CN113378153B - Authentication method, first service device, second service device and terminal device - Google Patents
- Publication number: CN113378153B (application CN202110921878.9A)
- Authority: CN (China)
- Prior art keywords: authentication, service, service system, request, service device
- Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- G06F21/44 Program or device authentication (G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals)
- G06F16/2358 Change logging, detection, and notification (G06F16/00 Information retrieval; database structures therefor; file system structures therefor; G06F16/20 the same for structured data, e.g. relational data; G06F16/23 Updating)
- G06F16/245 Query processing (G06F16/00 Information retrieval; database structures therefor; file system structures therefor; G06F16/20 the same for structured data, e.g. relational data; G06F16/24 Querying)
- G06F21/45 Structures or tools for the administration of authentication (G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals)
Abstract
The invention provides an authentication method, a first service device, a second service device and a terminal device. The method comprises the following steps: receiving a first authentication request sent by a terminal device; when the first authentication request includes first authentication information associated with a second service system, sending a first authentication query request to a second service device; receiving a first return result that the second service device queries and sends based on the first authentication information and an authentication record; and sending a first authentication passing message to the terminal device when the first return result shows that the authentication state of the second service system is authentication success and that authentication state passes verification. With this authentication method, the terminal device requests login authentication for the first service system by sending the first authentication request to the first service device corresponding to that system; the first service device performs the authentication and sends the first authentication passing message, so that authentication performance can be improved.
Description
Technical Field
The present invention relates to the field of login authentication technologies, and in particular, to an authentication method, a first service device, a second service device, and a terminal device.
Background
With the continuous development of services, many service systems may be built. User authentication for these service systems is typically handled by a single unified user authentication management module: there is only one such module, and every service system shares it to authenticate and manage its users.
Because every user authentication must pass through the unified user authentication management module, that module easily becomes a performance bottleneck, and once it crashes no user of any service system can be authenticated. In other words, this authentication mode readily leads to poor authentication performance.
Disclosure of Invention
The invention provides an authentication method, a first service device, a second service device and a terminal device, and aims to solve the problem of poor authentication performance in the prior art.
In order to solve this technical problem, the invention is implemented as follows.
In a first aspect, the present invention provides an authentication method applied to a first service device, where the method includes:
receiving a first authentication request sent by a terminal device, where the first authentication request is used to request login authentication for a first service system corresponding to the first service device;
when the first authentication request includes first authentication information associated with a second service system, sending a first authentication query request to a second service device, where the first authentication query request includes the first authentication information;
receiving a first return result that the second service device queries and sends based on the first authentication information and an authentication record; and
sending a first authentication passing message to the terminal device when the first return result shows that the authentication state of the second service system is authentication success and it is determined that this authentication state passes verification.
In a second aspect, the present invention provides another authentication method applied to a second service device, where the method includes:
receiving a first authentication query request that a first service device sends upon receiving a first authentication request from a terminal device, where the first authentication query request includes first authentication information associated with a second service system, and the first authentication request is used to request login authentication for the first service system corresponding to the first service device; and
querying based on the first authentication information and an authentication record, and sending a first return result corresponding to the first authentication query request to the first service device;
where the first return result is used by the first service device to send a first authentication passing message to the terminal device when the first return result shows that the authentication state of the second service system is authentication success and that authentication state passes verification.
In a third aspect, the present invention provides another authentication method applied to a terminal device, where the method includes:
sending a first authentication request to a first service device, where the first authentication request is used to request login authentication for a first service system corresponding to the first service device; and
receiving a first authentication passing message sent by the first service device based on the first authentication request;
where the first authentication passing message is the message that the first service device sends to the terminal device when a first return result shows that the authentication state of the second service system is authentication success and it is determined that this authentication state passes verification; the first return result is the result that the second service device sends to the first service device after querying based on an authentication record and the first authentication information in a first authentication query request sent by the first service device; and the first authentication query request is the request that the first service device sends to the second service device when the first authentication request includes first authentication information associated with the second service system.
In a fourth aspect, the present invention provides a first service device, comprising a transceiver and a processor,
the transceiver is configured to receive a first authentication request sent by a terminal device, where the first authentication request is used to request login authentication for a first service system corresponding to the first service device;
the transceiver is configured to send a first authentication query request to a second service device when the first authentication request includes first authentication information associated with a second service system, where the first authentication query request includes the first authentication information;
the transceiver is configured to receive a first return result that the second service device queries and sends based on the first authentication information and an authentication record;
the transceiver is configured to send a first authentication passing message to the terminal device when the first return result indicates that the authentication state of the second service system is authentication success and it is determined that this authentication state passes verification.
In a fifth aspect, the present invention provides a second service device, comprising a transceiver and a processor,
the transceiver is configured to receive a first authentication query request that a first service device sends upon receiving a first authentication request from a terminal device, where the first authentication query request includes first authentication information associated with a second service system, and the first authentication request is used to request login authentication for the first service system corresponding to the first service device;
the transceiver is configured to query based on the first authentication information and an authentication record, and to send a first return result corresponding to the first authentication query request to the first service device;
where the first return result is used by the first service device to send a first authentication passing message to the terminal device when the first return result shows that the authentication state of the second service system is authentication success and that authentication state passes verification.
In a sixth aspect, the present invention provides a terminal device, comprising a transceiver and a processor,
the transceiver is configured to send a first authentication request to a first service device, where the first authentication request is used to request login authentication of a first service system corresponding to the first service device;
the transceiver is configured to receive a first authentication passing message sent by the first service device based on the first authentication request;
where the first authentication passing message is the message that the first service device sends to the terminal device when a first return result shows that the authentication state of the second service system is authentication success and it is determined that this authentication state passes verification; the first return result is the result that the second service device sends to the first service device after querying based on an authentication record and the first authentication information in a first authentication query request sent by the first service device; and the first authentication query request is the request that the first service device sends to the second service device when the first authentication request includes first authentication information associated with the second service system.
In a seventh aspect, the present invention provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the steps of the authentication method of the first aspect, of the second aspect, or of the third aspect described above.
In the authentication method of the invention, authentication requests are not all sent to one server, and the login authentication of each service system is not carried out through a single unified service device. Instead, a terminal device that requests login authentication for a first service system sends a first authentication request to the first service device corresponding to that system; the first service device performs the authentication and sends a first authentication passing message. During authentication by the first service device, if the first authentication request includes first authentication information associated with a second service system, this shows that the second service system has already performed an authentication, so a first authentication query request can be sent to the second service device, and login authentication for the first service system is carried out through the first return result that the second service device queries and sends based on the first authentication information and an authentication record. When the first return result shows that the authentication state of the second service system is authentication success, and it is confirmed that this authentication state passes verification, the first authentication passing message is sent to the terminal device, completing login authentication for the first service system. Authentication performance is thereby improved.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the description of the embodiments of the present invention will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art that other drawings can be obtained according to these drawings without inventive exercise.
Fig. 1 is a first flowchart of an authentication method according to an embodiment of the present invention;
Fig. 2 is a second flowchart of an authentication method according to an embodiment of the present invention;
Fig. 3 is a third flowchart of an authentication method according to an embodiment of the present invention;
Fig. 4 is a first interaction diagram of an authentication method according to an embodiment of the present invention;
Fig. 5 is a second interaction diagram of an authentication method according to an embodiment of the present invention;
Fig. 6 is a third interaction diagram of an authentication method according to an embodiment of the present invention;
Fig. 7 is a first schematic diagram of token validity period management in an authentication method according to an embodiment of the present invention;
Fig. 8 is a second schematic diagram of token validity period management in an authentication method according to an embodiment of the present invention;
Fig. 9 is a schematic structural diagram of a first service device according to an embodiment of the present invention;
Fig. 10 is a schematic structural diagram of a second service device according to an embodiment of the present invention;
Fig. 11 is a schematic structural diagram of a terminal device according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Referring to Fig. 1, which is a flowchart of an authentication method provided in an embodiment of the present invention and applied to a first service device, the method includes the following steps.
Step 101: receiving a first authentication request sent by a terminal device.
The first authentication request is used to request login authentication for a first service system corresponding to the first service device.
The first service device may be a first server. When the terminal device carries out service operations of the first service system it needs to log in to that system, and logging in requires login authentication. The terminal device first sends a first authentication request to the first service device corresponding to the first service system to request authentication for logging in to that system; once login authentication for the first service system succeeds, the terminal device can log in to the first service system and carry out subsequent service operations.
Step 102: when the first authentication request includes first authentication information associated with a second service system, sending a first authentication query request to a second service device.
The first authentication query request includes the first authentication information. If the first authentication request includes first authentication information associated with the second service system, this indicates that the terminal device obtained that information before sending the present first authentication request, and the first authentication information may indicate that the second service system successfully authenticated a second user identifier, that is, the authentication state of the second service system for the second user identifier is authentication success. In that case the first authentication query request may be sent to the second service device; it may be understood as a first verification request asking the second service device to verify the first authentication information. The second service device may be a second server. As an example, the first authentication information is the authentication information of the second service system for the second user identifier and may include a target user identifier and a system identifier of the second service system, where the second user identifier is associated with the target user identifier and is the user identifier of the target user identifier in the second service system.
In addition, as an example, the first authentication information may be authentication information that the terminal device received from a third service device corresponding to the second service system. For example, the terminal device may send a third authentication request to the third service device corresponding to the second service system, where the third authentication request is used to request login authentication for the second service system and includes the second user identifier; it may then receive a third authentication passing message sent by the third service device based on the third authentication request, where the third authentication passing message includes a third authentication success result and the first authentication information. It can be understood that the third authentication passing message is the message that the third service device sends to the terminal device after, in response to the third authentication request, login authentication of the second user identifier succeeds, the third service device sends second authentication data to the second service device, and the third service device receives the first authentication information that the second service device sends based on the second authentication data; the second authentication data includes the third authentication success result associated with the second service system and the second user identifier.
It should be noted that the third service device may be a third server, and that the first authentication information may be encrypted information. That is, before sending the first authentication information, the second service device may first encrypt it to obtain encrypted first authentication information (the first encrypted information) and send that to the third service device; the third service device receives the first authentication information that the second service device sends based on the second authentication data and sends the third authentication passing message to the terminal device, which may include the third authentication success result and the encrypted first authentication information. The first authentication request may then include the encrypted first authentication information, and after it is subsequently forwarded to the second service device in the first authentication query request, the second service device can decrypt it to obtain the first authentication information. As an example, after receiving the second authentication data the second service device may create an authentication record associated with the second service system, which includes the target user identifier, the authentication state of the second service system for the second user identifier (namely authentication success), the system identifier of the second service system, and a first token; the target authentication record may be understood in the same way as above.
Step 103: receiving a first return result that the second service device queries and sends based on the first authentication information and the authentication record.
After receiving the first authentication query request, the second service device queries and verifies the first authentication information against the authentication record and returns a first return result. It should be noted that the authentication record is a record of successful authentication held in the second service device: its authentication state is authentication success, and that state is within its validity period, that is, the successful authentication state is still valid. In other words, the authentication records of the various service systems are managed by the second service device.
Step 104: sending a first authentication passing message to the terminal device when the first return result shows that the authentication state of the second service system is authentication success and that authentication state passes verification.
If the received first return result indicates that the authentication state of the second service system is authentication success, the first service device still has to verify that authentication state. If verification passes, the login authentication for the first service system requested by the terminal device passes, and the first service device sends the first authentication passing message to the terminal device, indicating that the terminal device's login authentication for the first service system has passed and that it can log in to the first service system. It should be noted that after receiving a first return result indicating that the authentication state of the second service system is authentication success, the first service device may determine, according to its own service rule (a mutual recognition rule), whether to accept (recognise) the authentication result of the second service system, that is, whether that authentication result passes verification: if the first service device accepts the successful authentication state of the second service system, verification passes; if not, verification fails.
In this embodiment, the authentication state of the second service system may be verified in various ways, which are not limited here. As an example, a preset service system list related to the first service system may be stored in advance in the first service device and verification performed against it: when the preset service system list includes the second service system, it may be determined that the authentication state of the second service system passes verification. This may be understood as the first service system recognising the authentication states of the service systems in the preset list, that is, the authentication state of any service system in the preset service system list can pass verification by the first service device corresponding to the first service system.
In the authentication method of this embodiment, a terminal device sends to a first service device a first authentication request requesting login authentication for the first service system corresponding to that device. The first service device receives the first authentication request and, when it includes first authentication information associated with a second service system, sends a first authentication query request containing that information to the second service device. The second service device queries based on the first authentication information and an authentication record and returns a first return result. The first service device receives the first return result and authenticates based on it: when the first return result indicates that the authentication state of the second service system is authentication success, and it determines that this authentication state passes verification, the login authentication for the first service system requested by the terminal device passes, and the first authentication passing message may be sent to the terminal device.
That is, in the authentication method of this embodiment, authentication requests are not all sent to one server. Instead, a terminal device requesting login authentication for a first service system sends a first authentication request to the first service device corresponding to that system, which performs the authentication and sends a first authentication passing message. During that authentication, if the first authentication request includes first authentication information associated with a second service system, this indicates that the second service system has already performed an authentication; a first authentication query request may be sent to the second service device, and login authentication for the first service system may be carried out through the first return result that the second service device queries and sends based on the first authentication information and an authentication record. When the first return result shows that the authentication state of the second service system is authentication success and that authentication state passes verification, the first authentication passing message is sent to the terminal device, completing login authentication for the first service system and thus improving authentication performance.
In one embodiment, in the case that the first return result indicates that the authentication state of the second service system is authentication success and it is determined that the authentication state of the second service system passes verification, sending the first authentication passing message to the terminal device includes:
in the case that the first return result indicates that the authentication state of the second service system is authentication success and the authentication state of the second service system passes verification, sending a first authentication success result of the first service system for the first user identifier to the second service device;
receiving second authentication information associated with the first service system, sent by the second service device based on the first authentication success result, wherein the second authentication information is associated with the first user identifier and includes a target user identifier and a system identifier of the first service system; the first authentication information is associated with a second user identifier and includes the target user identifier and a system identifier of the second service system; the first user identifier and the second user identifier are both associated with the target user identifier, the first user identifier being the identifier of the target user in the first service system and the second user identifier being the identifier of the target user in the second service system;
and sending the first authentication passing message to the terminal device, wherein the first authentication passing message includes the first authentication success result and the second authentication information.
If the first authentication request includes first authentication information associated with the second service system, then before the terminal device sent this first authentication request, the second user identifier already underwent login authentication in the second service system and obtained the first authentication information; the first authentication information therefore represents the second service system's authentication of the second user identifier and is associated with that identifier. The first authentication success result indicates that the first service device has successfully authenticated the first user identifier for login to the first service system. It may be sent to the second service device, which, after receiving it, may send the second authentication information to the first service device; the second authentication information represents the first service system's authentication of the first user identifier and is associated with that identifier. In this embodiment, the first service device may send the first authentication success result and the second authentication information to the terminal device, completing login authentication of the first service system and improving authentication performance.
It should be noted that the second authentication information may be encrypted; that is, the second authentication information may be encrypted before the first authentication passing message is sent to the terminal device, yielding encrypted second authentication information (second encryption information), and the first authentication passing message may then include the first authentication success result and the encrypted second authentication information.
In an embodiment, the first return result includes the first user identifier, the system identifier of the second service system, and the authentication state of the second service system for the first user identifier; that is, the authentication state of the second service system referred to here is its authentication state for the first user identifier.
That is, when the first return result indicates that the authentication state of the second service system for the first user identifier is authentication success, and the first service device determines that this authentication state passes verification, the first service system accepts an authentication result whose source is the second service system's authentication of the first user identifier, and sends the first authentication success result of the first service system for the first user identifier to the second service device; in other words, the first service system has successfully authenticated the first user identifier, which may now log in to the first service system. It can be understood that, in this embodiment, the authentication state of the second service system for the first user identifier may be authentication success, and after the first service device receives the first return result, it sends the first authentication success result to the second service device if that authentication state passes verification.
In one embodiment, the first authentication information includes a first token having a first validity period;
receiving the first return result that the second service device looks up and sends based on the first authentication information and the authentication record includes:
receiving a first return result that the second service device looks up based on the first authentication information and the authentication record and sends in the case that the first token is valid, wherein the first return result indicates that the authentication state of the second service system is authentication success.
The first token is a token with a first validity period, that is, a time-limited token. After receiving the first authentication query request, the second service device may look up the first authentication information in the authentication record; if a target authentication record is found (a record whose authentication state is authentication success and which includes the first authentication information), the second service device sends a first return result indicating that the authentication state of the second service system is authentication success to the first service device, provided that the first token of the target authentication record is valid. In this way, the first service device can be assured that a first return result indicating authentication success was sent by the second service device only while the first token was valid, which improves the reliability of the first return result and hence of the authentication.
In one embodiment, the second authentication information includes a second token having a second validity period;
after receiving the second authentication information associated with the first service system, sent by the second service device based on the first authentication success result, the method further includes at least one of the following steps:
extending the second validity period of the second token based on a first validity extension notification sent by the second service device;
and sending a validity extension request message to the second service device, wherein the validity extension request message is used for requesting the second service device to extend the validity period of the second token.
That is, in this embodiment, the token validity period may be managed in an active mode or in a passive mode. In the active mode, the first service device receives a first validity extension notification sent by the second service device and extends the second validity period of the second token based on it. In the passive mode, the first service device sends a validity extension request message to the second service device to request extension of the second validity period of the second token; after receiving the request, the second service device may send a second validity extension notification to the first service device, which extends the second validity period of the second token based on that notification. Either mode implements management of the validity period of the second token. Because the validity period of the second token may be managed by at least one of these two steps, the flexibility of validity period management of the second token is improved.
In one embodiment, extending the second validity period of the second token based on the first validity extension notification sent by the second service device includes:
in the case that the time difference between the current time of the first service device and the end time of the second validity period of the second token is less than a preset duration, sending a first notification to the second service device, wherein the first notification is used for notifying the authentication state of the first user identifier in the first service system;
receiving a first validity extension notification sent by the second service device based on the first notification;
extending the second validity period of the second token based on the first validity extension notification.
That is, in this embodiment, the token validity period may be managed in an active mode: before the second token expires, the first service device actively reports the authentication state of the user in the first service system to the second service device. After the first service device completes authentication in the first service system and obtains the second authentication information returned by the second service device, and before the second token expires, it may actively notify the second service device of the authentication state of the first user identifier in the first service system through a first notification. When the authentication state reported in the first notification is still valid, the second service device extends the validity period of the second token. For example, the second service device may send a first validity extension notification to the first service device, and after receiving it, the first service device may extend the second validity period of the second token by the extension time carried in the notification. In addition, in this embodiment, the second service device may also extend the validity period of the second token recorded on its own side, for example by the same extension time. By actively sending the first notification to inform the second service device of the authentication state of the first user identifier in the first service system, the first service device enables the subsequent extension of the second token and thereby implements effective management of its validity period.
In one embodiment, sending the validity extension request message to the second service device includes:
receiving a second notification sent by the second service device when it detects that the time difference between the current time of the second service device and the end time of the second validity period of the second token is less than the preset duration, wherein the second notification is used for notifying that the second token is about to expire;
and in the case that the authentication state of the first user identifier in the first service system is valid, sending a validity extension request message to the second service device, wherein the validity extension request message is used for requesting the second service device to extend the validity period of the second token.
In this embodiment, the token validity period may also be managed in a passive mode. The second service device sends a second notification to the first service device before the second token expires. If the authentication state of the first user identifier in the first service system is valid, the first service device knows that this authentication state has not expired while the second token is about to; at this point it may send a validity extension request message to the second service device, requesting extension of the validity period of the second token. After receiving the request, the second service device may send a second validity extension notification to the first service device, which may extend the second validity period of the second token based on it, for example by the extension time carried in the second validity extension notification. In addition, in this embodiment, the second service device may also extend the validity period of the second token recorded on its own side, for example by the same extension time.
In this embodiment, the second service device sends the second notification to inform the first service device that the authentication state of the first user identifier in the first service system is about to expire, and the first service device, when that authentication state is still valid, sends a validity extension request message to the second service device to request extension of the validity period of the second token, thereby implementing effective management of the validity period of the second token.
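The two renewal modes described above, as an added Python model that is not the patent's own code: both devices keep their own copy of the second token so the synchronised extension is visible, and the device names, the in-memory message exchange, the preset duration, the extension time and all timestamps are constructed here.

```python
"""Second-token validity management in the active mode (first service device
reports its authentication state before expiry) and the passive mode (second
service device warns of upcoming expiry, first service device requests an
extension). Added illustration with constructed values; not the patent's code."""
from dataclasses import dataclass, field
from typing import Optional

PRESET_DURATION = 60    # preset duration (s): renewal starts this close to expiry
EXTENSION_TIME = 300    # extension time (s) carried in a validity extension notification


@dataclass
class Token:
    value: str
    valid_until: int    # end time of the validity period, epoch seconds

    def is_valid(self, now: int) -> bool:
        return now < self.valid_until

    def expiring_soon(self, now: int) -> bool:
        return self.is_valid(now) and self.valid_until - now < PRESET_DURATION


@dataclass
class SecondServiceDevice:
    """Holds the authentication records, keyed by (target user, system identifier)."""
    records: dict = field(default_factory=dict)

    def _extend(self, key: tuple) -> dict:
        tok = self.records[key]
        tok.valid_until += EXTENSION_TIME
        return {"type": "validity_extension", "valid_until": tok.valid_until}

    def on_first_notification(self, key: tuple, state_valid: bool, now: int) -> Optional[dict]:
        """Active mode: extend only if the reported state is valid and the recorded
        token has not yet expired; the reply is the first validity extension notification."""
        if state_valid and self.records[key].is_valid(now):
            return self._extend(key)
        return None

    def poll_expiry(self, key: tuple, now: int) -> Optional[dict]:
        """Passive mode: emit the second notification when the token is about to expire."""
        if self.records[key].expiring_soon(now):
            return {"type": "second_notification", "key": key}
        return None

    def on_extension_request(self, key: tuple, now: int) -> Optional[dict]:
        """Passive mode: answer a validity extension request with the second notification."""
        if self.records[key].is_valid(now):
            return self._extend(key)
        return None


@dataclass
class FirstServiceDevice:
    system_id: str
    second: SecondServiceDevice
    sessions: dict = field(default_factory=dict)   # target user -> [Token, state_valid]

    def _apply(self, user: str, notification: Optional[dict]) -> bool:
        if notification is None:
            return False
        self.sessions[user][0].valid_until = notification["valid_until"]
        return True

    def active_renewal(self, user: str, now: int) -> bool:
        """Active mode: shortly before expiry, send the first notification."""
        tok, state_valid = self.sessions[user]
        if not tok.expiring_soon(now):
            return False
        key = (user, self.system_id)
        return self._apply(user, self.second.on_first_notification(key, state_valid, now))

    def passive_renewal(self, user: str, now: int) -> bool:
        """Passive mode: act on a second notification, requesting extension only
        while the local authentication state is still valid."""
        key = (user, self.system_id)
        if self.second.poll_expiry(key, now) is None:
            return False
        if not self.sessions[user][1]:
            return False
        return self._apply(user, self.second.on_extension_request(key, now))


def demo() -> dict:
    """Constructed scenario: three users of system svc-A hold second tokens ending at t=1000."""
    second = SecondServiceDevice()
    first = FirstServiceDevice("svc-A", second)
    for user, state_valid in (("u1", True), ("u2", True), ("u3", False)):
        second.records[(user, "svc-A")] = Token(f"tok-{user}", 1000)
        first.sessions[user] = [Token(f"tok-{user}", 1000), state_valid]
    out = {}
    out["active_too_early"] = first.active_renewal("u1", 900)   # 100 s left: nothing sent
    out["active"] = first.active_renewal("u1", 950)             # 50 s left: extended to 1300
    out["u1_valid_until"] = (first.sessions["u1"][0].valid_until,
                             second.records[("u1", "svc-A")].valid_until)
    out["passive"] = first.passive_renewal("u2", 960)           # notified, requested, extended
    out["u2_valid_until"] = first.sessions["u2"][0].valid_until
    out["passive_state_invalid"] = first.passive_renewal("u3", 960)  # local state invalid
    out["expired"] = first.active_renewal("u1", 1400)           # past 1300: no extension
    return out
```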
In one embodiment, after receiving the first return result that the second service device looks up and sends based on the first authentication information and the authentication record, the method further includes:
sending an authentication failure result associated with the first service system to the terminal device in the case that the first return result indicates that the authentication state of the second service system is authentication failure, or in the case that the first return result indicates that the authentication state of the second service system is authentication success but it is determined that the authentication state of the second service system fails verification.
It is understood that, in this embodiment, the first return result may carry an authentication failure message of the second service system, in which case it indicates that the authentication state of the second service system is authentication failure. As an example, the second service device may return a first return result indicating authentication failure if no target authentication record is found in the authentication record, or if a target authentication record is found but its first token is invalid. When the first return result indicates that the authentication state of the second service system is authentication failure, the first service device sends an authentication failure result associated with the first service system to the terminal device. Alternatively, when the first return result indicates that the authentication state of the second service system is authentication success but that state is determined to fail verification, for example because the second service system is not in a preset service list, the first service system does not accept the second service system's successful authentication, and the authentication failure result associated with the first service system is likewise sent to the terminal device. Sending the authentication failure result informs the terminal device that authentication has failed, so that it can subsequently authenticate again.
In one embodiment, after sending the authentication failure result associated with the first service system to the terminal device, the method further includes:
receiving a second authentication request sent by the terminal device, wherein the second authentication request is used for requesting login authentication of the first service system and includes the first user identifier;
in the case that login authentication of the first user identifier in response to the second authentication request is successful, sending first authentication data to the second service device, wherein the first authentication data includes a second authentication success result associated with the first service system and the first user identifier;
receiving third authentication information associated with the first service system, sent by the second service device based on the first authentication data, wherein the third authentication information is associated with the first user identifier and includes the target user identifier and the system identifier of the first service system, the target user identifier being associated with the first user identifier;
and sending a second authentication passing message to the terminal device, wherein the second authentication passing message includes the second authentication success result and the third authentication information.
That is, in this embodiment, after the authentication failure result associated with the first service system has been sent to the terminal device, the terminal device makes the authentication request again by sending a second authentication request, which includes the first user identifier, to the first service device. The first service device then authenticates locally based on the second authentication request, that is, it performs login authentication of the first user identifier. It should be noted that the second authentication request may further include a first login password corresponding to the first user identifier, in which case the first service device performs login authentication on the first user identifier and the first login password; for example, if the first user identifier is contained in the user identifier list stored in the first service device and the login password stored for it in that list is consistent with the first login password, login authentication is determined to be successful. When login authentication of the first user identifier succeeds, the first service device may send first authentication data to the second service device. The second service device may then generate an authentication record associated with the first service system based on the first authentication data and send third authentication information associated with the first service system to the first service device, the third authentication information being the first service system's authentication information for the first user identifier, associated with that identifier, and including the target user identifier and the system identifier of the first service system.
The generated authentication record associated with the first service system may include the third authentication information and an authentication state indicating that the first service system successfully authenticated the first user identifier. After receiving the third authentication information, the first service device may send the second authentication passing message to the terminal device, completing login authentication of the first user identifier in the first service system and improving authentication performance.
It should be noted that the third authentication information may be encrypted; that is, before the second service device sends the third authentication information, it may encrypt it to obtain encrypted third authentication information (third encryption information) and send that to the first service device. The first service device then receives the encrypted third authentication information associated with the first service system, sent by the second service device based on the first authentication data, and the second authentication passing message may include the second authentication success result and the encrypted third authentication information.
Referring to fig. 2, fig. 2 is a flowchart of an authentication method provided by an embodiment of the present invention for a second service device. As shown in fig. 2, the method includes the following steps:
step 201: receiving a first authentication query request sent by a first service device upon receiving a first authentication request sent by a terminal device;
the first authentication query request includes first authentication information associated with the second service system, and the first authentication request is used for requesting login authentication of a first service system corresponding to the first service device;
step 202: querying based on the first authentication information and the authentication record, and sending a first return result corresponding to the first authentication query request to the first service device.
The first return result is used by the first service device to send a first authentication passing message to the terminal device, realizing login authentication, in the case that the first return result indicates that the authentication state of the second service system is authentication success and the authentication state of the second service system passes verification.
It should be noted that the authentication record is a record of successful authentication held in the second service device; that is, the authentication state of the record is authentication success, and that state is within its validity period, i.e. valid. In other words, the second service device manages the authentication records of the different service systems.
In the authentication method of this embodiment, a terminal device sends to a first service device a first authentication request for requesting login authentication of the first service system corresponding to that device. When the first authentication request received by the first service device includes first authentication information associated with a second service system, the first service device may send a first authentication query request including that information to the second service device. The second service device queries based on the first authentication information and the authentication record and returns a first return result. When the first return result indicates that the authentication state of the second service system is authentication success, and the first service device confirms that this authentication state passes verification, the first service device sends a first authentication passing message to the terminal device, realizing login authentication.
That is, in the authentication method of this embodiment, instead of sending every authentication request to a single unified server, the terminal device requests login authentication of the first service system by sending a first authentication request to the first service device corresponding to that system; the first service device may send a first authentication query request to the second service device; the second service device may query based on the authentication record and the first authentication information in the request and send a first return result to the first service device; and the first return result is used by the first service device to send a first authentication passing message to the terminal device, completing login authentication of the first service system, when the result indicates that the authentication state of the second service system is authentication success and that state is determined to pass verification. Authentication performance is thereby improved.
In one embodiment, after querying based on the first authentication information and the authentication record and sending the first return result corresponding to the first authentication query request to the first service device, the method further includes:
in the case that a first authentication success result sent by the first service device is received, creating an authentication record of successful authentication associated with the first service system;
and sending second authentication information associated with the first service system to the first service device.
The first authentication success result is sent by the first service device to the second service device when the first return result indicates that the authentication state of the second service system is authentication success and that state passes verification. After receiving the first authentication success result, the second service device may create an authentication record associated with the first service system whose authentication state is authentication success, indicating that the first service system has authenticated successfully, for example that it has successfully authenticated the first user identifier. As an example, the authentication record created in the second service device and associated with the first service system includes the target user identifier, the system identifier of the first service system, and the second token.
In one embodiment, querying based on the first authentication information and the authentication record, and sending the first return result corresponding to the first authentication query request to the first service device, includes:
in the case that a target authentication record is found among the authentication records of successful authentication, sending a first return result to the first service device, wherein the first return result indicates that the authentication state of the second service system is authentication success, and the target authentication record has an authentication state of authentication success and includes the first authentication information.
If a target authentication record is found among the authentication records of successful authentication, the authentication record contains a record whose information is consistent with the first authentication information, so a first return result indicating that the authentication state of the second service system is authentication success may be sent to the first service device. Sending this result only when such a target authentication record is found improves the reliability of the entire authentication process.
As an example, the target authentication record further includes a first token with a first validity period, and sending the first return result to the first service device when the target authentication record is found among the authentication records of successful authentication may include: when the target authentication record is found among the authentication records of successful authentication, sending the first return result to the first service device if the first token in the target authentication record is valid.
That is, when a target authentication record whose information is consistent with the first authentication information is found in the authentication record, it is further necessary to check whether the first token is valid, and only when the first token is valid is a first return result indicating that the authentication state of the second service system is authentication success sent to the first service device.
In another embodiment, querying based on the first authentication information and the authentication record, and sending the first return result corresponding to the first authentication query request to the first service device, includes:
in the case that no target authentication record is found among the authentication records of successful authentication, sending a first return result indicating that the authentication state of the second service system is authentication failure to the first service device, wherein the target authentication record is a record whose authentication state is authentication success and which includes the first authentication information.
That is, when no target authentication record is found among the authentication records of successful authentication, the second service device may send a first return result indicating that the authentication state of the second service system is authentication failure to the first service device, and after receiving it the first service device may send an authentication failure result associated with the first service system to the terminal device. Alternatively, where the target authentication record further includes the first token, the second service device sends a first return result indicating authentication failure to the first service device when the target authentication record is found among the authentication records of successful authentication but the first token in it is invalid.
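The query exchange of steps 201 and 202, together with the first service device's handling of the first return result (success, authentication failure, and a success state that fails verification because the second service system is not in the preset service list), as an added Python model that is not the patent's own code: the identifiers, timestamps and preset service list are constructed, and random hex strings stand in for the first and second tokens.

```python
"""Model of the first authentication query: the first service device receives
a first authentication request carrying first authentication information from
a second service system, asks the second service device to look it up in the
authentication record, verifies the returned state, and either completes the
login or reports failure. Added illustration with constructed values; not the
patent's code."""
from dataclasses import dataclass
import secrets


@dataclass
class AuthRecord:
    """A successful authentication record held by the second service device."""
    target_user_id: str
    system_id: str
    token: str
    valid_until: int    # end of the token's validity period, epoch seconds


class SecondServiceDevice:
    def __init__(self) -> None:
        self.records: dict = {}    # (target_user_id, system_id) -> AuthRecord

    def query(self, first_auth_info: dict, now: int) -> dict:
        """Step 202: look for a target record consistent with the first authentication
        information; report failure if none exists or its token has expired."""
        key = (first_auth_info["target_user_id"], first_auth_info["system_id"])
        rec = self.records.get(key)
        if (rec is None or not secrets.compare_digest(rec.token, first_auth_info["token"])
                or now >= rec.valid_until):
            return {"system_id": first_auth_info["system_id"], "state": "failure"}
        return {"system_id": rec.system_id, "target_user_id": rec.target_user_id,
                "state": "success"}

    def create_record(self, target_user_id: str, system_id: str, now: int,
                      validity: int = 3600) -> dict:
        """On an authentication success result from a service system, create its record
        and return the authentication information (target user, system id, token)."""
        token = secrets.token_hex(16)
        self.records[(target_user_id, system_id)] = AuthRecord(
            target_user_id, system_id, token, now + validity)
        return {"target_user_id": target_user_id, "system_id": system_id,
                "token": token, "valid_until": now + validity}


class FirstServiceDevice:
    def __init__(self, system_id: str, second: SecondServiceDevice,
                 preset_service_list: set, user_map: dict) -> None:
        self.system_id = system_id
        self.second = second
        self.preset_service_list = preset_service_list  # second systems whose success is accepted
        self.user_map = user_map    # target_user_id -> first user identifier in this system

    def handle_first_auth_request(self, request: dict, now: int) -> dict:
        info = request.get("first_auth_info")
        if info is None:
            return {"result": "failure", "reason": "no first authentication information"}
        result = self.second.query(info, now)    # first return result
        if result["state"] != "success":
            return {"result": "failure", "reason": "second system: authentication failure"}
        if result["system_id"] not in self.preset_service_list:
            # success reported, but the authentication state does not pass verification here
            return {"result": "failure", "reason": "second system not in preset list"}
        first_user_id = self.user_map.get(result["target_user_id"])
        if first_user_id is None:
            return {"result": "failure", "reason": "target user unknown in first system"}
        # first authentication success result -> second service device issues second auth info
        second_auth_info = self.second.create_record(result["target_user_id"], self.system_id, now)
        # first authentication passing message
        return {"result": "success", "first_user_id": first_user_id,
                "second_auth_info": second_auth_info}


def demo() -> dict:
    """Constructed scenario: u-42 already authenticated with svc-B (accepted) and svc-C (not)."""
    second = SecondServiceDevice()
    info_b = second.create_record("u-42", "svc-B", now=1000)    # first token valid until 4600
    info_c = second.create_record("u-42", "svc-C", now=1000)
    first = FirstServiceDevice("svc-A", second, {"svc-B"}, {"u-42": "alice@svc-A"})
    out = {}
    out["ok"] = first.handle_first_auth_request({"first_auth_info": info_b}, now=2000)
    out["wrong_token"] = first.handle_first_auth_request(
        {"first_auth_info": {**info_b, "token": "00" * 16}}, now=2000)
    out["expired"] = first.handle_first_auth_request({"first_auth_info": info_b}, now=5000)
    out["untrusted"] = first.handle_first_auth_request({"first_auth_info": info_c}, now=2000)
    out["record_created"] = ("u-42", "svc-A") in second.records
    return out
```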
In one embodiment, after sending a first return result indicating that the authentication state of the second service system is authentication failure to the first service device because no target authentication record was found among the authentication records of successful authentication, the method further includes:
receiving first authentication data sent by the first service device, wherein the first authentication data includes a second authentication success result associated with the first service system and the first user identifier;
creating an authentication record of successful authentication associated with the first service system based on the first authentication data;
and sending third authentication information associated with the first service system to the first service device, wherein the third authentication information is associated with the first user identifier and includes the target user identifier and the system identifier of the first service system, the target user identifier being associated with the first user identifier.
In this implementation, the terminal device sends a second authentication request including the first user identifier to the first service device, which authenticates locally based on that request, that is, performs login authentication of the first user identifier. When login authentication of the first user identifier succeeds, the first service device may send the first authentication data to the second service device, which may generate an authentication record associated with the first service system based on the first authentication data and send third authentication information associated with the first service system to the first service device; the third authentication information is the first service system's authentication information for the first user identifier, is associated with that identifier, and includes the target user identifier and the system identifier of the first service system. The generated authentication record may include the third authentication information and an authentication state indicating that the first service system successfully authenticated the first user identifier. After receiving the third authentication information, the first service device may send a second authentication passing message to the terminal device, completing login authentication of the first user identifier in the first service system and improving authentication performance.
Referring to fig. 3, which is a flowchart of an authentication method provided in an embodiment of the present invention and applied to a terminal device, the method includes the following steps:
step 301: sending a first authentication request to a first service device, wherein the first authentication request is used for requesting login authentication of a first service system corresponding to the first service device;
step 302: receiving a first authentication passing message sent by the first service device based on the first authentication request;
The first authentication passing message is a message that the first service device sends to the terminal device when a first return result indicates that the authentication status of the second service system is authentication success and that authentication status is verified. The first return result is the result that the second service device sends to the first service device after querying, based on the authentication record and the first authentication information in a first authentication query request sent by the first service device. The first authentication query request is a request that the first service device sends to the second service device when the first authentication request includes first authentication information associated with the second service system.
In one embodiment, after sending the first authentication request to the first service device, the method further includes:
receiving an authentication failure result associated with the first service system and sent by the first service device;
and the authentication failure result is a result sent to the terminal device by the first service device when the first returned result indicates that the authentication state of the second service system is authentication failure, or when the first returned result indicates that the authentication state of the second service system is authentication success and the authentication state verification of the second service system is determined to be failed.
In one embodiment, after receiving the authentication failure result associated with the first service system sent by the first service device, the method further includes:
sending a second authentication request to the first service device, wherein the second authentication request is used for requesting login authentication of the first service system, and the second authentication request comprises a first user identifier;
receiving a second authentication passing message sent by the first service device, wherein the second authentication passing message comprises a second authentication success result and third authentication information;
The second authentication passing message is a message that the first service device sends to the terminal device when, in response to the second authentication request, login authentication of the first user identifier succeeds and the first service device receives third authentication information that the second service device sends based on first authentication data and that is associated with the first service system. The first authentication data comprises a second authentication success result associated with the first service system and the first user identifier; the third authentication information is associated with the first user identifier and comprises a target user identifier and a system identifier of the first service system, and the target user identifier is associated with the first user identifier.
The procedure of the above-described authentication method is described below with reference to a specific example. The first service system is taken as service system B, corresponding to the first service device; the second service system is taken as service system A, corresponding to the third service device; the second service device corresponds to the main data system; the first user identifier is USER_B, the second user identifier is USER_A, and the target user identifier is USER_TT.
The service system authentication module is responsible for the user authentication service of each service system; the authentication modules of the service systems are mutually independent, and user authentication and user permissions are configured independently by each service system.
The main data system is a new system introduced by the method of the present invention. It is connected to the authentication module of each service system and acquires the user information of each service system, such as the user identifier (i.e. user ID) and user name, through a synchronous interface or an asynchronous interface.
In addition, the main data system may associate the user information that it stores for each service system, and use a uniform global user identifier to identify the association between the same user's identifiers in different service systems. For example, for the first user identifier USER_B and the second user identifier USER_A, the global user identifier is the target user identifier, i.e. USER_TT; it can be understood that the user identifier of the global user identifier USER_TT in the first service system is USER_B, and its user identifier in the second service system is USER_A.
For example: for a user TT whose user ID in service system A is USER_A and whose user ID in service system B is USER_B, the main data system in the second service device creates a global user identifier USER_TT, as shown in table 1, where the global user identifier USER_TT is used to associate the user ID in service system A with the user ID in service system B.
TABLE 1
| Global user identifier | User identifier in service system A | User identifier in service system B |
| --- | --- | --- |
| USER_TT | USER_A | USER_B |
Besides associating the user identifiers of the same user across the service systems, the main data system also maintains the authentication state of the user in each service system. When a user logs in to a service system, the user first authenticates in that service system. After the authentication passes, the service system accesses the main data system to update the user authentication state; once the state is updated, the main data system returns to the service system the global user identifier, the authentication state and the validity information (token) of the authentication state. The service system encrypts the global user identifier, the authentication state, the validity information and so on and returns the encrypted result to the terminal device; for example, when the user logs in through an APP (application) or a browser, the encrypted information is returned to the APP or browser.
User information synchronization: when a user administrator of a service system creates a new user in the user authentication module of that service system, the user-related information is synchronized to the main data system through the main data system's synchronous interface (namely an API (application program interface) interface) or asynchronous interface (a message queue interface). After the main data system receives the new-user creation information from the service system, the corresponding new user information is inserted into the main data system with the user state "unassociated". The main data administrator processes user information in the "unassociated" state: according to the user information created in the main data system by the different service systems, the administrator either creates a new global user identifier to associate users from different service systems, or associates an "unassociated" user with an already created global user identifier. When the user administrator of a service system logs off a system user, the above process is reversed: the service system synchronizes the logged-off user information to the main data system through the synchronous or asynchronous interface, and the main data system marks the user's state as "logged off".
As shown in fig. 4 and 5, taking two service systems as an example, the user authentication process is as follows:
the user U sends a third authentication request to service system A through the terminal device, and user authentication is completed according to the authentication policy of service system A;
after service system A completes user authentication and the authentication passes, it synchronizes second authentication data (including the user identifier USER_A and a third authentication success result) to the main data system; when the authentication fails, the authentication failure result is returned directly to the user U;
the main data system finds the global user identifier USER_TT according to the user identifier USER_A of service system A, creates an authentication record associated with service system A recording that the authentication state of user U in service system A is authentication success, records the user authentication source as service system A (i.e. records the system identifier of service system A), and at the same time generates a first token with a validity period for authentication and records it too. That is, the authentication record associated with service system A may include the global user identifier USER_TT, the authentication state of service system A for the user identifier USER_A (namely authentication success), the system identifier of service system A and the first token;
the main data system packs and encrypts first authentication information comprising the global user identifier USER_TT, the first token and the system identifier of service system A (the authentication source), generating first encryption information, and returns the first encryption information to service system A;
after receiving the first encryption information returned by the main data system, service system A returns a third authentication passing message (including the first encryption information and the third authentication success result) to the terminal device;
when user U logs in to service system B with the same client on the terminal device, the terminal device transmits the first encryption information to service system B through a first authentication request; after service system B receives the first authentication request and detects that it comprises the first encryption information, it can transmit the first encryption information to the main data system through a first authentication query request for query and verification;
the main data system receives the first encryption information sent by service system B, decrypts it, and parses out the global user identifier USER_TT, the first token, the system identifier of service system A and so on;
the main data system compares the authentication records it holds with the first authentication information obtained by decryption, and returns a first return result indicating authentication failure to service system B when the authentication records do not comprise a target authentication record, namely when the information comparison is inconsistent;
when the authentication record comprises a target authentication record with information consistent with the first authentication information, detecting the validity of the first token:
if the first token is valid, namely its validity period has not ended, the user identifier USER_B of service system B is looked up according to the global user identifier USER_TT, and a first return result comprising the system identifier of the authentication source system (service system A), the authentication state (authentication success) and the user's identifier USER_B in service system B is returned to service system B;
if the first token is invalid, namely expired, a first return result indicating authentication failure is returned to service system B;
the service system B receives a first return result returned by the main data system:
when the first return result returned by the main data system indicates authentication success, service system B decides, according to its own service rules, whether to accept the successful authentication result of another system, that is, whether service system B accepts the authentication result of the authentication source system, service system A, for the user USER_B. If so, a first authentication success result is returned to the main data system; the main data system creates an authentication record associated with service system B, encrypts the second authentication information to obtain second encryption information and sends it to service system B, and service system B sends a first authentication passing message to the terminal device based on the second encryption information, where the first authentication passing message comprises the first authentication success result and the second encryption information. When service system B does not accept the authentication result of service system A for the user USER_B, the authentication failure result is returned directly to the terminal device, and service system B starts user authentication according to its own authentication policy;
when the first return result returned by the main data system to service system B indicates authentication failure, or service system B does not accept the authentication result of service system A for the user USER_B and returns the authentication failure result to the terminal device, service system B starts user authentication according to its own authentication policy, as shown in fig. 5. Specifically, the terminal device sends a second authentication request to service system B, service system B starts user authentication according to its own authentication policy, and when the authentication passes it sends a second authentication success result to the main data system. After the main data system receives the second authentication success result of service system B for USER_B, it creates an authentication record associated with service system B, encrypts third authentication information to obtain third encryption information and sends it to service system B, and service system B sends a second authentication passing message to the terminal device based on the third encryption information.
That is, after the main data system receives the first authentication success result or the second authentication success result, an authentication record associated with service system B can be added to the main data system, marking that user U has been authenticated successfully in service system B. At this point the main data system holds two authentication records for the user: the authentication record of service system A and the authentication record of service system B. While creating the authentication record associated with service system B, a second token with a validity period can be generated and recorded in that authentication record; the main data system then encrypts authentication information comprising the global user identifier USER_TT, the second token and the system identifier of the authentication source system (namely service system B) to obtain encryption information (the second encryption information or the third encryption information), and returns it to service system B;
and service system B receives the second encryption information or the third encryption information returned by the main data system, and directly returns to the terminal device a first authentication passing message comprising the second encryption information and the first authentication result, or a second authentication passing message comprising the third encryption information and the second authentication success result, so that the unified authentication login of service system A and service system B is completed.
As shown in fig. 6, when the user U subsequently logs in the service system C through the terminal device by using the same client, the authentication process is similar to the authentication process of the login service system B, and the process is as follows:
the terminal device can transmit the second encryption information through a fourth authentication request to the fourth service device, namely the service device corresponding to service system C; after service system C receives the fourth authentication request, if the fourth authentication request comprises the second encryption information, service system C transmits the second encryption information to the main data system for verification through a second authentication query request;
the main data system receives the second encryption information sent by service system C, decrypts it, and parses out the global user identifier USER_TT, the second token, the system identifier of the authentication source system (namely service system B) and so on;
the main data system compares the authentication records it holds with the decrypted second authentication information, taking the target authentication record containing the first authentication information as the first target authentication record, and returns a second return result indicating authentication failure to service system B when the authentication records do not contain a second target authentication record, namely when the information comparison is inconsistent; the second target authentication record comprises the second authentication information, its authentication state is authentication success, and it also comprises the target user identifier and the second token.
When the authentication record comprises a second target authentication record with information consistent with the second authentication information, the validity of the second token is detected:
if the second token is valid, namely its validity period has not ended, the user identifier USER_C of service system C is looked up according to the global user identifier USER_TT, and a second return result comprising the system identifier of the authentication source system (service system B), the authentication state (authentication success) and the user's identifier USER_C in service system C is returned to service system B;
if the second token is invalid, namely expired, returning a second return result indicating authentication failure to the service system C;
and the service system B receives a second return result returned by the main data system:
and when the second return result returned by the main data system indicates authentication success, service system C decides, according to its own service rules, whether to accept the successful authentication result of another system, that is, whether service system C accepts the authentication result of service system B for the user USER_C, and if so returns a fourth authentication success result to the main data system. When service system C does not accept the authentication result of service system B for the user USER_C, the authentication failure result is returned directly to the terminal device, and service system C starts user authentication according to its own authentication policy;
and when the result returned by the main data system to service system C indicates authentication failure, or service system C does not accept the authentication result of service system B for the user USER_C, service system C starts user authentication according to its own authentication policy.
After receiving the fourth authentication success result of service system C for USER_C, the main data system creates an authentication record associated with service system C, encrypts the fourth authentication information to obtain fourth encryption information and sends it to service system C, and service system C sends a fourth authentication passing message to the terminal device based on the fourth encryption information. That is, an authentication record is added to the main data system marking that user U has been authenticated successfully in service system C; at this point the main data system holds three authentication records for the user: the authentication record of service system A, that of service system B and that of service system C. While creating the authentication record associated with service system C, a third token with a validity period can be generated and recorded in the authentication record; the main data system encrypts fourth authentication information comprising the global user identifier USER_TT, the third token and the system identifier of the authentication source system (i.e. service system C) to obtain the fourth encryption information, and returns it to service system C;
and service system C receives the fourth encryption information returned by the main data system and directly returns to the terminal device a fourth authentication passing message comprising the fourth encryption information and the fourth authentication result, completing the authentication of service system C.
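The A to B to C flow described above, written out as an added simulation that is not the patent's own code: the main data system keeps the Table 1 association and one authentication record per system login, seals the authentication information it hands back, and answers each service system's authentication query request with a return result, while every service system keeps its own authentication module and its own rule for accepting another system's result. The sealing uses HMAC-SHA256 in place of the patent's encryption (it gives integrity only; a deployment would use authenticated encryption), and the token lifetime, the password stores, the trusted-source rules and the user names are constructed assumptions.

```python
import base64
import hashlib
import hmac
import json
import secrets

TOKEN_TTL = 600  # token validity in seconds (constructed value, not from the patent)


class MasterDataSystem:  # main data system: Table 1 association + authentication records
    def __init__(self, key):
        self._key = key    # sealing key known only to the main data system
        self.users = {}    # global user identifier -> {system id: user id in that system}
        self.records = {}  # token -> authentication record

    def _seal(self, info):
        # stands in for "pack and encrypt": JSON body + HMAC-SHA256 tag, base64-encoded
        body = json.dumps(info, sort_keys=True).encode()
        tag = hmac.new(self._key, body, hashlib.sha256).digest()
        return base64.urlsafe_b64encode(body + tag).decode()

    def _open(self, blob):
        try:
            raw = base64.urlsafe_b64decode(blob)
            body, tag = raw[:-32], raw[-32:]
            expect = hmac.new(self._key, body, hashlib.sha256).digest()
            return json.loads(body) if hmac.compare_digest(expect, tag) else None
        except (ValueError, TypeError):
            return None

    def record_success(self, system_id, user_id, now):
        """A service system reports a passed login; returns its sealed authentication info."""
        gid = next((g for g, ids in self.users.items() if ids.get(system_id) == user_id), None)
        if gid is None:
            return None
        token = secrets.token_hex(16)
        self.records[token] = {"global_id": gid, "system_id": system_id,
                               "status": "success", "expires": now + TOKEN_TTL}
        return self._seal({"global_id": gid, "token": token, "system_id": system_id})

    def query(self, blob, target_system, now):
        """Authentication query request from target_system -> return result."""
        info = self._open(blob)
        rec = self.records.get(info.get("token")) if info else None
        matches = rec is not None and (rec["global_id"], rec["system_id"]) == (
            info.get("global_id"), info.get("system_id"))
        # unmatched, logged-out (unauthenticated) or expired records fail before any lookup
        if not matches or rec["status"] != "success" or now >= rec["expires"]:
            return {"status": "fail"}
        target_uid = self.users[rec["global_id"]].get(target_system)
        if target_uid is None:  # the user has no identifier in the requesting system
            return {"status": "fail"}
        return {"status": "success", "source_system": rec["system_id"], "user_id": target_uid}

    def logout(self, blob):
        """The source system reports that the user exited: mark its record unauthenticated."""
        info = self._open(blob)
        if info and info.get("token") in self.records:
            self.records[info["token"]]["status"] = "unauthenticated"


class ServiceSystem:  # keeps its own authentication module and its own acceptance rule
    def __init__(self, system_id, mds, trusted_sources, passwords):
        # trusted_sources: source systems whose result is accepted; passwords: constructed store
        self.system_id, self.mds, self.trusted, self.passwords = system_id, mds, set(trusted_sources), passwords

    def login_with_info(self, blob, now):
        """Authentication request that carries another system's sealed information."""
        result = self.mds.query(blob, self.system_id, now)
        if result["status"] == "success" and result["source_system"] in self.trusted:
            return "pass", self.mds.record_success(self.system_id, result["user_id"], now)
        return "fail", None  # the terminal must fall back to a local login

    def login_local(self, user_id, password, now):
        """This system's own authentication policy (a password check here)."""
        if hmac.compare_digest(self.passwords.get(user_id, ""), password):
            return "pass", self.mds.record_success(self.system_id, user_id, now)
        return "fail", None


def run_flow(now=1_000_000):  # drive user TT through A -> B -> C plus the failure cases
    mds = MasterDataSystem(secrets.token_bytes(32))
    mds.users["USER_TT"] = {"A": "USER_A", "B": "USER_B", "C": "USER_C"}  # Table 1
    a = ServiceSystem("A", mds, [], {"USER_A": "pw-a"})
    b = ServiceSystem("B", mds, ["A"], {"USER_B": "pw-b"})
    c = ServiceSystem("C", mds, ["B"], {"USER_C": "pw-c"})
    out = {}
    out["a"], first_info = a.login_local("USER_A", "pw-a", now)     # third request at A
    out["b"], second_info = b.login_with_info(first_info, now + 1)  # first request at B
    out["c"], _ = c.login_with_info(second_info, now + 2)           # fourth request at C
    tampered = first_info[:10] + ("A" if first_info[10] != "A" else "B") + first_info[11:]
    out["tampered"], _ = b.login_with_info(tampered, now + 3)
    out["expired"], _ = b.login_with_info(first_info, now + TOKEN_TTL)
    mds.logout(first_info)  # user U exits service system A
    out["after_logout"], _ = b.login_with_info(first_info, now + 4)
    out["second_request"], _ = b.login_local("USER_B", "pw-b", now + 5)  # B's own policy
    out["active_records"] = sum(r["status"] == "success" for r in mds.records.values())
    return out
```

Running run_flow() exercises the failure paths the description relies on: a sealed blob that does not match a stored record, a first token whose validity period has ended, or a record marked unauthenticated after the user exits service system A all produce a failing return result at B, after which the terminal's second authentication request is handled by B's own policy and yields a fresh record and third encryption information. The service systems never parse the blob themselves; only the main data system holds the key, which is what makes the blob safe to hand to the terminal.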
For a user to log out of the system: for example, when the user U exits the service system a, after the service system a updates the user authentication state, a message is sent to notify the main data system that the updated user authentication state is "unauthenticated"; and after the main data system receives the user U quit authentication sent by the service system A, the authentication record of the user U in the main data system can be deleted, or the authentication record of the user U in the main data system is updated to be 'unauthenticated'.
Validity period management for tokens: there are two modes of token validity management. In the active mode, the service system actively reports the user authentication state to the main data system before the token's expiry date; in the passive mode, the main data system sends a notification message to the service system when the token is about to expire and queries the user authentication state. The two modes work as follows:
as shown in fig. 7, active mode: and the user U finishes user authentication when the service system B acquires second encryption information returned by the main data system, the service system B can actively inform the main data system of the user authentication state before the expiration date of the second token, and when the user authentication continues to be effective and the main data system receives the user authentication state reported by the service system B and is effective, the effectiveness of the second token is prolonged.
As shown in fig. 8, passive mode: when the main data system detects that the second token of the service system B is about to fail, the main data system can also actively send a notification message to the service system B, after the service system B receives the message that the second token is about to fail, if the user authentication continues to be valid, the service system B sends a message for prolonging the validity of the second token to the main data system, and if the user authentication is failed, the service system directly returns to fail.
In addition, after the token in the main data system is invalid, the corresponding authentication state can be updated to be an 'unauthenticated' state; when the user state is not authenticated for a certain service system in the main data system, the encrypted information forwarded by the service system is not analyzed, and the authentication failure is directly returned.
According to the authentication method, unified authentication of users of multiple systems can be achieved under the mode of keeping the user authentication modules of all service systems. The user authentication module independent of each service system is reserved to realize the user authentication of a single service system, and meanwhile, when a user accesses another system again after finishing authentication in a certain system, the system does not need to authenticate again to realize the unified authentication service requirement.
Besides, an independent main data system is established outside each service system, the user information and the user login state of each service system are stored through the main data system, and a user can log in other systems only by completing the user authentication of one service system of a plurality of service systems without remembering a large number of accounts and passwords. The user authentication works in each service system to authenticate independently, and the authentication result is synchronized to the main data system, so that when one user completes authentication in one system and accesses the other system again, the system does not need to authenticate again. The user authentication work is independently authenticated in each service system, uniform authentication is not completed in the main data system, only the authentication result is synchronized to the main data system, and each service system can independently and normally work when the main data system is abnormal. The user authentication result mutual-authentication rule control of the service systems is determined by each service system, and the main data system stores and manages the authentication result, so that the independence of user authority management of each service system is ensured, and the complexity of the main data service is also reduced. The main data and service system can carry out validity period management on the token, and effective management of the user login state is ensured. The system authentication reliability can be enhanced, the system bottleneck caused by only one unified authentication module is avoided, and the authentication performance is improved.
An embodiment of the present invention further provides a first service device, including: the processor, the memory, and the program stored in the memory and capable of running on the processor, when executed by the processor, implement the processes of the above-described authentication method embodiment applied to the first service device, and can achieve the same technical effects, and in order to avoid repetition, details are not described here again.
Specifically, referring to fig. 9, an embodiment of the present invention further provides a first service device, which includes a bus 901, a transceiver 902, an antenna 903, a bus interface 904, a processor 905, and a memory 906.
The transceiver 902 is configured to receive a first authentication request sent by a terminal device, where the first authentication request is used to request login authentication of a first service system corresponding to a first service device;
a transceiver 902, configured to send a first authentication query request to the second service device when the first authentication request includes first authentication information associated with the second service system, where the first authentication query request includes the first authentication information;
the transceiver 902 is configured to receive the first return result that the second service device queries and sends based on the first authentication information and the authentication record;
and the transceiver 902 is configured to send a first authentication passing message to the terminal device if the first returned result indicates that the authentication status of the second service system is successful and it is determined that the authentication status of the second service system is verified.
In one embodiment, the transceiver 902 is configured to send, to the second service device, a first authentication success result of the first service system for the first user identifier if the first return result indicates that the authentication status of the second service system is authentication success and it is determined that the authentication status of the second service system passes verification;
the transceiver 902 is configured to receive second authentication information associated with the first service system and sent by the second service device based on the first authentication success result, where the second authentication information is associated with the first user identifier and includes a target user identifier and a system identifier of the first service system, the first authentication information is associated with the second user identifier and includes the target user identifier and the system identifier of the second service system, both the first user identifier and the second user identifier are associated with the target user identifier, the first user identifier is a user identifier of the target user identifier in the first service system, and the second user identifier is a user identifier of the target user identifier in the second service system;
the transceiver 902 is configured to send a first authentication passing message to the terminal device, where the first authentication passing message includes a first authentication success result and second authentication information.
In one embodiment, the first return result includes the first user identifier, the system identifier of the second service system, and the authentication status of the second service system for the first user identifier;
the authentication status of the second service system is the authentication status of the second service system for the first user identifier.
In one embodiment, the first authentication information includes a first token having a first validity period;
receiving the first return result that the second service device queries and sends based on the first authentication information and the authentication record includes:
receiving a first return result that the second service device queries based on the first authentication information and the authentication record and sends when the first token is valid, the first return result indicating that the authentication status of the second service system is authentication success.
In one embodiment, the second authentication information includes a second token having a second validity period;
after receiving the second authentication information associated with the first service system and sent by the second service device based on the first authentication success result, at least one of the following is performed:
a processor 905 configured to extend the second validity period of the second token based on a first validity extension notification sent by the second service device;
a transceiver 902 configured to send a validity extension request message to the second service device, the validity extension request message being used to request the second service device to extend the validity period of the second token.
In one embodiment, the transceiver 902 is configured to, after receiving the second authentication information associated with the first service system and sent by the second service device based on the first authentication success result, send a first notification to the second service device when the time difference between the current time of the first service device and the end time of the second validity period of the second token is less than a preset time length, where the first notification is used to notify that the first user identifier is in the authenticated state in the first service system;
a transceiver 902 configured to receive a first validity extension notification sent by the second service device based on the first notification;
a processor 905 configured to extend the second validity period of the second token based on the first validity extension notification.
In one embodiment, the transceiver 902 is configured to, after receiving the second authentication information associated with the first service system and sent by the second service device based on the first authentication success result, receive a second notification that the second service device sends when it detects that the time difference between the current time of the second service device and the end time of the second validity period of the second token is less than a preset time length, where the second notification is used to notify that the second token is about to expire;
a transceiver 902 configured to send a validity extension request message to the second service device, for requesting that the second service device extend the validity period of the second token, if the first user identifier is in a valid authenticated state in the first service system.
In an embodiment, the transceiver 902 is configured to, after receiving the first return result that the second service device queries and sends based on the first authentication information and the authentication record, send an authentication failure result associated with the first service system to the terminal device if the first return result indicates that the authentication state of the second service system is authentication failure, or if the first return result indicates that the authentication state of the second service system is authentication success but verification of that authentication state is determined to have failed.
In an embodiment, the transceiver 902 is configured to receive a second authentication request sent by the terminal device after sending an authentication failure result associated with the first service system to the terminal device, where the second authentication request is used to request login authentication for the first service system, and the second authentication request includes the first user identifier;
a transceiver 902, configured to send, in a case that login authentication for the first user identifier is successful in response to the second authentication request, first authentication data to the second service device, where the first authentication data includes a second authentication success result associated with the first service system and the first user identifier;
a transceiver 902, configured to receive third authentication information associated with the first service system and sent by the second service device based on the first authentication data, where the third authentication information is associated with the first user identifier and includes a target user identifier and a system identifier of the first service system, and the target user identifier is associated with the first user identifier;
the transceiver 902 is configured to send a second authentication passing message to the terminal device, where the second authentication passing message includes a second authentication success result and third authentication information.
In fig. 9, the bus architecture is represented by the bus 901. The bus 901 may comprise any number of interconnected buses and bridges and links together various circuits, including one or more processors, represented by the processor 905, and memory, represented by the memory 906. The bus 901 may also link together various other circuits such as peripherals, voltage regulators, power management circuits, and the like, which are well known in the art and therefore will not be described any further herein. A bus interface 904 provides an interface between the bus 901 and the transceiver 902. The transceiver 902 may be one element or multiple elements, such as multiple receivers and transmitters, providing a means for communicating with various other apparatus over a transmission medium. Data processed by the processor 905 is transmitted over a wireless medium via the antenna 903; further, the antenna 903 receives data and transmits it to the processor 905.
The processor 905 is responsible for managing the bus 901 and general processing, and may also provide various functions including timing, peripheral interfaces, voltage regulation, power management, and other control functions. The memory 906 may be used to store data used by the processor 905 in performing operations.
Optionally, the processor 905 may be a CPU, ASIC, FPGA or CPLD.
An embodiment of the present invention further provides a computer-readable storage medium, where a computer program is stored on the computer-readable storage medium, and when executed by a processor, the computer program implements the processes of the authentication method applied to the first service device, and can achieve the same technical effects, and in order to avoid repetition, the descriptions are omitted here. The computer readable storage medium may include ROM, RAM, magnetic or optical disk, etc.
An embodiment of the present invention further provides a second service device, including a processor, a memory, and a program stored in the memory and capable of running on the processor; when executed by the processor, the program implements the processes of the above-described authentication method embodiment applied to the second service device and can achieve the same technical effects, which are not described here again in order to avoid repetition.
Specifically, referring to fig. 10, the embodiment of the present invention further provides a second service device, which includes a bus 1001, a transceiver 1002, an antenna 1003, a bus interface 1004, a processor 1005, and a memory 1006.
The transceiver 1002 is configured to receive a first authentication query request sent by a first service device when receiving a first authentication request sent by a terminal device, where the first authentication query request includes first authentication information associated with a second service system, and the first authentication request is used to request login authentication for a first service system corresponding to the first service device;
the transceiver 1002 is configured to query based on the first authentication information and the authentication record, and to send a first return result corresponding to the first authentication query request to the first service device;
where the first return result is used by the first service device to send a first authentication passing message to the terminal device when the first return result indicates that the authentication state of the second service system is authentication success and that authentication state is verified.
In an embodiment, the processor 1005 is configured to, after the query based on the first authentication information and the authentication record is performed and the first return result corresponding to the first authentication query request is sent to the first service device, create an authentication record that is associated with the first service system and whose authentication state is authentication success, upon receiving a first authentication success result sent by the first service device;
a transceiver 1002, configured to send second authentication information associated with the first service system to the first service device.
In one embodiment, querying based on the first authentication information and the authentication record, and sending a first return result corresponding to the first authentication query request to the first service device, includes:
if a target authentication record is found among the authentication records whose authentication state is authentication success, sending the first service device a first return result indicating that the authentication state of the second service system is authentication success, where the target authentication record is an authentication record whose authentication state is authentication success and which includes the first authentication information.
In one embodiment, querying based on the first authentication information and the authentication record, and sending a first return result corresponding to the first authentication query request to the first service device, includes:
if no target authentication record is found among the authentication records whose authentication state is authentication success, sending the first service device a first return result indicating that the authentication state of the second service system is authentication failure, where the target authentication record is an authentication record whose authentication state is authentication success and which includes the first authentication information.
In an embodiment, the transceiver 1002 is configured to, after sending the first service device a first return result indicating that the authentication state of the second service system is authentication failure because no target authentication record was found among the successfully authenticated records, receive first authentication data sent by the first service device, where the first authentication data includes a second authentication success result associated with the first service system and a first user identifier;
a processor 1005 configured to create, based on the first authentication data, an authentication record that is associated with the first service system and whose authentication state is authentication success;
the transceiver 1002 is configured to send third authentication information associated with the first service system to the first service device, where the third authentication information is associated with the first user identifier and includes a target user identifier and a system identifier of the first service system, and the target user identifier is associated with the first user identifier.
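The exchange described for the first service device (transceiver 902 and processor 905 above) and the second service device (transceiver 1002 and processor 1005), simulated end to end as an added example that is not code from the patent: the query against the authentication records, the first return result, creation of the new record with the second token, and the validity extension near the end of the second validity period. The class names, the user mapping, the HMAC tag on the token and the modelling of "the authentication state is verified" as a local account check are all assumptions; the patent specifies fields and message order but no data structures.

```python
from dataclasses import dataclass
import hashlib
import hmac
import secrets


@dataclass
class Token:
    """Authentication information: target user id + system id + validity period (HMAC tag is assumed)."""
    target_user_id: str
    system_id: str
    token_id: str
    expires_at: int  # end of the validity period, in seconds
    tag: str


class SecondServiceDevice:
    PRESET_LEN = 60  # preset time length before expiry at which extension is offered

    def __init__(self, key: bytes, validity: int = 300, user_map=None):
        self.key, self.validity = key, validity
        self.user_map = user_map or {}  # target_user_id -> {system_id: user_id} (assumed)
        self.records = {}  # token_id -> (system_id, user_id, state): the authentication records
        self.tokens = {}   # token_id -> Token

    def _tag(self, fields) -> str:
        return hmac.new(self.key, "|".join(map(str, fields)).encode(), hashlib.sha256).hexdigest()

    def issue(self, target_user_id: str, system_id: str, now: int) -> Token:
        """Create a successful authentication record for system_id and return its token."""
        tid, exp = secrets.token_hex(8), now + self.validity
        tok = Token(target_user_id, system_id, tid, exp, self._tag((target_user_id, system_id, tid, exp)))
        self.tokens[tid] = tok
        self.records[tid] = (system_id, self.user_map[target_user_id][system_id], "success")
        return tok

    def query(self, info: Token, first_system_id: str, now: int) -> dict:
        """First authentication query request -> first return result."""
        genuine = hmac.compare_digest(
            self._tag((info.target_user_id, info.system_id, info.token_id, info.expires_at)), info.tag)
        rec = self.records.get(info.token_id)
        hit = rec is not None and rec[0] == info.system_id and rec[2] == "success"
        first_user_id = self.user_map.get(info.target_user_id, {}).get(first_system_id)
        # Success only for a genuine, still-valid token backed by a successful record
        ok = genuine and hit and now < info.expires_at and first_user_id is not None
        return {"user_id": first_user_id, "system_id": info.system_id, "state": "success" if ok else "failure"}

    def on_success_result(self, first_system_id: str, first_user_id: str, now: int) -> Token:
        # First authentication success result -> new record plus second authentication information
        target = next(t for t, m in self.user_map.items() if m.get(first_system_id) == first_user_id)
        return self.issue(target, first_system_id, now)

    def expiring(self, token_id: str, now: int) -> bool:
        # Condition for the second notification: the token ends within PRESET_LEN seconds
        return 0 <= self.tokens[token_id].expires_at - now < self.PRESET_LEN

    def extend(self, token_id: str, now: int):
        """Validity extension request: refused once the token has already expired."""
        tok = self.tokens[token_id]
        if now >= tok.expires_at:
            return None
        tok.expires_at = now + self.validity
        tok.tag = self._tag((tok.target_user_id, tok.system_id, tok.token_id, tok.expires_at))
        return tok


class FirstServiceDevice:
    SYSTEM_ID = "sysA"

    def __init__(self, second: SecondServiceDevice, second_system_id: str, local_users: set):
        self.second, self.second_system_id, self.local_users = second, second_system_id, local_users
        self.sessions = {}  # first_user_id -> second token

    def handle_first_auth_request(self, request: dict, now: int) -> dict:
        info = request.get("auth_info")
        if info is None or info.system_id != self.second_system_id:
            return {"result": "failure"}  # no usable first authentication information
        ret = self.second.query(info, self.SYSTEM_ID, now)
        # "Authentication state is verified" is modelled (assumption) as: returned user id is known locally
        if ret["state"] != "success" or ret["user_id"] not in self.local_users:
            return {"result": "failure"}
        tok = self.second.on_success_result(self.SYSTEM_ID, ret["user_id"], now)
        self.sessions[ret["user_id"]] = tok  # shared object, so an extension is seen here too
        return {"result": "pass", "user_id": ret["user_id"], "auth_info": tok}

    def on_second_notification(self, first_user_id: str, now: int):
        """Second token about to expire: request extension only while the user is still authenticated."""
        tok = self.sessions.get(first_user_id)
        if tok is None or now >= tok.expires_at:
            return None
        return self.second.extend(tok.token_id, now)


def demo() -> dict:
    """Constructed scenario: a user already logged in to system B signs in to system A."""
    second = SecondServiceDevice(b"constructed-demo-key",
                                 user_map={"target-42": {"sysA": "alice@A", "sysB": "alice@B"}})
    first = FirstServiceDevice(second, "sysB", local_users={"alice@A"})
    t0 = 1_000_000
    info = second.issue("target-42", "sysB", t0)  # earlier login to system B
    ok = first.handle_first_auth_request({"auth_info": info}, t0 + 10)
    forged = Token(info.target_user_id, "sysB", info.token_id, info.expires_at + 9999, info.tag)
    bad = first.handle_first_auth_request({"auth_info": forged}, t0 + 10)  # tampered validity period
    late = first.handle_first_auth_request({"auth_info": info}, t0 + 301)  # first token expired
    return {"first": first, "second": second, "ok": ok, "bad": bad, "late": late, "t0": t0}
```

A tampered or expired first token never reaches the record-creation step, and an extension is only granted while the second token is still within its validity period.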
In fig. 10, the bus architecture is represented by the bus 1001. The bus 1001 may include any number of interconnected buses and bridges and links together various circuits, including one or more processors, represented by the processor 1005, and memory, represented by the memory 1006. The bus 1001 may also link together various other circuits such as peripherals, voltage regulators, power management circuits, and the like, which are well known in the art and therefore will not be described any further herein. A bus interface 1004 provides an interface between the bus 1001 and the transceiver 1002. The transceiver 1002 may be one element or multiple elements, such as multiple receivers and transmitters, providing a means for communicating with various other apparatus over a transmission medium. Data processed by the processor 1005 is transmitted over a wireless medium via the antenna 1003; further, the antenna 1003 receives data and transmits it to the processor 1005.
Alternatively, the processor 1005 may be a CPU, ASIC, FPGA or CPLD.
An embodiment of the present invention further provides a computer-readable storage medium, where a computer program is stored on the computer-readable storage medium, and when executed by a processor, the computer program implements each process of the authentication method applied to the second service device, and can achieve the same technical effect, and is not described herein again to avoid repetition. The computer readable storage medium is, for example, ROM, RAM, magnetic disk or optical disk.
An embodiment of the present invention further provides a terminal device, including a processor, a memory, and a program stored in the memory and capable of running on the processor; when the program is executed by the processor, the processes of the authentication method embodiment applied to the terminal device are implemented and the same technical effects can be achieved.
Specifically, referring to fig. 11, an embodiment of the present invention further provides a terminal device, which includes a bus 1101, a transceiver 1102, an antenna 1103, a bus interface 1104, a processor 1105, and a memory 1106.
The transceiver 1102 is configured to report first information to a network device;
the transceiver 1102 is configured to send a first authentication request to a first service device, where the first authentication request is used to request login authentication of a first service system corresponding to the first service device;
a transceiver 1102, configured to receive a first authentication passing message sent by the first service device based on the first authentication request;
where the first authentication passing message is a message that the first service device sends to the terminal device when a first return result indicates that the authentication state of the second service system is authentication success and that authentication state is verified; the first return result is a result that the second service device sends to the first service device after querying based on the authentication record and the first authentication information in a first authentication query request sent by the first service device; and the first authentication query request is a request that the first service device sends to the second service device when the first authentication request includes first authentication information associated with the second service system.
In an embodiment, the transceiver 1102 is configured to send a third authentication request to a third service device corresponding to the second service system before sending the first authentication request to the first service device, where the third authentication request is used to request login authentication for the second service system, and the third authentication request includes the second user identifier;
a transceiver 1102, configured to receive a third authentication passing message sent by the third service device based on the third authentication request, where the third authentication passing message includes a third authentication success result and the first authentication information;
where the third authentication passing message is a message that the third service device sends to the terminal device after the third service device, in response to the third authentication request and upon successful login authentication of the second user identifier, sends second authentication data to the second service device and receives the first authentication information sent by the second service device based on the second authentication data; the second authentication data includes a third authentication success result associated with the second service system and the second user identifier.
In fig. 11, the bus architecture is represented by the bus 1101. The bus 1101 may include any number of interconnecting buses and bridges and links together various circuits, including one or more processors, represented by the processor 1105, and memory, represented by the memory 1106. The bus 1101 may also link together various other circuits such as peripherals, voltage regulators, power management circuits, and the like, which are well known in the art and therefore will not be described any further herein. A bus interface 1104 provides an interface between the bus 1101 and the transceiver 1102. The transceiver 1102 may be one element or multiple elements, such as multiple receivers and transmitters, providing a means for communicating with various other apparatus over a transmission medium. Data processed by the processor 1105 is transmitted over a wireless medium via the antenna 1103; further, the antenna 1103 receives data and transmits it to the processor 1105.
Alternatively, the processor 1105 may be a CPU, ASIC, FPGA, or CPLD.
The embodiment of the present invention further provides a computer-readable storage medium, where a computer program is stored on the computer-readable storage medium, and when the computer program is executed by a processor, it implements the processes of the authentication method applied to the terminal device and can achieve the same technical effects, which are not described here again in order to avoid repetition. The computer-readable storage medium may be a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
Through the above description of the embodiments, those skilled in the art will clearly understand that the method of the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but in many cases, the former is a better implementation manner. Based on such understanding, the technical solutions of the present invention may be embodied in the form of a software product, which is stored in a storage medium (such as ROM/RAM, magnetic disk, optical disk) and includes instructions for enabling a terminal (such as a mobile phone, a computer, a server, an air conditioner, or a network device) to execute the method according to the embodiments of the present invention.
While the present invention has been described with reference to the embodiments shown in the drawings, the present invention is not limited to the embodiments, which are illustrative and not restrictive, and it will be apparent to those skilled in the art that various changes and modifications can be made therein without departing from the spirit and scope of the invention as defined in the appended claims.
Claims (15)
1. An authentication method applied to a first service device, the method comprising:
receiving a first authentication request sent by a terminal device, wherein the first authentication request is used for requesting login authentication of a first service system corresponding to the first service device;
when the first authentication request includes first authentication information associated with a second service system, sending a first authentication query request to a second service device, wherein the first authentication query request includes the first authentication information;
receiving a first return result that the second service device queries and sends based on the first authentication information and an authentication record;
when the first return result indicates that the authentication state of the second service system is authentication success and the authentication state of the second service system is verified, sending a first authentication passing message to the terminal device;
wherein sending the first authentication passing message to the terminal device when the first return result indicates that the authentication state of the second service system is authentication success and the authentication state of the second service system is verified comprises:
when the first return result indicates that the authentication state of the second service system is authentication success and the authentication state of the second service system is verified, sending a first authentication success result of the first service system for the first user identifier to the second service device;
receiving second authentication information associated with the first service system and sent by the second service device based on the first authentication success result;
and sending the first authentication passing message to the terminal device, wherein the first authentication passing message comprises the first authentication success result and the second authentication information.
2. The method according to claim 1, wherein the second authentication information is associated with the first user identifier and includes a target user identifier and a system identifier of the first service system, the first authentication information is associated with a second user identifier and includes the target user identifier and a system identifier of the second service system, the first user identifier and the second user identifier are both associated with the target user identifier, the first user identifier is the user identifier of the target user identifier in the first service system, and the second user identifier is the user identifier of the target user identifier in the second service system.
3. The method according to claim 2, wherein the first return result includes the first user identifier, the system identifier of the second service system, and the authentication state of the second service system for the first user identifier;
and the authentication state of the second service system is the authentication state of the second service system for the first user identifier.
4. The method according to any of claims 1-3, wherein the first authentication information comprises a first token having a first validity period;
the receiving of the first return result that the second service device queries and sends based on the first authentication information and the authentication record includes:
receiving a first return result that the second service device, after querying based on the first authentication information and the authentication record, sends only when the first token is valid, wherein the first return result indicates that the authentication state of the second service system is authentication success.
5. The method of claim 2, wherein the second authentication information comprises a second token having a second validity period;
after the receiving of the second authentication information associated with the first service system and sent by the second service device based on the first authentication success result, the method further includes at least one of:
extending the second validity period of the second token based on a first validity extension notification sent by the second service device;
sending a validity extension request message to the second service device, wherein the validity extension request message is used to request that the second service device extend the validity period of the second token.
6. The method according to claim 1, wherein after receiving the first return result that the second service device queries and sends based on the first authentication information and the authentication record, the method further comprises:
sending an authentication failure result associated with the first service system to the terminal device when the first return result indicates that the authentication state of the second service system is authentication failure, or when the first return result indicates that the authentication state of the second service system is authentication success but verification of the authentication state of the second service system is determined to have failed.
7. The method of claim 6, wherein after sending the authentication failure result associated with the first service system to the terminal device, the method further comprises:
receiving a second authentication request sent by the terminal device, wherein the second authentication request is used to request login authentication for the first service system, and the second authentication request comprises a first user identifier;
when login authentication of the first user identifier in response to the second authentication request is successful, sending first authentication data to the second service device, wherein the first authentication data comprises a second authentication success result associated with the first service system and the first user identifier;
receiving third authentication information associated with the first service system and sent by the second service device based on the first authentication data, wherein the third authentication information is associated with the first user identifier and comprises a target user identifier and a system identifier of the first service system, and the target user identifier is associated with the first user identifier;
and sending a second authentication passing message to the terminal device, wherein the second authentication passing message comprises the second authentication success result and the third authentication information.
8. An authentication method applied to a second service device, the method comprising:
receiving a first authentication query request sent by a first service device under the condition of receiving a first authentication request sent by a terminal device, wherein the first authentication query request comprises first authentication information associated with a second service system, and the first authentication request is used for requesting login authentication of the first service system corresponding to the first service device;
querying based on the first authentication information and an authentication record, and sending a first return result corresponding to the first authentication query request to the first service device;
wherein the first return result is used by the first service device to send a first authentication passing message to the terminal device when the first return result indicates that the authentication state of the second service system is authentication success and the authentication state of the second service system is verified;
after the querying is performed based on the first authentication information and the authentication record and the first return result corresponding to the first authentication query request is sent to the first service device, the method further includes:
when a first authentication success result sent by the first service device is received, creating an authentication record that is associated with the first service system and whose authentication state is authentication success;
and sending second authentication information associated with the first service system to the first service device.
9. The method according to claim 8, wherein the querying based on the first authentication information and the authentication record, and sending a first return result corresponding to the first authentication query request to the first service device includes:
sending the first return result to the first service device when a target authentication record is found among the authentication records whose authentication state is authentication success, wherein the first return result indicates that the authentication state of the second service system is authentication success, and the target authentication record is an authentication record whose authentication state is authentication success and which comprises the first authentication information; or
when no target authentication record is found among the authentication records whose authentication state is authentication success, sending the first service device a first return result indicating that the authentication state of the second service system is authentication failure, wherein the target authentication record is an authentication record whose authentication state is authentication success and which comprises the first authentication information.
10. The method according to claim 9, wherein after sending the first service device a first return result indicating that the authentication state of the second service system is authentication failure because no target authentication record was found among the successfully authenticated records, the method further comprises:
receiving first authentication data sent by the first service device, wherein the first authentication data comprises a second authentication success result associated with the first service system and a first user identifier;
creating, based on the first authentication data, an authentication record that is associated with the first service system and whose authentication state is authentication success;
and sending third authentication information associated with the first service system to the first service device, wherein the third authentication information is associated with the first user identifier and comprises a target user identifier and a system identifier of the first service system, and the target user identifier is associated with the first user identifier.
11. An authentication method, which is applied to a terminal device, includes:
sending a first authentication request to a first service device, wherein the first authentication request is used for requesting login authentication of a first service system corresponding to the first service device;
receiving a first authentication passing message sent by the first service equipment based on the first authentication request;
wherein the first authentication passing message is a message that the first service device sends to the terminal device when a first return result indicates that the authentication state of the second service system is authentication success and the authentication state of the second service system is verified; the first return result is a result that the second service device sends to the first service device after querying based on an authentication record and the first authentication information in a first authentication query request sent by the first service device; and the first authentication query request is a request that the first service device sends to the second service device when the first authentication request comprises first authentication information associated with the second service system;
wherein the first authentication passing message is a message that the first service device sends to the terminal device after the first service device, when the first return result indicates that the authentication state of the second service system is authentication success and the authentication state of the second service system is verified, sends a first authentication success result to the second service device and receives the second authentication information associated with the first service system sent by the second service device, and the first authentication passing message comprises the first authentication success result and the second authentication information.
12. A first service device comprising a transceiver and a processor,
the transceiver is configured to receive a first authentication request sent by a terminal device, where the first authentication request is used to request login authentication for a first service system corresponding to the first service device;
the transceiver is configured to send a first authentication query request to a second service device when the first authentication request includes first authentication information associated with a second service system, where the first authentication query request includes the first authentication information;
the transceiver is configured to receive a first return result sent by the second service device after it performs a query based on the first authentication information and an authentication record;
the transceiver is configured to send a first authentication passing message to the terminal device when the first returned result indicates that the authentication state of the second service system is successful and it is determined that the authentication state of the second service system is verified;
the transceiver is further configured to send a first authentication success result of the first service system for the first subscriber identity to the second service device when the first returned result indicates that the authentication state of the second service system is successful and it is determined that the authentication state of the second service system passes verification;
the transceiver is further configured to receive second authentication information associated with the first service system, which is sent by the second service device based on the first authentication success result;
the transceiver is further configured to send a first authentication passing message to the terminal device, where the first authentication passing message includes a first authentication success result and second authentication information.
13. A second service device, comprising a transceiver and a processor, wherein the transceiver is connected to the processor,
the transceiver is configured to receive a first authentication query request sent by a first service device when receiving a first authentication request sent by a terminal device, where the first authentication query request includes first authentication information associated with a second service system, and the first authentication request is used to request login authentication for a first service system corresponding to the first service device;
the transceiver is configured to query based on the first authentication information and an authentication record, and send a first return result corresponding to the first authentication query request to the first service device;
the first return result is used for the first service device to send a first authentication passing message to the terminal device when the first return result indicates that the authentication state of the second service system is successful and the authentication state of the second service system is verified;
the processor is configured to perform the query based on the first authentication information and the authentication record and, after the first return result corresponding to the first authentication query request has been sent to the first service device, to create an authentication record associated with the first service system whose authentication state is successful upon receiving a first authentication success result sent by the first service device;
the transceiver is further configured to send second authentication information associated with the first service system to the first service device.
14. A terminal device, comprising a transceiver and a processor,
the transceiver is configured to send a first authentication request to a first service device, where the first authentication request is used to request login authentication of a first service system corresponding to the first service device;
the transceiver is configured to receive a first authentication passing message sent by the first service device based on the first authentication request;
the first authentication passing message is a message sent to the terminal device by the first service device under the condition that a first returned result shows that the authentication state of the second service system is successful in authentication and the authentication state of the second service system is verified, the first returned result is a result sent to the first service device by the second service device by inquiring based on an authentication record and first authentication information in a first authentication inquiry request sent by the first service device, and the first authentication inquiry request is a request sent to the second service device by the first service device under the condition that the first authentication request comprises first authentication information associated with the second service system;
the first authentication passing message is a message sent to the terminal device by the first service device after the first returned result shows that the authentication state of the second service system is successful and the authentication state of the second service system is verified, after the first service device has sent a first authentication success result of the first service system to the second service device and has received second authentication information associated with the first service system sent by the second service device based on the first authentication success result, and the first authentication passing message comprises the first authentication success result and the second authentication information.
15. A computer-readable storage medium having stored thereon a computer program which, when executed by a processor, carries out the steps of the method of any one of claims 1 to 7, or carries out the steps of the method of any one of claims 8 to 10, or carries out the steps of the method of claim 11.
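The exchange of claims 12 to 14 (terminal request, query to the second service device, verification of the returned authentication state, creation of a record for the first service system and return of second authentication information) as an added simulation that is not part of the patent. The class names, the token format and the expiry-based "verified" check are assumptions; the patent does not specify how the authentication state is verified.

```python
import secrets
import time

# Added simulation of the claim 12 to 14 exchange; class names, the token
# format and the expiry-based verification are assumptions, not the patent's.

class SecondServiceDevice:
    """Keeps authentication records keyed by the authentication information it issued."""

    def __init__(self):
        self.records = {}  # token -> {"system", "state", "expires"}

    def issue(self, system, lifetime=300):
        """Record a successful authentication for `system` and return its token."""
        token = secrets.token_hex(8)
        self.records[token] = {"system": system, "state": "success",
                               "expires": time.time() + lifetime}
        return token

    def handle_query(self, query):
        """First authentication query request -> first return result (claim 13)."""
        rec = self.records.get(query["first_authentication_information"])
        if rec is None:
            return {"state": "unknown"}
        return {"state": rec["state"], "expires": rec["expires"]}

    def handle_success_result(self, result):
        """Create a record for the first service system and hand back second info."""
        return {"second_authentication_information": self.issue(result["system"])}


class FirstServiceDevice:
    def __init__(self, system, second):
        self.system, self.second = system, second

    def handle_authentication_request(self, request):
        """First authentication request -> first authentication passing message (claim 12)."""
        token = request.get("first_authentication_information")
        if token is None:
            return {"type": "authentication_failed", "reason": "no_second_system_info"}
        result = self.second.handle_query({"first_authentication_information": token})
        # Pass only if the state is successful AND verified; here "verified"
        # means the second system's record has not expired (assumed check).
        if result["state"] != "success" or result.get("expires", 0) < time.time():
            return {"type": "authentication_failed", "reason": "state_not_verified"}
        success = {"system": self.system, "subscriber": request["subscriber"],
                   "state": "success"}
        second_info = self.second.handle_success_result(success)
        return {"type": "authentication_passed",
                "first_authentication_success_result": success, **second_info}
```

A stale or unknown token from the second system yields a failure message rather than a passing message, which is the check a defender would insist on before issuing credentials for the first system.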
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110921878.9A CN113378153B (en) | 2021-08-12 | 2021-08-12 | Authentication method, first service device, second service device and terminal device |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110921878.9A CN113378153B (en) | 2021-08-12 | 2021-08-12 | Authentication method, first service device, second service device and terminal device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN113378153A (en) | 2021-09-10 |
CN113378153B (en) | 2021-11-19 |
Family
ID=77576805
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202110921878.9A Active CN113378153B (en) | 2021-08-12 | 2021-08-12 | Authentication method, first service device, second service device and terminal device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN113378153B (en) |
Families Citing this family (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN116361753B (en) * | 2023-03-17 | 2024-03-22 | 深圳市东信时代信息技术有限公司 | Authority authentication method, device, equipment and medium |
CN117544378A (en) * | 2023-11-21 | 2024-02-09 | 广州方舟信息科技有限公司 | Authorization management method, device, equipment and storage medium |
Family Cites Families (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7188254B2 (en) * | 2003-08-20 | 2007-03-06 | Microsoft Corporation | Peer-to-peer authorization method |
US9130935B2 (en) * | 2011-05-05 | 2015-09-08 | Good Technology Corporation | System and method for providing access credentials |
CN110324276B (en) * | 2018-03-28 | 2022-01-07 | 腾讯科技(深圳)有限公司 | Method, system, terminal and electronic device for logging in application |
CN110519761B (en) * | 2019-08-12 | 2022-09-09 | 深圳市优克联新技术有限公司 | User identity identification card verification method and device, electronic equipment and storage medium |
CN111062024B (en) * | 2019-11-25 | 2022-07-19 | 泰康保险集团股份有限公司 | Application login method and device |
CN112738021B (en) * | 2020-12-02 | 2023-10-24 | 海能达通信股份有限公司 | Single sign-on method, terminal, application server, authentication server and medium |
CN113055185A (en) * | 2021-03-24 | 2021-06-29 | 的卢技术有限公司 | Token-based authentication method and device, storage medium and electronic device |
CN113132402B (en) * | 2021-04-27 | 2022-08-30 | 奇安信科技集团股份有限公司 | Single sign-on method and system |
Also Published As
Publication number | Publication date |
---|---|
CN113378153A (en) | 2021-09-10 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||