful, the first authentication node generates a user token JWT based on the user account and a given expiration time, and encrypts the user token JWT by adopting a given JWK signature;
S33, the first authentication node returns an encrypted user token JWT to the user.
7. The single sign-on method of claim 6 wherein the header of the user token JWT contains a key identification KID, the KID indicating a target public key for verifying the JWK signature, the step S4 comprising:
S41, responding to an access request triggered by the user in a third area, and reading the KID from the user token JWT head carried by the access request by a third authentication node;
S42, the third authentication node acquires a target public key according to the read KID, verifies the JWK signature of the user token JWT by adopting the target public key, and allows access under the condition that verification is passed.
8. The single sign-on method of claim 6 or 7, wherein the system further comprises a global key management module, the method further comprising at least one of:
A. The global key management module provides a private key used for the JWK signature to any authentication node;
B. the global key management module provides the public key used to verify the JWK signature to any authentication node;
C. the global key management module obtains a white list according to a preset public key, and provides a public key used for verifying the JWK signature to at least one authentication node through a key service interface;
D. the global key management module updates the managed at least one public key and/or at least one private key every preset period.
9. A multi-zone system, wherein the system has independent service nodes, storage nodes and authentication nodes for each zone; the service node, storage node and authentication node of each zone in the system are configured to perform a single sign-on method of the multi-zone system according to any of claims 1 to 8 to provide a single sign-on service to a user in any zone of the system.
10. A computer readable storage medium, characterized in that at least one program is stored in the storage medium, which is executed by a processor to implement the single sign-on method of the multi-zone system of any one of claims 1 to 8.
CN202410251052.XA 2024-03-05 2024-03-05 Multi-area system, single sign-on method for multi-area system and storage medium Pending CN118233156A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202410251052.XA CN118233156A (en) 2024-03-05 2024-03-05 Multi-area system, single sign-on method for multi-area system and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202410251052.XA CN118233156A (en) 2024-03-05 2024-03-05 Multi-area system, single sign-on method for multi-area system and storage medium

Publications (1)

Publication Number Publication Date
CN118233156A true CN118233156A (en) 2024-06-21

Family

ID=91506961

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202410251052.XA Pending CN118233156A (en) 2024-03-05 2024-03-05 Multi-area system, single sign-on method for multi-area system and storage medium

Country Status (1)

Country Link
CN (1) CN118233156A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN119135453A (en) * 2024-11-12 2024-12-13 惠州市乐亿通科技股份有限公司 Data access control method, device, system and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination