Disclosure of Invention
The invention provides a method, equipment and a system for processing authorization, which are used for solving the technical problem that multiple times of authorization of a resource owner to which resource information belongs are required when multiple users access the resource information.
In a first aspect, the present invention provides an authorization method, including: receiving an authorization request sent by a first user through a first client, wherein the authorization request comprises a user Identification (ID) of the first user and an identification of a resource requested to be accessed; determining group information of a group to which the first user belongs according to the user ID of the first user; determining that the group has obtained the authorization of the resource owner corresponding to the identifier of the resource according to the stored authorization record; and generating a first access token and sending the first access token to the first client.
With reference to the first aspect, in a first possible implementation manner of the first aspect, the determining, according to the user ID of the first user, group information of a group to which the first user belongs specifically is: sending a group query message containing the user ID of the first user to a group server; and receiving a group confirmation message returned by the group server, wherein the group confirmation message comprises group information to which the first user belongs, and the group information comprises a group identifier of a group to which the first user belongs.
With reference to the first aspect, in a second possible implementation manner of the first aspect, the determining, according to the user ID of the first user, group information of a group to which the first user belongs specifically is: inquiring a locally stored group database, wherein the group database comprises stored group identification and corresponding group member information; and determining the group identification of the group to which the first user belongs according to the user ID of the first user.
With reference to the first aspect, or the first possible implementation manner of the first aspect, or the second possible implementation manner of the first aspect, in a third possible implementation manner of the first aspect, before the receiving an authorization request sent by a first user through a first client, the method further includes: receiving an authorization request sent by a second user through a second client, wherein the authorization request comprises a user ID of the second user and an identifier of the resource; determining that the second user belongs to the group according to the user ID of the second user; determining that the group is not authorized by the resource owner; sending an authentication request to the resource owner, the authentication request including the group information; receiving an authentication response returned by the resource owner, wherein the authentication response comprises indication information that the resource owner agrees to authorize the group; storing an authorization record of the access authority of the resource corresponding to the identifier of the resource obtained by the group; and generating a second access token and sending the second access token to the second client.
With reference to the first aspect or the first to third possible implementation manners of the first aspect, in a fourth possible implementation manner of the first aspect, before determining, according to the user ID of the first user, group information of a group to which the first user belongs, the method further includes: determining that the resource owner is not authorized for the first user.
In a second aspect, there is provided an authentication server comprising a receiving module, a determining module and a sending module, wherein the receiving module is used for receiving an authorization request sent by a first user through a first client, and the authorization request comprises a user Identification (ID) of the first user and an identification of a resource requested to be accessed; the determining module is used for determining the group information of the group to which the first user belongs according to the user ID of the first user received by the receiving module, and for determining that the group has obtained the authorization of the resource owner corresponding to the identifier of the resource according to the stored authorization record; and the sending module is used for generating a first access token and sending the first access token to the first client.
With reference to the second aspect, in a first possible implementation manner of the second aspect, the determining module is configured to determine, according to the user ID of the first user, group information of a group to which the first user belongs, and specifically: sending a group query message containing the user ID of the first user to a group server; and receiving a group confirmation message returned by the group server, wherein the group confirmation message comprises group information to which the first user belongs, and the group information comprises a group identifier of a group to which the first user belongs.
With reference to the second aspect, in a second possible implementation manner of the second aspect, the determining module is configured to determine, according to the user ID of the first user, group information of a group to which the first user belongs, and specifically: inquiring a locally stored group database, wherein the group database comprises stored group identification and corresponding group member information; and determining the group identification of the group to which the first user belongs according to the user ID of the first user.
With reference to the second aspect, or the first possible implementation manner of the second aspect, or the second possible implementation manner of the second aspect, in a third possible implementation manner of the second aspect, the authentication server further includes: the receiving module is further configured to receive an authorization request sent by a second user through a second client, where the authorization request includes a user ID of the second user and an identifier of the resource; the determining module is further configured to determine, according to the user ID of the second user received by the receiving module, that the second user belongs to the group; determining that the group is not authorized by the resource owner; the sending module is further configured to send an authentication request to the resource owner, where the authentication request includes the group information; the receiving module is further configured to receive an authentication response returned by the resource owner, where the authentication response includes indication information that the resource owner agrees to authorize the group; the storage module is used for storing an authorization record of the access authority of the resource corresponding to the identifier of the resource obtained by the group; the sending module is further configured to generate a second access token, and send the second access token to the second client.
With reference to the second aspect or the first to third possible implementation manners of the second aspect, in a fourth possible implementation manner of the second aspect, before the determining module is configured to determine, according to the user ID of the first user, group information of a group to which the first user belongs, the determining module is further configured to determine that the resource owner does not authorize the first user.
In a third aspect, a system for processing authorization is further provided, including a first client configured to send an authorization request to an authentication server, where the authorization request includes a user identifier ID of a first user and an identifier of a resource requested to be accessed; the authentication server is used for receiving an authorization request sent by a first user through a first client, wherein the authorization request comprises a user Identification (ID) of the first user and an identification of a resource requested to be accessed; determining group information of a group to which the first user belongs according to the user ID of the first user; determining that the group has obtained the authorization of the resource owner corresponding to the identifier of the resource according to the stored authorization record; and generating a first access token and sending the first access token to the first client.
With reference to the third aspect, in a first possible implementation manner of the third aspect, the system further includes: the second client is used for sending an authorization request to the authentication server, wherein the authorization request comprises a user Identification (ID) of a second user and the identification of the resource; the authentication server is further configured to receive an authorization request sent by a second user through a second client, where the authorization request includes a user ID of the second user and an identifier of the resource; determining that the second user belongs to the group according to the user ID of the second user; determining that the group is not authorized by the resource owner; sending an authentication request to the resource owner, the authentication request including the group information; receiving an authentication response returned by the resource owner, wherein the authentication response comprises indication information that the resource owner agrees to authorize the group; storing an authorization record of the access authority of the resource corresponding to the identifier of the resource obtained by the group; and generating a second access token and sending the second access token to the second client.
According to the technical scheme provided by the invention, the resource owner authorizes the group and the authentication server stores the authorization records of the group and the resource, so that when other group members in the group request authorization for the resource, the authentication server does not need to continuously apply permission to the resource owner, and directly generates the access token according to the corresponding authorization records and returns the access token to the client, thereby effectively lightening the authorization burden of the resource owner.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, embodiments of the present invention are described in further detail below with reference to the accompanying drawings. In the following detailed description, numerous specific details are set forth in order to provide a thorough understanding of the invention. It will be understood by those skilled in the art, however, that the present invention may be practiced without these specific details. In other instances, well-known methods, procedures, components, circuits, and the like have not been described in detail so as not to unnecessarily obscure the embodiments. It is to be understood that the embodiments described below are only some of the embodiments of the present invention, and not all of them. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It should be noted that the functions related to the authentication server, the group server, and the resource server described in the embodiment of the present invention may be implemented by different function modules of the same device, or implemented by different devices, respectively, which is not limited in the present invention.
Further, in some of the flows described below, multiple operations are included in a particular order, but it should be clearly understood that these operations may be performed out of order or in parallel as they appear herein, with the order of the operations, e.g., 101, 102, etc., merely to distinguish between the various operations, and the order itself does not represent any order of execution. Additionally, the flows may include more or fewer operations, and the operations may be performed sequentially or in parallel. It should be noted that, the descriptions of "first", "second", etc. in this document are used for distinguishing different messages, devices, modules, etc., and do not represent a sequential order, nor limit the types of "first" and "second" to be different.
Fig. 1 is a block diagram of a system for handling authorization provided in accordance with an embodiment of the present invention. The system comprises a plurality of communication devices, which communicate with each other via a wired or wireless communication network. Wherein,
the client 102: generally refers to an application provided to a user for obtaining authorization and accessing resource information on a resource server.
The resource server 104: a server for storing resource information (e.g., pictures, videos, consumption information, etc.) and providing access thereto. When a user requests to access resource information on the resource server through a client, an access token issued by an authentication server that has established a trust relationship with the resource server must be presented, and after the token passes verification the resource server returns the requested resource information to the user.
The authentication server 106: a server dedicated to handling user authentication and issuing access tokens for clients. It can be combined with the resource server or can be arranged independently.
The group server 108: for storing the relationship between users and groups. Specifically, a system administrator, resource owner, or other user with access to the group server may set the relationship between users and groups. For example, user A logs in to the group server and creates group X on the group server, and group X includes user A, user B and user C; then the relationship between user A, user B, user C and group X is stored on the group server. When the group is created, the creator of the group may authorize other users to manage the created group. It should be noted that the specific way of creating and managing the group is not limited in the present invention.
The resource owner 110: the owner of the resource information (such as pictures, videos, consumption information and the like) stored in the resource server. When other users access this resource information, they need to obtain the permission of the resource owner, and the authentication server generates an access token for the client according to the permission information of the resource owner on the premise that the resource owner agrees to authorize.
The following describes implementations of the authorization method, apparatus, and system according to the present application in detail with reference to the accompanying drawings.
Fig. 2 is a flowchart of an authorization method provided in the present invention. In this embodiment, an authorization process is provided for a user to access resource information on a resource server through a client. In a specific implementation, the method of handling authorization may be performed by an authentication server. The authentication server is used for issuing an access token for the client under the condition of permission of the resource owner. The client accesses the protected resource by presenting the access token to the resource server. The authentication server may be co-located with the resource server or may exist as a separate device. After receiving an authorization request sent by a client, the authentication server determines the group to which the user belongs according to the user identifier in the authorization request. If the group has already been authorized, the authentication server sends the access token directly to the client without applying for permission again from the resource owner; if the group has not obtained the permission of the resource owner, the authentication server applies to the resource owner for permission on behalf of the group, and if the resource owner agrees to authorize the group, the authentication server stores the authorization record of the group and the resource requested to be accessed, generates an access token and returns the access token to the client. Specifically, the method comprises the following steps:
step 202: receiving an authorization request sent by a first user through a first client, wherein the authorization request comprises a user Identification (ID) of the first user and an identification of a resource requested to be accessed;
specifically, the client may be application software developed by a third party or a browser plug-in. The user sends an authorization request to the authentication server through the client, and the authorization request carries a user ID and an identifier of the resource requested to be accessed, where the identifier of the resource may be a Uniform Resource Identifier (URI) corresponding to the resource. The authentication server can determine the resource owner corresponding to the resource according to the identifier of the resource in the authorization request. When the user corresponding to the user ID has not obtained the access right of that resource, the authentication server applies to the resource owner for authorization permission. Only when the resource owner agrees to authorize the user does the authentication server generate an access token and send it to the client; otherwise, the user's authorization request is rejected, and the user cannot access the desired resource.
Step 204: determining group information of a group to which the first user belongs according to the user ID of the first user;
optionally, a group database is stored on the authentication server, and the group database records group information, where the group information includes a group name and group member information included in the group. The group member information may specifically be group member identification or description information of other group member characteristics. The determining, according to the user ID of the first user, group information of a group to which the first user belongs specifically includes: and querying the group database to obtain the group information containing the user ID of the first user in the group members.
Optionally, in the authorization system, a group server is further provided, and the group server records group information. The determining, according to the user ID of the first user, group information of a group to which the first user belongs specifically includes: sending a group query message containing the user ID of the first user to a group server; and receiving a group confirmation message returned by the group server, wherein the group confirmation message comprises group information of the first user. It should be noted that, in a specific implementation, the group information returned by the group server to the authentication server may only include the group identifier of the group to which the first user belongs, or may further include the group member identifier of the group to which the first user belongs. Optionally, when the received group information includes the group identifier and the group member identifier, the authentication server may store the received group information in the local database, when the authentication server receives the authorization request next time and needs to query the group information to which the user identifier belongs, the local database is preferentially queried, and if the local database has no record, the group query message is sent to the group server.
Optionally, before step 204, the authorization method further includes: the authentication server determines that the resource owner corresponding to the resource requested to be accessed has not authorized the first user. In the solution provided by the present invention, when the authentication server receives the authorization request sent by the user through the client, it may first determine whether the resource owner has authorized the user, and if the resource owner has authorized the user to access the resource, directly execute step 214. If the resource owner has not authorized the user to access the resource, it needs to be further determined whether the resource owner has authorized a certain group containing the user. Once the resource owner has authorized group X to access the resource, the authentication server does not need to apply to the resource owner for authorization again when a member of group X accesses the resource.
The method for the authentication server to determine whether the resource owner corresponding to the resource requested to be accessed authorizes the user belongs to the prior art, and is not described in detail in the invention.
Step 206: determining that the group has obtained the authorization of the resource owner corresponding to the identifier of the resource according to the stored authorization record;
the authorization record of the group having obtained the access right is stored in a local or remote database of the authentication server, and the authorization record may be in the form of the following mapping table, or in any other form.
| Group name | Accessing resources |
| Group A | Resource 1 |
| Group B | Resource 2 |
And after determining the group to which the first user belongs, the authentication server inquires the authorization record, and when the authorization record has an authorization relationship between the group to which the first user belongs and the resource requested to be accessed, the authentication server determines that the resource owner corresponding to the resource requested to be accessed by the first user has authorized the group to which the first user belongs.
Step 208: and generating a first access token and sending the first access token to the first client.
Specifically, after determining that the group to which the first user belongs has been authorized by the resource owner, the authentication server may directly generate the access token, and return the generated access token to the first client, so that the first user accesses the resource through the first client.
Optionally, before the authentication server receives the authorization request sent by the first user through the first client, when another group member in the group corresponding to the first user, such as the second user, also requests to access the resource, the authorization method further includes: receiving an authorization request sent by a second user through a second client, wherein the authorization request comprises a user ID of the second user and an identifier of a resource requested to be accessed; determining that the second user belongs to the group according to the user ID of the second user; determining that the group does not obtain the authorization of the resource owner according to the stored authorization record; sending an authentication request to the resource owner, the authentication request including the group information; receiving an authentication response returned by the resource owner, wherein the authentication response comprises indication information that the resource owner agrees to authorize the group; storing an authorization record of the access authority of the resource corresponding to the identifier of the resource obtained by the group; and generating a second access token and sending the second access token to the second client. It should be noted that, the first client and the second client may be the same client or different clients, and the present invention is not limited to this. Specifically, when it is determined that the group does not obtain the authorization of the resource owner, the authentication server sends an authentication request to the resource owner to request the resource owner to authorize the group to which the first user belongs. In order to facilitate the resource owner to determine the scope of the authorization object, the group information in the authentication request may further include group member identification in addition to the group name.
When the authentication response message contains indication information indicating that the resource owner does not agree to authorize the group, the authentication server rejects the received authorization request, and the authorization process ends. When the authentication server receives the indication information returned by the resource owner agreeing to authorize the group, the authentication server stores the authorization record of the group having obtained the resource access authority. The form of the mapping table in step 206 may be used in particular implementations.
In the authorization method provided by this embodiment, since the resource owner has authorized the group, and the authentication server stores the authorization records of the group and the resource, when other group members in the group request authorization for the resource, the authentication server does not need to continuously apply for permission to the resource owner, and directly generates the access token according to the corresponding authorization record and returns the access token to the client, thereby effectively reducing the authorization burden of the resource owner.
Fig. 3 is an exemplary signaling diagram of a method for handling grants according to an embodiment of the present invention. In this embodiment, a user accesses a resource stored on a resource server through a client. The client can authenticate the identity of the user through at least one of an account password, biometric authentication or other identity authentication modes. The client maintains authentication information for each user, and each user has a unique user identification.
In order to reduce the authorization burden on the resource owner when multiple users access the resource on the resource server, in an embodiment of the present invention, a group may be established for the multiple users on the group server by a system administrator. The resource owner only needs to authorize the group once, and all members of the group can then obtain the right to access the resource. For example, in the same project group, a certain group member X uploads project data to the server, and group member X is then the resource owner. The system administrator may establish a group for the project group on the group server, where the group members include all members of the project group; assume that the group has three members, A, B and C. It should be noted that the group members may or may not include the resource owner X. The method includes, without limitation, the following steps:
step 301: user A sends an authorization request to the authentication server through the client, wherein the authorization request comprises the Uniform Resource Identifier (URI) of the resource which user A wishes to access and the user identifier A;
step 302: the authentication server sends a group relation query request to a group server, wherein the group relation query request comprises the user identification A;
step 303: the group server returns a group relation query response to the authentication server, wherein the group relation query response comprises the group information to which the user A belongs;
specifically, the group server determines the group to which the user belongs according to the user identifier. In a possible implementation manner, a corresponding relationship between a group name and a group member list is stored in a group server, and the group server traverses the corresponding relationship according to a received user identifier, and determines the group member list to which the user identifier belongs and a corresponding group name. The group information includes a group name, and optionally, the group information further includes a group member list corresponding to the group name.
Step 304: the authentication server determines that the group to which the user A belongs does not have an authorization record;
specifically, the authentication server may query a locally stored authorization relationship mapping table between groups and resources requested to be accessed, where the authorization relationship mapping table records the correspondence between each authorized group and the resource requested to be accessed. When the authentication server determines that the group to which the user belongs has no authorization record, this indicates that the user is the first user in the group to apply for access to the resource, and at this time the authentication server needs to obtain the authorization permission of the resource owner before issuing the token to the user.
Step 305: the authentication server sends an authentication request to a resource owner, wherein the authentication request comprises the group information;
step 306-step 307: the resource owner determines an authorization range according to the group information and returns an authentication response to the authentication server;
specifically, the resource owner determines to agree with authorization according to the group information, and returns an authentication response to the authentication server, where the authentication response includes identity authentication information and authorization permission information of the resource owner.
Optionally, if the group information further includes a group member list, the resource owner may know the members included in the group, and grant authorization to the group when determining that the members included in the group are all trusted.
Step 308: the authentication server stores the group authorization record and generates an access token;
specifically, the authentication server determines that the identity of the resource owner is legal according to identity authentication information contained in an authentication response returned by the resource owner, and determines that the resource owner agrees to authorize the group according to the authorization permission information, and then stores a group authorization record and generates an access token.
Step 309: the authentication server returns an access token to the client;
step 310-step 311: the client side sends a resource request message carrying the access token to the resource server to obtain the resource information.
Specifically, user A sends a resource request carrying the access token to the resource server through the client; after the resource server verifies that the access token is legal, the resource server returns the requested resource to the client, and the client displays the requested resource to user A.
Further, fig. 4 is an exemplary signaling diagram of a method for handling a grant according to an embodiment of the present invention. When user B or C in the group of the embodiment shown in fig. 3 also accesses the resource on the resource server, the authentication server determines the group to which user B or C belongs and determines that the resource owner has already authorized the group, so the authentication server directly generates the access token and sends the generated access token to the client. Specifically, the method comprises the following steps:
steps 401 to 403 are the same as steps 301 to 303, and the related contents refer to the related description of the embodiment described in fig. 3, which is not described herein again.
Step 404: it is determined that the group has an authorization record.
Specifically, the authentication server may query the authorization records, stored locally or remotely, of the groups that have obtained access rights, where an authorization record may take the form of the mapping table described in step 206. When the authentication server determines that the group to which the user belongs has no authorization record, this indicates that the user is the first member of the group to apply for access to the resource, and the authentication server must obtain the authorization permission of the resource owner before issuing a token to the user. In the embodiment illustrated in fig. 3, since user A of the group has already applied for access to the resource, the group has obtained the authorization of the resource owner, and the authentication server maintains the authorization record of the group.
Step 405: generating an access token;
steps 406 to 408 are the same as steps 309 to 311; for the related contents refer to the description of the embodiment shown in fig. 3, which is not repeated here.
In the embodiment of the invention, the authentication server stores, locally or remotely, the authorization records of the groups that have obtained access rights. When the authorization records contain an authorization relationship between group G and resource S, this indicates that the resource owner has authorized group G, and when a member of group G applies for an access token for resource S, the authentication server directly generates the access token without applying for the authorization of the resource owner again. With this authorization method, a single authorization by the resource owner allows a plurality of users to access the resource, which greatly lightens the authorization burden of the resource owner.
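The following Python sketch is an added illustration of the flow of fig. 3 and fig. 4, not code from the patent: it models the authentication server's check of the (group, resource) authorization record, the one-time owner decision, token issuance, and the resource server's token check of step 311. The group database, the owner-decision callback, the shared HMAC secret and the token format are assumptions.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample data (assumption): a locally stored group database
# (the step 206 style lookup) and a resource -> resource owner mapping.
GROUP_DB = {"G1": {"userA", "userB", "userC"}, "G2": {"userD"}}
RESOURCE_OWNERS = {"S1": "ownerX", "S2": "ownerY"}


class AuthenticationServer:
    def __init__(self, secret, owner_decision):
        self._secret = secret                  # shared with the resource server (assumption)
        self._owner_decision = owner_decision  # models steps 306-307: owner grants or refuses a group
        self.auth_records = {}                 # (group_id, resource_id) -> record, the step 206 mapping table
        self.owner_prompts = 0                 # how often the owner was asked: once per (group, resource)

    def group_of(self, user_id):
        # Steps 304/404: find the group the user belongs to in the local group database.
        return next((g for g, members in GROUP_DB.items() if user_id in members), None)

    def authorize(self, user_id, resource_id):
        # Steps 301-305 / 401-405: returns a token, or None when authorization is refused.
        group_id = self.group_of(user_id)
        if group_id is None or resource_id not in RESOURCE_OWNERS:
            return None
        key = (group_id, resource_id)
        if key not in self.auth_records:
            # First member of this group to ask: obtain the owner's decision (steps 306-308).
            self.owner_prompts += 1
            owner = RESOURCE_OWNERS[resource_id]
            if not self._owner_decision(owner, group_id, sorted(GROUP_DB[group_id]), resource_id):
                return None                    # refused: no record is stored, no token is issued
            self.auth_records[key] = {"owner": owner}
        return self._issue_token(user_id, group_id, resource_id)

    def _issue_token(self, user_id, group_id, resource_id):
        # The token binds user, group and resource; the HMAC tag lets the resource
        # server reject forged or altered claims without contacting the owner.
        claims = json.dumps({"sub": user_id, "grp": group_id, "res": resource_id,
                             "nonce": secrets.token_hex(8)}, sort_keys=True)
        tag = hmac.new(self._secret, claims.encode(), hashlib.sha256).hexdigest()
        return claims + "." + tag


def verify_token(secret, token, resource_id):
    # Step 311 at the resource server: check the tag, then that the token names this resource.
    claims, _, tag = token.rpartition(".")
    expected = hmac.new(secret, claims.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    parsed = json.loads(claims)
    return parsed if parsed["res"] == resource_id else None
```

Note that the record is keyed by group and resource, so revoking the owner's grant means deleting that one record; tokens already issued stay valid until they expire, which the sketch does not model.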
It should be noted that, for simplicity of description, the above-mentioned method embodiments are described as a series of acts or combination of acts, but those skilled in the art will recognize that the present invention is not limited by the order of acts, as some steps may occur in other orders or concurrently in accordance with the invention. Further, those skilled in the art should also appreciate that the embodiments described in the specification are preferred embodiments and that the acts and modules referred to are not necessarily required by the invention.
The following describes the apparatus and system provided by the embodiments of the present invention.
Fig. 5 is a schematic structural diagram of an authentication server according to an embodiment of the present invention. As shown in fig. 5, the authentication server includes a receiving module 502, a determining module 504, and a sending module 506.
A receiving module 502, configured to receive an authorization request sent by a first user through a first client, where the authorization request includes a user identifier ID of the first user and an identifier of a resource requested to be accessed.
A determining module 504, configured to determine, according to the user ID of the first user received by the receiving module 502, group information of a group to which the first user belongs; determining that the group has obtained the authorization of the resource owner corresponding to the identifier of the resource according to the stored authorization record;
the determining module 504 is configured to determine, according to the user ID of the first user, group information of a group to which the first user belongs, specifically: sending a group query message containing the user ID of the first user to a group server; receiving a group confirmation message returned by the group server, wherein the group confirmation message comprises group information to which the first user belongs, and the group information comprises a group identifier of a group to which the first user belongs; or, inquiring a locally stored group database, wherein the group database comprises stored group identification and corresponding group member information; and determining the group identification of the group to which the first user belongs according to the user ID of the first user.
In an implementation process, the determining module 504 is specifically configured to implement the method described in step 204 to step 206 of the embodiment shown in fig. 2; for the related contents refer to the description of that embodiment, which is not repeated here.
A sending module 506, configured to generate a first access token, and send the first access token to the first client.
In a specific implementation process, before the receiving module 502 receives the authorization request sent by the first user through the first client, another member of the group to which the first user belongs, such as a second user, may also request access to the resource. In that case the receiving module 502 is further configured to receive an authorization request sent by the second user through a second client, where the authorization request includes a user ID of the second user and an identifier of the resource requested to be accessed; the determining module 504 is further configured to determine, according to the user ID of the second user received by the receiving module 502, that the second user belongs to the group, and to determine that the group has not been authorized by the resource owner; the sending module 506 is further configured to send an authentication request to the resource owner, where the authentication request includes the group information; the receiving module 502 is further configured to receive an authentication response returned by the resource owner, where the authentication response includes an indication that the resource owner agrees to authorize the group; the authentication server further includes a storage module 508, configured to store an authorization record indicating that the group has obtained the access right to the resource corresponding to the identifier of the resource; and the sending module 506 is further configured to generate a second access token and send the second access token to the second client. It should be noted that the first client and the second client may be the same client or different clients, which is not limited in the present invention. Specifically, when it is determined that the group has not obtained the authorization of the resource owner, the authentication server sends an authentication request to the resource owner to request the resource owner to authorize the group to which the first user belongs.
In order to help the resource owner determine the scope of the authorization, the group information in the authentication request may further include the group member identifiers in addition to the group name.
When the authentication response received by the receiving module 502 contains indication information that the resource owner does not agree to authorize the group, the authentication server rejects the received authorization request and the authorization process ends. When the receiving module 502 receives indication information returned by the resource owner that authorization is granted to the group, the storage module 508 stores the authorization record indicating that the group has obtained the access right to the resource. In particular implementations, the form of the mapping table in step 206 may be used.
In the authorization method provided by this embodiment, since the resource owner has authorized the group and the authentication server stores the authorization record of the group and the resource, when other members of the group request authorization for the resource, the authentication server does not need to apply to the resource owner for permission again; it directly generates the access token according to the corresponding authorization record and returns the access token to the client, thereby effectively reducing the authorization burden of the resource owner.
Fig. 6 is a schematic diagram of another structure of an authentication server according to an embodiment of the present invention, which employs a general-purpose computer system structure: program code for executing the scheme of the present invention is stored in a memory, and a processor controls the execution of that program code. The device for processing authorization comprises a bus, a processor 602, a memory 604, and a communication interface 606.
A bus may include a path that transfers information between the various components of a computer.
Processor 602 may be a general-purpose Central Processing Unit (CPU), a microprocessor, an Application Specific Integrated Circuit (ASIC), or one or more integrated circuits configured to control the execution of programs in accordance with the present invention. The memory or memories included in the computer system may be a read-only memory (ROM) or another type of static storage device that stores static information and instructions, a Random Access Memory (RAM) or another type of dynamic storage device that stores information and instructions, or a disk storage device. These memories are connected to the processor via the bus.
The communication interface 606 may use any transceiver or the like to communicate with other devices or communication networks, such as ethernet, Radio Access Network (RAN), Wireless Local Area Network (WLAN), etc.
Memory 604, such as RAM, holds an operating system and programs that implement aspects of the present invention. The operating system is a program for controlling the operation of other programs and managing system resources. Program code for implementing aspects of the present invention is stored in memory and controlled for execution by the processor.
The program stored in the memory 604 is for instructing the processor to perform a method of authorization comprising: receiving an authorization request sent by a first user through a first client, wherein the authorization request comprises a user Identification (ID) of the first user and an identification of a resource requested to be accessed; determining group information of a group to which the first user belongs according to the user ID of the first user; determining that the group has obtained the authorization of the resource owner corresponding to the identifier of the resource according to the stored authorization record; and generating a first access token and sending the first access token to the first client.
It can be understood that a device for processing authorization of this embodiment may be used to implement all functions in the method embodiment shown in fig. 2, and a specific implementation process thereof may refer to the related description of the above method embodiment, which is not described herein again.
Fig. 7 is a schematic structural diagram of a system for processing authorization according to an embodiment of the present invention. As shown in fig. 7, the system includes a first client 702 and an authentication server 704.
A first client 702, configured to send an authorization request to an authentication server, where the authorization request includes a user identifier ID of a first user and an identifier of a resource requested to be accessed;
an authentication server 704, configured to receive an authorization request sent by a first user through a first client, where the authorization request includes a user identifier ID of the first user and an identifier of a resource requested to be accessed; determining group information of a group to which the first user belongs according to the user ID of the first user; determining that the group has obtained the authorization of the resource owner corresponding to the identifier of the resource according to the stored authorization record; and generating a first access token and sending the first access token to the first client.
Optionally, the system further includes: a second client 706, configured to send an authorization request to an authentication server, where the authorization request includes a user identifier ID of a second user and an identifier of the resource;
the authentication server 704 is further configured to receive an authorization request sent by a second user through a second client, where the authorization request includes a user ID of the second user and an identifier of the resource; determining that the second user belongs to the group according to the user ID of the second user; determining that the group is not authorized by the resource owner; sending an authentication request to the resource owner, the authentication request including the group information; receiving an authentication response returned by the resource owner, wherein the authentication response comprises indication information that the resource owner agrees to authorize the group; storing an authorization record of the access authority of the resource corresponding to the identifier of the resource obtained by the group; and generating a second access token and sending the second access token to the second client.
It should be noted that the first client 702 and the second client 706 may be the same client or different clients, which is not limited in the present invention.
For a more detailed description of the authentication server 704, refer to the description of the authentication server shown in fig. 5; the related contents are not repeated here.
Because the information interaction, execution process, and other details of the modules in the above-mentioned device and system are based on the same concept as the method embodiments of the present invention, the specific contents may be found in the description of the method embodiments and are not repeated here.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by a computer program, which can be stored in a computer-readable storage medium, and when executed, can include the processes of the embodiments of the methods described above. The storage medium may be a magnetic disk, an optical disk, a Read-only Memory (ROM), a Random Access Memory (RAM), or the like.
The principles and embodiments of the present invention have been described herein using specific examples, which are presented solely to aid in the understanding of the methods and concepts of the present invention; meanwhile, for a person skilled in the art, according to the idea of the present invention, there may be variations in the specific embodiments and the application scope, and in summary, the content of the present specification should not be construed as a limitation to the present invention.