CN102638473B - User data authorization method, device and system - Google Patents
Publication number: CN102638473B (application CN201210137848.XA)
Authority: CN (China)
Legal status: Active
Abstract
The invention discloses a user data authorization method, device and system. In the method, an authorization server receives an authorization request sent by a third-party application server, the request comprising a server identifier and a server address; sends an identity authentication request to an authentication gateway so that the gateway authenticates the client user; receives the identity authentication response returned by the gateway, which comprises the user identifier of the authenticated user; looks up the user sub-accounts matching the user identifier in the authorization server and sends them to the client so that the client user can select an authorized sub-account; receives the authorized sub-account returned by the client, and establishes and saves the correspondence among the server identifier, the user identifier and the authorized sub-account; and sends the user identifier, the authorized sub-account and an access token to the third-party application server using the server address. The user can thereby grant a third party partial use authorization, which improves network service quality and the user's service experience.
Description
Technical field
The present invention relates to the field of network service technology, and in particular to a user data authorization method, device and system.
Background art
Network services are now used throughout people's daily work and life. When a network service is used, the network service provider provides the corresponding service to the user according to the user data it holds.
Taking online games as an example: when a user uses an online game service, the user data involved may include the user's basic information (such as user name, age and home location), the user level, the game characters the user has created, and information specific to each game character (such as character level, equipped game items and relationships with other users' characters). The network service provider's game server provides the game service to the user according to this stored user data.
With the development of information technology, and to extract the most value from the data they hold, major network service providers have launched open platforms that open their stored data to third-party developers. However, the data opened up includes user data with high security requirements. When a third party needs to access this user data, it must on the one hand obtain the user's use authorization and on the other hand pass the network service provider's authentication; only when both requirements are met can the third party access the user data held by the network service provider.
As for the requirement that the third party obtain the user's use authorization, the authorization methods widely adopted at present operate on the user as a whole: the user either grants use authorization to the third party or does not, and cannot grant the third party partial use authorization. In general, however, one user account tends to contain multiple sub-accounts. If the user wants to authorize the third party to use only the user data of some of those sub-accounts, existing technical solutions cannot meet this need.
Continuing the online game example, the game characters in the user data are equivalent to multiple sub-accounts under one user account. If the user wants to authorize only one or a few game characters to a third-party application server, then under the prior art, once the user grants use authorization to the third-party application server, that server obtains use authorization for all game characters the user has created. This clearly runs contrary to the user's intent, fails to meet the user's need and degrades the user's experience of the online game.
Summary of the invention
The technical problem to be solved by the present invention is to provide a user data authorization method, device and system that allow a user to grant a third-party application server partial use authorization.
To solve this technical problem, an embodiment of the present invention provides a user data authorization method, comprising:
An authorization server receives an authorization request sent by a third-party application server, the authorization request comprising a server identifier and a server address;
Sending an identity authentication request to an authentication gateway, so that the authentication gateway authenticates the client user;
Receiving the authentication response returned by the authentication gateway, the authentication response comprising the user identifier of the authenticated user;
Looking up, in the authorization server, the user sub-accounts matching the user identifier, and sending them to the client so that the client user can select an authorized sub-account;
Receiving the authorized sub-account returned by the client, and establishing and saving the correspondence among the server identifier, the user identifier and the authorized sub-account;
Using the server address, sending the user identifier, the authorized sub-account and an access token representing access rights to the third-party application server.
Preferably, the authentication gateway authenticating the client user specifically comprises:
Obtaining the client user's login status; if the user has logged in successfully, judging the user to be an authenticated user; if the user has not logged in successfully, prompting the user for username and password verification and, after the username and password are verified, judging the user to be an authenticated user;
Converting the authenticated user's username into a user identifier, adding the user identifier to the authentication response and sending it to the authorization server.
Preferably, the method further comprises: after receiving the authorized sub-account returned by the client,
Sending the user data contained in the authorized sub-account to the client so that the client user can select authorized user data; in that case,
Establishing and saving the correspondence specifically comprises: after receiving the authorized user data returned by the client, establishing and saving the correspondence among the server identifier, the user identifier, the authorized sub-account and the authorized user data;
The information sent to the third-party application server using the server address is specifically: the user identifier, the authorized sub-account, the authorized user data and the access token.
Preferably, the method further comprises: before establishing and saving the correspondence among the server identifier, the user identifier, the authorized sub-account and the authorized user data,
Judging whether the authorized sub-account is contained in the user's sub-accounts, and judging whether the authorized user data is contained in the user data; if both judgments are yes, continuing with the step of establishing and saving the correspondence.
Preferably, using the server address to send the user identifier, the authorized sub-account and the access token to the third-party application server specifically comprises:
Generating an authorization code, and using the server address to send the user identifier, the authorized sub-account and the authorization code to the third-party application server;
Receiving the server identifier and authorization code sent by the third-party application server; if the server identifier matches the server identifier in the authorization request and the authorization code matches the generated authorization code, sending the access token to the third-party application server.
Preferably, the method further comprises:
Receiving an access request sent by the third-party application server and forwarded by an open platform gateway, the access request comprising four items of information (server identifier, access token, user identifier and sub-account), a digital signature of the four items, and the signature method used to generate the digital signature;
Performing legitimacy authentication on the access request; if authentication passes, allowing the third-party application server to access all user data contained in the sub-account named in the access request;
Wherein the legitimacy authentication comprises:
Generating a digital signature of the four items using the signature method and comparing it with the digital signature contained in the access request; if they are identical, judging the access request legitimate;
Judging whether the server identifier, user identifier and sub-account in the access request satisfy the correspondence among the server identifier, user identifier and authorized sub-account saved by the authorization server; if so, judging the server identifier, user identifier and sub-account in the access request legitimate;
Judging whether the access token matches the access token the authorization server sent to the third-party application server; if so, judging the access token legitimate.
Preferably, the method further comprises:
The access request further comprises user data; in that case,
The digital signature in the access request is specifically a digital signature generated from five items of information: server identifier, access token, user identifier, sub-account and user data;
The legitimacy authentication specifically comprises:
Generating a digital signature of the five items using the signature method and comparing it with the digital signature contained in the access request; if they are identical, judging the access request legitimate;
Judging whether the server identifier, user identifier, sub-account and user data in the access request satisfy the correspondence among the server identifier, user identifier, authorized sub-account and authorized user data saved by the authorization server; if so, judging the server identifier, user identifier, sub-account and user data in the access request legitimate;
Judging whether the access token matches the access token the authorization server sent to the third-party application server; if so, judging the access token legitimate.
Preferably, the method further comprises:
The access request further comprises a current timestamp; in that case,
The legitimacy authentication further comprises:
Judging whether the current timestamp falls within a preset delay period; if so, judging the current timestamp legitimate.
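The authorization-code exchange and the legitimacy check described above, sketched as an added Python example (not code from the patent). It assumes HMAC-SHA256 with a key held from third-party registration as the signature method, a 300-second window as the preset delay period, and a timestamp covered by the signature; `AuthorizationServer`, `build_request` and `check_access` are hypothetical names.

```python
import hashlib
import hmac
import secrets
import time

# Assumption: the request names its signature method, so the server allowlists
# the methods it accepts instead of trusting that field.
SIGN_METHODS = {"hmac-sha256": hashlib.sha256}
MAX_SKEW_SECONDS = 300  # assumed value for the "preset delay period"
FIELDS = ("server_id", "access_token", "user_id", "sub_account", "timestamp")


def sign(key, method, values):
    """HMAC over length-prefixed values, so field boundaries cannot shift."""
    msg = b"".join(
        len(v.encode()).to_bytes(4, "big") + v.encode() for v in map(str, values)
    )
    return hmac.new(key, msg, SIGN_METHODS[method]).hexdigest()


def build_request(key, server_id, token, user_id, sub_account, timestamp,
                  method="hmac-sha256"):
    """Third-party side: assemble and sign an access request."""
    req = dict(zip(FIELDS, (server_id, token, user_id, sub_account, timestamp)))
    req["sign_method"] = method
    req["signature"] = sign(key, method, [req[f] for f in FIELDS])
    return req


class AuthorizationServer:
    def __init__(self):
        self.server_keys = {}   # server_id -> key from registration (assumed)
        self.sub_accounts = {}  # user_id -> set of the user's sub-accounts
        self.pending = {}       # authorization code -> (server_id, user_id, subs)
        self.grants = {}        # (server_id, user_id, sub_account) -> access token

    def authorize(self, server_id, user_id, chosen):
        """Record the user's selection; return a one-time authorization code."""
        if server_id not in self.server_keys:
            raise PermissionError("unregistered third-party server")
        owned = self.sub_accounts.get(user_id, set())
        if not chosen or not set(chosen) <= owned:
            raise PermissionError("selection is not among the user's sub-accounts")
        code = secrets.token_urlsafe(16)
        self.pending[code] = (server_id, user_id, tuple(chosen))
        return code

    def exchange(self, server_id, code):
        """Swap the code for an access token; a code is consumed on first use."""
        entry = self.pending.pop(code, None)
        if entry is None or entry[0] != server_id:
            raise PermissionError("authorization code or server identifier mismatch")
        token = secrets.token_urlsafe(32)
        for sub in entry[2]:
            self.grants[(server_id, entry[1], sub)] = token
        return token

    def check_access(self, req, now=None):
        """Legitimacy authentication; returns (allowed, reason)."""
        now = time.time() if now is None else now
        if not set(FIELDS) | {"sign_method", "signature"} <= set(req):
            return False, "missing field"
        key = self.server_keys.get(req["server_id"])
        if key is None or req["sign_method"] not in SIGN_METHODS:
            return False, "unknown server or signature method"
        expected = sign(key, req["sign_method"], [req[f] for f in FIELDS])
        if not hmac.compare_digest(expected.encode(), str(req["signature"]).encode()):
            return False, "bad signature"
        if abs(now - req["timestamp"]) > MAX_SKEW_SECONDS:
            return False, "timestamp outside window"
        granted = self.grants.get(
            (req["server_id"], req["user_id"], req["sub_account"]))
        if granted is None:
            return False, "sub-account not authorized"
        if not hmac.compare_digest(granted.encode(), str(req["access_token"]).encode()):
            return False, "token mismatch"
        return True, "ok"


def demo():
    """Constructed scenario: user A authorizes only sub-account A1 to B1."""
    key = b"constructed-demo-key"
    srv = AuthorizationServer()
    srv.server_keys["B1"] = key
    srv.sub_accounts["userA"] = {"A1", "A2", "A3"}
    token = srv.exchange("B1", srv.authorize("B1", "userA", ["A1"]))
    now = 1_700_000_000  # fixed clock so the result is reproducible
    granted = build_request(key, "B1", token, "userA", "A1", now)
    tampered = dict(granted, sub_account="A2")  # field changed, not re-signed
    return (
        srv.check_access(granted, now),
        srv.check_access(build_request(key, "B1", token, "userA", "A2", now), now),
        srv.check_access(build_request(key, "B1", token, "userA", "A1", now - 3600), now),
        srv.check_access(tampered, now),
    )
```

A correctly signed request for A2 is still refused, because the saved correspondence, not the signature, is what limits the third party to the sub-accounts the user selected.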
An embodiment of the present invention also provides a user data authorization device, comprising:
An authorization request receiving unit, configured to receive an authorization request sent by a third-party application server, the authorization request comprising a server identifier and a server address;
An authentication request sending unit, configured to send an identity authentication request to an authentication gateway so that the authentication gateway authenticates the client user;
An authentication response receiving unit, configured to receive the authentication response returned by the authentication gateway, the authentication response comprising the user identifier of the authenticated user;
A lookup unit, configured to look up, in the authorization server, the user sub-accounts matching the user identifier and send them to the client so that the client user can select an authorized sub-account;
A correspondence establishing unit, configured to receive the authorized sub-account returned by the client, and to establish and save the correspondence among the server identifier, the user identifier and the authorized sub-account;
An authorization information sending unit, configured to use the server address to send the user identifier, the authorized sub-account and an access token representing access rights to the third-party application server.
Preferably, the device further comprises:
A user data sending unit, configured to send the user data contained in the authorized sub-account to the client so that the client user can select authorized user data;
The correspondence establishing unit is configured to, after receiving the authorized user data returned by the client, establish and save the correspondence among the server identifier, the user identifier, the authorized sub-account and the authorized user data;
The authorization information sending unit is configured to use the server address to send the user identifier, the authorized sub-account, the authorized user data and the access token to the third-party application server.
Preferably, the device further comprises:
A judging unit, configured to judge whether the authorized sub-account is contained in the user's sub-accounts and whether the authorized user data is contained in the user data and, if both judgments are yes, to notify the correspondence establishing unit to establish and save the correspondence.
Preferably, the authorization information sending unit specifically comprises:
An authorization code generating unit, configured to generate an authorization code;
A communication unit, configured to use the server address to send the user identifier, the authorized sub-account and the authorization code to the third-party application server, and to receive the server identifier and authorization code sent by the third-party application server;
A comparing unit, configured to compare whether the server identifier matches the server identifier in the authorization request and whether the authorization code matches the generated authorization code and, if both match, to send the access token to the third-party application server.
Preferably, the device further comprises:
An access request receiving unit, configured to receive an access request sent by the third-party application server and forwarded by an open platform gateway, the access request comprising four items of information (server identifier, access token, user identifier and sub-account), a digital signature of the four items, and the signature method used to generate the digital signature;
An authentication unit, configured to perform legitimacy authentication on the access request and, if authentication passes, to allow the third-party application server to access all user data contained in the sub-account named in the access request;
Wherein the legitimacy authentication comprises:
Generating a digital signature of the four items using the signature method and comparing it with the digital signature contained in the access request; if they are identical, judging the access request legitimate;
Judging whether the server identifier, user identifier and sub-account in the access request satisfy the correspondence among the server identifier, user identifier and authorized sub-account saved by the authorization server; if so, judging the server identifier, user identifier and sub-account in the access request legitimate;
Judging whether the access token matches the access token the authorization server sent to the third-party application server; if so, judging the access token legitimate.
An embodiment of the present invention also provides a user data authorization system, comprising an authorization server, a third-party application server, an authentication gateway and a client, wherein:
The authorization server is configured to receive an authorization request sent by the third-party application server and to send an identity authentication request to the authentication gateway so that the authentication gateway authenticates the client user, the authorization request comprising a server identifier and a server address;
The authentication gateway is configured to authenticate the client user and to send the authorization server an authentication response comprising the user identifier of the authenticated user;
The authorization server is further configured to receive the authentication response, look up the user sub-accounts matching the user identifier and send them to the client;
The client is configured to receive the user sub-accounts, select an authorized sub-account from them and send it to the authorization server;
The authorization server is further configured to receive the authorized sub-account returned by the client, to establish and save the correspondence among the server identifier, the user identifier and the authorized sub-account, and to use the server address to send the user identifier, the authorized sub-account and an access token representing access rights to the third-party application server.
Preferably, the authentication gateway specifically comprises:
A login status obtaining unit, configured to obtain the client user's login status; if the user has logged in successfully, to judge the user to be an authenticated user; if the user has not logged in successfully, to prompt the user for username and password verification and, after the username and password are verified, to judge the user to be an authenticated user;
A converting unit, configured to convert the authenticated user's username into a user identifier, add the user identifier to the authentication response and send it to the authorization server.
Preferably, the authorization server is further configured to send the user data contained in the authorized sub-account to the client and, after receiving the authorized user data returned by the client, to establish and save the correspondence among the server identifier, the user identifier, the authorized sub-account and the authorized user data, and to use the server address to send the user identifier, the authorized sub-account, the authorized user data and the access token to the third-party application server.
Preferably, the authorization server is further configured to judge whether the authorized sub-account is contained in the user's sub-accounts and whether the authorized user data is contained in the user data and, if both judgments are yes, to continue with the step of establishing and saving the correspondence.
Preferably, the system further comprises an open platform gateway;
The open platform gateway is configured to receive an access request sent by the third-party application server and forward it to the authorization server, the access request comprising four items of information (server identifier, access token, user identifier and sub-account), a digital signature of the four items, and the signature method used to generate the digital signature;
The authorization server is configured to perform legitimacy authentication on the access request and, if authentication passes, to allow the third-party application server to access all user data contained in the sub-account named in the access request;
Wherein the legitimacy authentication comprises:
Generating a digital signature of the four items using the signature method and comparing it with the digital signature contained in the access request; if they are identical, judging the access request legitimate;
Judging whether the server identifier, user identifier and sub-account in the access request satisfy the correspondence among the server identifier, user identifier and authorized sub-account saved by the authorization server; if so, judging the server identifier, user identifier and sub-account in the access request legitimate;
Judging whether the access token matches the access token the authorization server sent to the third-party application server; if so, judging the access token legitimate.
Preferably, the access request received by the authorization server further comprises user data, and the digital signature in the access request is specifically a digital signature generated from five items of information: server identifier, access token, user identifier, sub-account and user data;
In that case, the legitimacy authentication performed by the authorization server specifically comprises:
Generating a digital signature of the five items using the signature method and comparing it with the digital signature contained in the access request; if they are identical, judging the access request legitimate;
Judging whether the server identifier, user identifier, sub-account and user data in the access request satisfy the correspondence among the server identifier, user identifier, authorized sub-account and authorized user data saved by the authorization server; if so, judging the server identifier, user identifier, sub-account and user data in the access request legitimate;
Judging whether the access token matches the access token the authorization server sent to the third-party application server; if so, judging the access token legitimate.
Preferably, the access request received by the authorization server further comprises a current timestamp;
In that case, the legitimacy authentication performed by the authorization server further comprises:
Judging whether the current timestamp falls within a preset delay period; if so, judging the current timestamp legitimate.
In the user data authorization method, device and system of the embodiments of the present invention, the authorization server holds the information of the multiple sub-accounts under one user account. When the user is guided to grant use authorization to a third-party application server, the sub-accounts matching the user identifier are looked up and the user selects some of them as authorized sub-accounts. This gives the user partial use authorization over the third-party application server, improves the quality of the network service and improves the user's service experience.
Brief description of the drawings
To describe the technical solutions of the embodiments of the present application or of the prior art more clearly, the drawings needed for the description of the embodiments or the prior art are briefly introduced below. The drawings described below are only some of the embodiments recorded in the present application; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic flowchart of method embodiment 1 of the present invention;
Fig. 2 is a schematic flowchart of method embodiment 2 of the present invention;
Fig. 3 is a schematic flowchart of method embodiment 3 of the present invention;
Fig. 4 is a schematic flowchart of method embodiment 4 of the present invention;
Fig. 5 is a schematic flowchart of method embodiment 5 of the present invention;
Fig. 6 is a schematic flowchart of method embodiment 6 of the present invention;
Fig. 7 is a schematic structural diagram of device embodiment 1 of the present invention;
Fig. 8 is a schematic structural diagram of authorization information sending unit 706 in device embodiment 1 of the present invention;
Fig. 9 is a schematic structural diagram of device embodiment 2 of the present invention;
Fig. 10 is a schematic structural diagram of device embodiment 3 of the present invention;
Fig. 11 is a schematic structural diagram of device embodiment 4 of the present invention;
Fig. 12 is a schematic structural diagram of system embodiment 1 of the present invention;
Fig. 13 is a schematic structural diagram of authentication gateway 113 in system embodiment 1 of the present invention;
Fig. 14 is a schematic structural diagram of system embodiment 2 of the present invention.
Detailed description
To help those skilled in the art better understand the solution of the present invention, the technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings. The described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
The user data authorization method, device and system of the present invention are intended to let a user grant a third party partial use authorization. For ease of understanding, the application environment of the invention is introduced first.
The original network service involves only two parties: the user, and the service provider. The user saves data on the service provider's server and sends requests to the server when needed, and the service provider provides the corresponding network service to the user. For example, user A has created a user account on the game server of game service provider Shanda, and that game server holds user data related to user A (for example, the basic user information filled in at registration, and user data produced during play such as user level, game items and created characters). When user A wants to use the online game service, A only needs to establish communication with the game server, and the game server can provide the game service to user A according to the stored user data.
With the development of information technology, open platforms emerged: the service provider opens the data it holds to third parties (which may be companies or individuals). Under this new network service model, users can use network services provided by third parties through the service provider's platform. For example, through the Shanda Games open platform, user A can use the top-up service for the game Xing Chen Bian provided by Duowan, or the AION character equipment query service provided by Sina Weibo.
Under this new network service model, if a user wants to use a third party's service through the open platform, the third party must first be able to obtain the user's data from the service provider; otherwise the third party cannot provide the service. Whether the third party can obtain the user data depends on the user's use authorization to the third party. In the prior art, the user can only be treated as a whole, granting use authorization to the third party in units of users, and partial use authorization is not possible. To meet this need, the present invention proposes a user data authorization method with fine authorization granularity.
Embodiment 1
Referring to Fig. 1, which shows the flowchart of embodiment 1 of a user data authorization method of the present invention, the method may comprise the following steps:
Step 101: the authorization server receives an authorization request sent by a third-party application server, the authorization request comprising a server identifier and a server address.
If user A has registered a user account on the platform of game services provider, under this user account, create three sub-accounts simultaneously, be respectively game role A
1, A
2and A
3(game role can be presented as game identifier, Game Zone mark, game group mark and the game role mark that each role has), these data have just been stored in game services business's platform so.In addition, if two third party B have been given in game services business's platform opening
1and B
2, that is to say third party B
1and B
2on platform, completed registration, platform is also preserved B so
1and B
2log-on message (for example third-party server identification ID
1, communication for the information such as key).
Suppose user A wants to log in to third party B1 as sub-account A1 and use the network service B1 provides. After receiving A1's login request, B1 goes to the open platform to obtain the user data corresponding to sub-account A1; only then can B1 provide the corresponding network service to user A. If user A has granted B1 use authorization for sub-account A1, the open platform authenticates B1's access request and, once it judges the request legitimate, returns the A1 user data that B1 requested to B1, which then provides the network service to the user. However, if user A has not granted B1 use authorization for sub-account A1, or B1 fails the open platform's authentication, the open platform prompts third party B1 to guide user A to grant it use authorization for sub-account A1.
The authorization server's receipt, in this step, of the authorization request sent by the third-party application server is the start of the process in which the third party guides the user to grant use authorization. The authorization request includes server identifier ID1 so that the authorization server knows which third party is making the request (the authorization server can also use ID1 to judge whether this third party has registered on the open platform, because only a third party registered on the open platform has the right to ask a user to grant it use authorization). The request includes the server address so that, once the user has completed the use authorization, the authorization server can send the authorization information accurately to the third party that requested it.
It should be noted that "guiding" here means web page redirection, that is, redirecting a network request to another location by one of various methods. In this step, guiding refers to the page shown to user A jumping from third party B1's login interface to the interface of the authorization website that prompts the user to grant B1 use authorization.
Step 102: send an identity authentication request to the authentication gateway, so that the authentication gateway authenticates the identity of the client user.
Step 103: receive the identity authentication response returned by the authentication gateway; the response comprises the user identifier of the authenticated user.
After receiving the third party's authorization request, the authorization server does not directly prompt user A to grant third party B1 use authorization. It first guides user A to the authentication gateway for identity authentication (guiding here refers to the page shown to A jumping from the interface of the authorization website to the identity authentication interface). This is because, without identity authentication, the user's identity information is unknown, so the sub-accounts the user owns are also unknown and the authorization operation cannot proceed.
The authentication gateway can authenticate the user as follows:
First, obtain the login state of user A. If the user has logged in successfully, judge the user to be an authenticated user. If not, prompt user A for username and password verification and, once the username and password are verified, judge the user to be an authenticated user.
Regarding the user's login state here: a user directed to the authentication gateway by the authorization server is usually one who has not logged in successfully. However, interconnection between networks (establishing effective connections between different telecommunication networks, so that users of different networks can communicate with each other or users of one network can use the services of another) may also leave the user's login state as already successfully logged in.
Secondly, convert the authenticated user's username into a user identifier, add the user identifier to the identity authentication response, and send the response to the authorization server.
The username of the successfully logged-in user is converted into user identifier ID2 to protect the security of the user data, so that the user's private information (for example the username) is not disclosed directly to the third party.
Step 104: search the authorization server for the user sub-accounts that match the user identifier and send them to the client, for the client user to select an authorized sub-account.
The authorization server extracts user identifier ID2 from the identity authentication response and searches, within the authorization server, for the user sub-accounts that match this identifier. For example, it finds that the sub-accounts matching user A's identifier are A1, A2 and A3. These three sub-accounts are sent to the client and shown to the user, who selects from them the sub-account to authorize to third party B2; for example, the user selects sub-account A1.
Step 105: receive the authorized sub-account returned by the client, and establish and save the correspondence among the server identifier, the user identifier and the authorized sub-account.
After pushing all of user A's sub-accounts to the user for review, the authorization server waits for the user's feedback and takes the sub-account the user selected as the sub-account authorized to B1 this time. It then establishes the correspondence among server identifier ID1, user identifier ID2 and authorized sub-account A1. The authorization server thus knows which user has authorized which of its sub-accounts to which third party, so that when the third party sends an access request, the authorization server can check the legitimacy of that request.
Step 106: using the server address, send the user identifier, the authorized sub-account and an access token representing access rights to the third-party application server.
After performing step 105, the authorization server knows the authorization relationship among the third party, the user and the sub-account. To complete the user's use authorization to the third party, the third party must also learn which sub-account of which user it has been authorized to use. The authorization server therefore sends the user identifier, the authorized sub-account and the access token representing access rights to the third party, using the server address from the authorization request of step 101. This completes the user's partial use authorization to the third party.
In the above example, carrying out the steps of the present invention achieves the purpose of user A granting third party B1 the right to use sub-account A1 (in effect, granting third party B1 access rights to the user data corresponding to sub-account A1).
One implementation of step 106 is as follows:
First, generate an authorization code and, using the server address, send the user identifier, the authorized sub-account and the authorization code to the third-party application server.
Secondly, receive the server identifier and authorization code sent by the third-party application server. If the server identifier matches the server identifier in the authorization request, and the authorization code matches the generated authorization code, send the access token to the third-party application server.
The authorization server could send the user identifier, the authorized sub-account and the access token directly to the third-party application server. However, to ensure the security and reliability of communication between the authorization server and the third-party application server, the authorization server generates a group of random numbers as the authorization code and sends the user identifier, the authorized sub-account and the authorization code to the third-party application server. After receiving this authorization information, the third-party application server feeds the authorization code and its own server identifier back to the authorization server in exchange for the access token.
Embodiment two
On the basis of Embodiment 1, the present invention further refines the granularity of authorization to the third party, granting use authorization in units of the user data corresponding to a sub-account. Referring to Fig. 2, which shows the flow chart of Embodiment 2 of a user data authorization method of the present invention, the method may comprise the following steps:
Step 201: the authorization server receives an authorization request sent by a third-party application server; the authorization request comprises a server identifier and a server address.
Step 202: send an identity authentication request to the authentication gateway, so that the authentication gateway authenticates the identity of the client user.
Step 203: receive the identity authentication response returned by the authentication gateway; the response comprises the user identifier of the authenticated user.
Step 204: search the authorization server for the user sub-accounts that match the user identifier and send them to the client, for the client user to select an authorized sub-account.
Steps 201 to 204 are identical to steps 101 to 104 and are not described again here.
Step 205: receive the authorized sub-account returned by the client, and send the user data comprised by the authorized sub-account to the client, for the client user to select the authorized user data.
Unlike Embodiment 1, this embodiment further refines the granularity of authorization to the third party. After the authorization server receives the authorized sub-account selected by the user, it also obtains the user data that this sub-account comprises, for example the sub-account's nickname, level, avatar, friends and updates. It then pushes these user data to the client to be shown to the user, so that the user can select which user data of the sub-account to authorize to the third party. That is, user A selects which user data of sub-account A1 to authorize to third party B1; for example, the user selects the "avatar" user data of A1.
Step 206: receive the authorized user data returned by the client, and establish and save the correspondence among the server identifier, the user identifier, the authorized sub-account and the authorized user data.
After step 205, what the authorization server knows in this step is which user has authorized which user data of which of its sub-accounts to which third party. The correspondence the authorization server needs to establish is therefore the one among the server identifier, the user identifier, the authorized sub-account and the authorized user data.
In the above example, the authorization server now establishes and saves the correspondence among server identifier ID1, user identifier ID2, authorized sub-account A1 and the authorized user data "avatar".
Step 207: using the server address, send the user identifier, the authorized sub-account, the authorized user data and the access token to the third-party application server.
Embodiment three
To improve the reliability of authorization and prevent the user's authorization action from being maliciously tampered with, referring to Fig. 3, which shows the flow chart of Embodiment 3 of a user data authorization method of the present invention, the method may comprise the following steps:
Step 301: the authorization server receives an authorization request sent by a third-party application server; the authorization request comprises a server identifier and a server address.
Step 302: send an identity authentication request to the authentication gateway, so that the authentication gateway authenticates the identity of the client user.
Step 303: receive the identity authentication response returned by the authentication gateway; the response comprises the user identifier of the authenticated user.
Step 304: search the authorization server for the user sub-accounts that match the user identifier and send them to the client, for the client user to select an authorized sub-account.
Steps 301 to 304 are identical to steps 101 to 104 and are not described again here.
Step 305: receive the authorized sub-account returned by the client, and judge whether the authorized sub-account is contained in the user sub-accounts.
Step 306: when the authorized sub-account is contained in the user sub-accounts, establish and save the correspondence among the server identifier, the user identifier and the authorized sub-account.
Before establishing and saving the correspondence, the authorization server first judges the legitimacy of the authorized sub-account it received, that is, whether the authorized sub-account is one or more of the sub-accounts belonging to the user. If so, it judges the received authorized sub-account legitimate and then establishes the correspondence. If the authorization server finds that the received authorized sub-account is not among the user's sub-accounts (for example, the received authorized sub-account is A4, which matches none of user A's sub-accounts A1, A2 and A3), the authorized sub-account selected by the user may have been maliciously tampered with. The authorization server then judges the received authorized sub-account illegitimate and does not establish the correspondence; it can also alert the user.
Step 307: using the server address, send the user identifier, the authorized sub-account and an access token representing access rights to the third-party application server.
Step 307 is identical to step 106 and is not described again here.
Embodiment four
Similarly, to improve the reliability of authorization and prevent the user's authorization action from being maliciously tampered with, referring to Fig. 4, which shows the flow chart of Embodiment 4 of a user data authorization method of the present invention, the method may comprise the following steps:
Step 401: the authorization server receives an authorization request sent by a third-party application server; the authorization request comprises a server identifier and a server address.
Step 402: send an identity authentication request to the authentication gateway, so that the authentication gateway authenticates the identity of the client user.
Step 403: receive the identity authentication response returned by the authentication gateway; the response comprises the user identifier of the authenticated user.
Step 404: search the authorization server for the user sub-accounts that match the user identifier and send them to the client, for the client user to select an authorized sub-account.
Step 405: receive the authorized sub-account returned by the client, and send the user data comprised by the authorized sub-account to the client, for the client user to select the authorized user data.
Steps 401 to 405 are identical to steps 201 to 205 and are not described again here.
It should be noted that, after step 405 receives the authorized sub-account returned by the client, the sub-accounts belonging to the user can also be used to judge the legitimacy of the received authorized sub-account, ensuring the reliability of sub-account authorization.
Step 406: receive the authorized user data returned by the client, and judge whether the authorized user data are contained in the user data.
Step 407: when the authorized user data are contained in the user data, establish and save the correspondence among the server identifier, the user identifier, the authorized sub-account and the authorized user data.
Before establishing and saving the correspondence, the authorization server first judges the legitimacy of the authorized user data it received, that is, whether the authorized user data are one or more of the user data comprised by the authorized sub-account. If so, it judges the received authorized user data legitimate and then establishes the correspondence. If the authorization server finds that the received authorized user data are not among the user data comprised by the authorized sub-account (for example, the user data comprised by user A's sub-account A1 are level, avatar, friends and updates, while the authorized user data the authorization server received are "nickname", which matches none of the user data comprised by sub-account A1), the authorized user data selected by the user may have been maliciously tampered with. The authorization server then judges the received authorized user data illegitimate and does not establish the correspondence; it can also alert the user.
Steps 406 and 407 thus ensure the reliability of user data authorization.
Step 408: using the server address, send the user identifier, the authorized sub-account, the authorized user data and the access token to the third-party application server.
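The grant side of Embodiments 1 to 4 can be sketched as follows: the containment checks of steps 305 and 406, the saved correspondence, and the authorization-code exchange described as an implementation of step 106. This is an added example, not code from the patent; the class and method names, the sample records, the English data item names and the code lifetime and single-use rule are assumptions.

```python
import secrets
import time

# Constructed sample records (not from the patent), following the page's example of
# user A (identifier ID2), sub-accounts A1..A3 and third party B1 (identifier ID1).
SUB_ACCOUNTS = {"ID2": {"A1", "A2", "A3"}}
SUB_ACCOUNT_DATA = {"A1": {"level", "avatar", "friends", "updates"}}
REGISTERED_SERVERS = {"ID1"}   # third parties registered on the open platform
CODE_TTL_SECONDS = 60          # assumption: the page sets no lifetime for the code


class ConsentRejected(Exception):
    """The selection returned by the client does not match server-side records."""


class AuthorizationServer:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.bindings = {}       # (server_id, user_id, sub_account) -> authorized data items
        self.pending_codes = {}  # authorization code -> (binding key, expiry time)
        self.tokens = {}         # access token -> binding key
        self.alerts = []         # (user_id, reason) pairs to surface to the user

    def _reject(self, user_id, reason):
        # Possible tampering: record an alert and refuse to save any correspondence.
        self.alerts.append((user_id, reason))
        raise ConsentRejected(reason)

    def record_consent(self, server_id, user_id, sub_account, data_items):
        """Validate the client's selection, save the correspondence, return a code."""
        if server_id not in REGISTERED_SERVERS:
            raise ConsentRejected("third party is not registered on the open platform")
        # Step 305: the returned sub-account must be one the server itself looked up.
        if sub_account not in SUB_ACCOUNTS.get(user_id, set()):
            self._reject(user_id, f"sub-account {sub_account!r} does not belong to the user")
        # Step 406: every returned data item must belong to that sub-account.
        chosen = frozenset(data_items)
        extra = chosen - SUB_ACCOUNT_DATA.get(sub_account, set())
        if extra:
            self._reject(user_id, f"data items not in sub-account: {sorted(extra)}")
        key = (server_id, user_id, sub_account)
        self.bindings[key] = chosen
        # Step 106 implementation: a random authorization code, bound to this grant.
        code = secrets.token_urlsafe(32)
        self.pending_codes[code] = (key, self.clock() + CODE_TTL_SECONDS)
        return code

    def redeem_code(self, server_id, code):
        """Exchange (server identifier, authorization code) for an access token."""
        # pop() makes the code single-use, even when the attempt below fails
        # (assumption: the page does not say how often a code may be presented).
        entry = self.pending_codes.pop(code, None)
        if entry is None:
            return None
        key, expiry = entry
        # The presenter must be the server the code was issued to, within the lifetime.
        if key[0] != server_id or self.clock() > expiry:
            return None
        token = secrets.token_urlsafe(32)
        self.tokens[token] = key
        return token
```

The important property is that the client's reply is only ever compared against sets the server looked up itself; nothing the client sends is trusted to define what the user owns.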
Embodiment five
Referring to Fig. 5, which shows the flow chart of Embodiment 5 of a user data authorization method of the present invention: after the user identifier, the authorized sub-account and the access token have been sent to the third-party application server in Embodiment 1 shown in Fig. 1 and Embodiment 3 shown in Fig. 3, the method may further comprise authenticating the access request sent by the third-party application server, in the following steps:
Step 501: receive the access request sent by the third-party application server and forwarded by the open platform gateway. The access request comprises four pieces of information (server identifier, access token, user identifier and sub-account), the digital signature of those four pieces of information, and the signing method used to generate the digital signature.
Step 502: perform legitimacy authentication on the access request; if authentication passes, allow the third-party application server to access all the user data comprised by the sub-account in the access request.
The legitimacy authentication comprises:
(1) using the signing method to digitally sign the four pieces of information, and comparing the result with the digital signature contained in the access request; if they are identical, the access request is judged legitimate;
(2) judging whether the server identifier, user identifier and sub-account in the access request match the correspondence among server identifier, user identifier and authorized sub-account saved by the authorization server; if so, the server identifier, user identifier and sub-account in the access request are judged legitimate;
(3) judging whether the access token matches the access token that the authorization server sent to the third-party application server; if so, the access token is judged legitimate.
If the access request, server identifier, user identifier, sub-account and access token are all legitimate, authentication is judged to have passed.
Embodiment six
Referring to Fig. 6, which shows the flow chart of Embodiment 6 of a user data authorization method of the present invention: after the user identifier, the authorized sub-account, the authorized user data and the access token have been sent to the third-party application server in Embodiment 2 shown in Fig. 2 and Embodiment 4 shown in Fig. 4, the method may further comprise authenticating the access request sent by the third-party application server, in the following steps:
Step 601: receive the access request sent by the third-party application server and forwarded by the open platform gateway. The access request comprises five pieces of information (server identifier, access token, user identifier, sub-account and user data, where the user data is the content the third party is requesting to access this time and can be represented by the name of the API being accessed), the digital signature of those five pieces of information, and the signing method used to generate the digital signature.
Step 602: perform legitimacy authentication on the access request; if authentication passes, allow the third-party application server to access all the user data comprised by the sub-account in the access request.
The legitimacy authentication specifically comprises:
(1) using the signing method to digitally sign the five pieces of information, and comparing the result with the digital signature contained in the access request; if they are identical, the access request is judged legitimate;
(2) judging whether the server identifier, user identifier, sub-account and user data in the access request match the correspondence among server identifier, user identifier, authorized sub-account and authorized user data saved by the authorization server; if so, the server identifier, user identifier, sub-account and user data in the access request are judged legitimate;
(3) judging whether the access token matches the access token that the authorization server sent to the third-party application server; if so, the access token is judged legitimate.
If the access request, server identifier, user identifier, sub-account, user data and access token are all legitimate, authentication is judged to have passed.
Embodiment seven
To prevent replay attacks, on the basis of Embodiment 5 shown in Fig. 5 and Embodiment 6 shown in Fig. 6, the present invention also authenticates the access request sent by the third-party application server as follows. Specifically, the access request also comprises a current timestamp, and the legitimacy authentication also comprises: judging whether the current timestamp falls within a preset delay period; if so, the current timestamp is judged legitimate.
If the access request, server identifier, user identifier, sub-account, user data, access token and current timestamp are all legitimate, authentication is judged to have passed.
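The access-request checks of Embodiments 5 to 7 (signature, saved correspondence, access token, timestamp) can be sketched as follows. This is an added example, not code from the patent. It assumes the signature is an HMAC keyed with the communication key the third party registered on the platform, that the server only accepts signing methods from its own allow-list rather than whatever the request names, that the timestamp is covered by the signature, and that the preset delay period is 300 seconds; all field names and sample values are constructed.

```python
import hashlib
import hmac
import time

# Assumption: the request names its signing method, but the server only accepts
# methods from this allow-list.
SIGNING_METHODS = {"HMAC-SHA256": hashlib.sha256}
MAX_DELAY_SECONDS = 300  # assumed value for the "preset delay period"

# Constructed server-side records, following the page's example identifiers.
SERVER_KEYS = {"ID1": b"constructed-demo-key"}             # registered communication key
BINDINGS = {("ID1", "ID2", "A1"): {"avatar"}}              # saved correspondence
ISSUED_TOKENS = {"constructed-token": ("ID1", "ID2", "A1")}

# The five pieces of information of Embodiment 6 plus the timestamp of Embodiment 7.
# Assumption: the timestamp is signed too, so a replayed request cannot be refreshed.
SIGNED_FIELDS = ("server_id", "access_token", "user_id",
                 "sub_account", "user_data", "timestamp")


def canonical(request):
    """Length-prefix every field so ("A1", "2") and ("A", "12") never sign alike."""
    parts = []
    for name in SIGNED_FIELDS:
        value = str(request[name]).encode("utf-8")
        parts.append(len(value).to_bytes(4, "big") + value)
    return b"".join(parts)


def sign(request, key, method="HMAC-SHA256"):
    return hmac.new(key, canonical(request), SIGNING_METHODS[method]).hexdigest()


def build_request(key, now, **fields):
    """Third-party side: assemble and sign an access request."""
    request = dict(fields, timestamp=int(now), sign_method="HMAC-SHA256")
    request["signature"] = sign(request, key)
    return request


def authenticate(request, now=None):
    """Authorization-server side: return (allowed, reason)."""
    now = time.time() if now is None else now
    if any(name not in request for name in SIGNED_FIELDS + ("sign_method", "signature")):
        return False, "missing field"
    key = SERVER_KEYS.get(request["server_id"])
    if key is None or request["sign_method"] not in SIGNING_METHODS:
        return False, "unknown server or signing method"
    # (1) Recompute the signature with the named method and compare in constant time.
    expected = sign(request, key, request["sign_method"])
    if not hmac.compare_digest(expected.encode(), str(request["signature"]).encode()):
        return False, "bad signature"
    # Embodiment 7: the timestamp must lie within the preset delay period.
    try:
        age = abs(now - float(request["timestamp"]))
    except (TypeError, ValueError):
        return False, "stale timestamp"
    if not age <= MAX_DELAY_SECONDS:   # written this way so NaN is rejected as well
        return False, "stale timestamp"
    # (2) The identifiers and the requested data must match the saved correspondence.
    binding = (request["server_id"], request["user_id"], request["sub_account"])
    if request["user_data"] not in BINDINGS.get(binding, set()):
        return False, "not authorized"
    # (3) The token must be the one issued for exactly this correspondence.
    if ISSUED_TOKENS.get(request["access_token"]) != binding:
        return False, "bad token"
    return True, "ok"
```

A timestamp window only narrows the replay interval: within the delay period an identical request still passes unless the server also remembers recently seen signatures.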
Embodiment eight
Referring to Fig. 7, which shows the structural block diagram of Embodiment 1 of a user data authorization device of the present invention, the device comprises:
Authorization request receiving unit 701, configured to receive an authorization request sent by a third-party application server, the authorization request comprising a server identifier and a server address;
Authentication request sending unit 702, configured to send an identity authentication request to the authentication gateway, so that the authentication gateway authenticates the identity of the client user;
Authentication response receiving unit 703, configured to receive the identity authentication response returned by the authentication gateway, the response comprising the user identifier of the authenticated user;
Searching unit 704, configured to search the authorization server for the user sub-accounts that match the user identifier and send them to the client, for the client user to select an authorized sub-account;
Correspondence establishing unit 705, configured to receive the authorized sub-account returned by the client, and to establish and save the correspondence among the server identifier, the user identifier and the authorized sub-account;
Authorization information sending unit 706, configured to use the server address to send the user identifier, the authorized sub-account and an access token representing access rights to the third-party application server.
Further, as shown in Fig. 8, the authorization information sending unit may specifically comprise:
Authorization code generating unit 7061, configured to generate an authorization code;
Communication unit 7062, configured to use the server address to send the user identifier, the authorized sub-account and the authorization code to the third-party application server, and to receive the server identifier and authorization code sent by the third-party application server;
Comparing unit 7063, configured to compare whether the server identifier matches the server identifier of the authorization request and whether the authorization code matches the generated authorization code, and, if both match, to send the access token to the third-party application server.
Embodiment nine
Referring to Fig. 9, which shows the structural block diagram of Embodiment 2 of a user data authorization device of the present invention, the device further comprises:
User data sending unit 707, configured to send the user data comprised by the authorized sub-account to the client, for the client user to select the authorized user data;
The correspondence establishing unit 705 is configured, after receiving the authorized user data returned by the client, to establish and save the correspondence among the server identifier, the user identifier, the authorized sub-account and the authorized user data;
The authorization information sending unit 706 is configured to use the server address to send the user identifier, the authorized sub-account, the authorized user data and the access token to the third-party application server.
Embodiment ten
Referring to Fig. 10, which shows the structural block diagram of Embodiment 3 of a user data authorization device of the present invention, the device further comprises:
Judging unit 708, configured to judge whether the authorized sub-account is contained in the user sub-accounts and whether the authorized user data are contained in the user data, and, if both results are yes, to notify the correspondence establishing unit to establish and save the correspondence.
Embodiment 11
Referring to Fig. 11, which shows the structural block diagram of Embodiment 4 of a user data authorization device of the present invention, the device further comprises:
Access request receiving unit 709, configured to receive the access request sent by the third-party application server and forwarded by the open platform gateway, the access request comprising four pieces of information (server identifier, access token, user identifier and sub-account), the digital signature of those four pieces of information, and the signing method used to generate the digital signature;
Authenticating unit 710, configured to perform legitimacy authentication on the access request and, if authentication passes, to allow the third-party application server to access all the user data comprised by the sub-account in the access request;
The legitimacy authentication comprises:
Using the signing method to digitally sign the four pieces of information, and comparing the result with the digital signature contained in the access request; if they are identical, the access request is judged legitimate;
Judging whether the server identifier, user identifier and sub-account in the access request match the correspondence among server identifier, user identifier and authorized sub-account saved by the authorization server; if so, the server identifier, user identifier and sub-account in the access request are judged legitimate;
Judging whether the access token matches the access token that the authorization server sent to the third-party application server; if so, the access token is judged legitimate.
Embodiment 12
Referring to Fig. 12, which shows the structural block diagram of Embodiment 1 of a user data authorization system of the present invention, the system comprises: authorization server 111, third-party application server 112, authentication gateway 113 and client 114, wherein:
The authorization server is configured to receive the authorization request sent by the third-party application server and to send an identity authentication request to the authentication gateway, so that the authentication gateway authenticates the identity of the client user; the authorization request comprises a server identifier and a server address;
The authentication gateway is configured to authenticate the identity of the client user and to send to the authorization server an identity authentication response comprising the user identifier of the authenticated user;
The authorization server is further configured to receive the identity authentication response, search for the user sub-accounts that match the user identifier, and send them to the client;
The client is configured to receive the user sub-accounts, select an authorized sub-account from them, and send it to the authorization server;
The authorization server is further configured to receive the authorized sub-account returned by the client, establish and save the correspondence among the server identifier, the user identifier and the authorized sub-account, and use the server address to send the user identifier, the authorized sub-account and an access token representing access rights to the third-party application server.
The authorization server, third-party application server, authentication gateway and client in the user data authorization system of the present invention cooperate to achieve the purpose of the present invention, namely the user granting partial use authorization to a third party. Referring to Fig. 13, which shows the structural block diagram of the authentication gateway, the gateway specifically comprises:
Login state obtaining unit 1131, configured to obtain the login state of the client user; if the user has logged in successfully, the user is judged to be an authenticated user; if not, the user is prompted for username and password verification and, once the username and password are verified, is judged to be an authenticated user;
Converting unit 1132, configured to convert the authenticated user's username into a user identifier, add the user identifier to the identity authentication response, and send the response to the authorization server.
Further, the present invention can also refine the granularity at which the user authorizes the third party, so that authorization is granted in units of the user data comprised by a sub-account. In this case, the authorization server is further configured to send the user data comprised by the authorized sub-account to the client and, after receiving the authorized user data returned by the client, to establish and save the correspondence among the server identifier, the user identifier, the authorized sub-account and the authorized user data, and to use the server address to send the user identifier, the authorized sub-account, the authorized user data and the access token to the third-party application server.
Further, to improve the reliability of authorization and prevent the user's authorization action from being maliciously tampered with, the authorization server is further configured to judge whether the authorized sub-account is contained in the user sub-accounts and whether the authorized user data are contained in the user data, and, if both results are yes, to continue with the step of establishing and saving the correspondence.
Embodiment 13
Referring to Figure 14, which shows a structural block diagram of Embodiment 2 of a user data authorization system of the present invention, the system further comprises an open platform gateway 115;
The open platform gateway is configured to receive the access request sent by the third-party application server and forward it to the authorization server. The access request comprises four items of information (the server identifier, the access token, the user identifier and the sub-account), the digital signature of the four items of information, and the signature method used to generate the digital signature;
The authorization server is configured to perform legitimacy verification on the access request and, if verification passes, to allow the third-party application server to access all user data contained in the sub-account in the access request;
Wherein the legitimacy verification comprises:
Digitally signing the four items of information using the signature method and comparing the result with the digital signature contained in the access request; if they are identical, determining that the access request is legitimate;
Determining whether the server identifier, user identifier and sub-account in the access request satisfy the correspondence among the authorization server, user identifier and authorized sub-account stored by the authorization server; if so, determining that the authorization server, user identifier and sub-account in the access request are legitimate;
Determining whether the access token matches the access token that the authorization server sent to the third-party application server; if so, determining that the access token is legitimate.
Further, if the user authorizes the third party in units of the user data contained in a sub-account, then when the legitimacy of the third party's access request is verified, the access request received by the authorization server also comprises user data, and the digital signature in the access request is specifically a digital signature generated from five items of information: the server identifier, the access token, the user identifier, the sub-account and the user data; then,
The legitimacy verification performed by the authorization server specifically comprises:
Digitally signing the five items of information using the signature method and comparing the result with the digital signature contained in the access request; if they are identical, determining that the access request is legitimate;
Determining whether the server identifier, user identifier, sub-account and user data in the access request satisfy the correspondence among the authorization server, user identifier, authorized sub-account and authorized user data stored by the authorization server; if so, determining that the authorization server, user identifier, sub-account and user data in the access request are legitimate;
Determining whether the access token matches the access token that the authorization server sent to the third-party application server; if so, determining that the access token is legitimate.
Further, to prevent replay attacks, when the legitimacy of the third party's access request is verified, the access request received by the authorization server also comprises a current timestamp; then,
The legitimacy verification performed by the authorization server further comprises:
Determining whether the current timestamp falls within a preset delay time period; if so, determining that the current timestamp is legitimate.
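The checks described in this embodiment (the selection check before the correspondence is stored, then the signature, correspondence, access token and timestamp checks on each access request) can be sketched as follows. This is an added example, not code from the patent; the HMAC-SHA256 signature method, the 300-second window, the inclusion of the timestamp in the signed fields, and all function, field and account names are assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Assumptions (not from the patent): HMAC with a per-server shared secret as the
# "signature method", a 300 s freshness window, and the timestamp included in the
# signed fields so that it cannot be rewritten on a replayed request.
ALLOWED_METHODS = {"HMAC-SHA256": hashlib.sha256}
MAX_AGE_SECONDS = 300


def sign(method, secret, fields):
    """Sign length-prefixed fields so that field boundaries cannot be shifted."""
    msg = b"".join(len(f.encode()).to_bytes(4, "big") + f.encode() for f in fields)
    return hmac.new(secret, msg, ALLOWED_METHODS[method]).hexdigest()


def signed_fields(req):
    """The five items of information plus the timestamp, in a fixed order."""
    return [req["server_id"], req["access_token"], req["user_id"], req["sub_account"],
            ",".join(sorted(req["user_data"])), str(req["timestamp"])]


def build_request(secret, server_id, token, user_id, sub_account, user_data,
                  timestamp, method="HMAC-SHA256"):
    """Third-party application server side: assemble and sign an access request."""
    req = {"server_id": server_id, "access_token": token, "user_id": user_id,
           "sub_account": sub_account, "user_data": list(user_data),
           "timestamp": timestamp, "method": method}
    req["signature"] = sign(method, secret, signed_fields(req))
    return req


class AuthorizationServer:
    def __init__(self, server_secrets, user_sub_accounts):
        self.server_secrets = server_secrets        # server_id -> secret bytes
        self.user_sub_accounts = user_sub_accounts  # user_id -> {sub_account: set of data items}
        self.grants = {}                            # (server_id, user_id, sub_account) -> grant

    def record_grant(self, server_id, user_id, sub_account, data_items):
        """Store the correspondence only if the client's selection is really the user's."""
        owned = self.user_sub_accounts.get(user_id, {})
        if sub_account not in owned:
            raise ValueError("authorized sub-account is not one of the user's sub-accounts")
        if not set(data_items) <= owned[sub_account]:
            raise ValueError("authorized user data is not contained in the sub-account")
        token = secrets.token_urlsafe(32)
        self.grants[(server_id, user_id, sub_account)] = {"data": set(data_items),
                                                          "token": token}
        return token

    def verify_access_request(self, req, now=None):
        """Return (allowed, reason) for an access request forwarded by the gateway."""
        now = time.time() if now is None else now
        # The request names its own signature method, so accept only known ones.
        if req.get("method") not in ALLOWED_METHODS:
            return False, "unsupported signature method"
        secret = self.server_secrets.get(req["server_id"])
        if secret is None:
            return False, "unknown server"
        expected = sign(req["method"], secret, signed_fields(req))
        if not hmac.compare_digest(expected.encode(), str(req["signature"]).encode()):
            return False, "bad signature"
        if abs(now - req["timestamp"]) > MAX_AGE_SECONDS:
            return False, "stale timestamp"
        grant = self.grants.get((req["server_id"], req["user_id"], req["sub_account"]))
        if grant is None:
            return False, "no matching grant"
        if not set(req["user_data"]) <= grant["data"]:
            return False, "data outside grant"
        if not hmac.compare_digest(grant["token"].encode(), str(req["access_token"]).encode()):
            return False, "bad access token"
        return True, "ok"


if __name__ == "__main__":
    # Constructed sample data: one application, one user with two sub-accounts.
    key = b"constructed-demo-secret"
    srv = AuthorizationServer({"app-1": key},
                              {"u-42": {"photos": {"album-a", "album-b"}, "mail": {"inbox"}}})
    tok = srv.record_grant("app-1", "u-42", "photos", ["album-a"])
    ts = int(time.time())
    print(srv.verify_access_request(build_request(key, "app-1", tok, "u-42", "photos", ["album-a"], ts)))
    print(srv.verify_access_request(build_request(key, "app-1", tok, "u-42", "mail", ["inbox"], ts)))
```

A correctly signed request still fails when it names a sub-account or data item outside the stored correspondence, which is why the signature check alone is not sufficient.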
The present invention can be described in the general context of computer-executable instructions, such as program modules. Generally, program modules include routines, programs, objects, components, data structures and the like that perform particular tasks or implement particular abstract data types. The present invention can also be practiced in distributed computing environments, in which tasks are performed by remote processing devices connected through a communication network. In a distributed computing environment, program modules may be located in both local and remote computer storage media, including storage devices.
It should be noted that, in this document, relational terms such as first and second are used only to distinguish one entity or operation from another, and do not necessarily require or imply any actual relationship or order between these entities or operations. Moreover, the terms "comprise", "include" or any other variant thereof are intended to cover non-exclusive inclusion, so that a process, method, article or device comprising a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element defined by the statement "comprising ..." does not exclude the presence of other identical elements in the process, method, article or device that comprises the element.
As for the device embodiments, since they basically correspond to the method embodiments, the relevant parts can be found in the description of the method embodiments. The device embodiments described above are merely illustrative: the units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; they may be located in one place or distributed over multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art can understand and implement it without creative effort.
The above is only a specific embodiment of the present invention. It should be pointed out that those of ordinary skill in the art may make several improvements and modifications without departing from the principles of the present invention, and these improvements and modifications shall also be regarded as falling within the protection scope of the present invention.
Claims (20)
1. A user data authorization method, characterized by comprising:
An authorization server receiving an authorization request sent by a third-party application server, the authorization request comprising a server identifier and a server address;
Sending an identity authentication request to an authentication gateway, so that the authentication gateway authenticates the identity of the client user;
Receiving the identity authentication response returned by the authentication gateway, the identity authentication response comprising the user identifier of the authenticated user, the user identifier being obtained by converting the user name of the authenticated user;
Searching the authorization server for the user sub-accounts that match the user identifier and sending them to the client, for the client user to select an authorized sub-account;
Receiving the authorized sub-account returned by the client, and establishing and storing the correspondence among the server identifier, the user identifier and the authorized sub-account;
Using the server address to send the user identifier, the authorized sub-account and an access token representing access rights to the third-party application server.
2. The method according to claim 1, characterized in that the authentication gateway authenticating the identity of the client user specifically comprises:
Obtaining the login state of the client user; if the user has successfully logged in, determining that the user is an authenticated user; if the user has not successfully logged in, prompting the user to perform user name and password verification and, after the user name and password are verified, determining that the user is an authenticated user;
Converting the user name of the authenticated user into a user identifier, adding the user identifier to the identity authentication response, and sending it to the authorization server.
3. The method according to claim 1, characterized in that the method further comprises: after receiving the authorized sub-account returned by the client,
Sending the user data contained in the authorized sub-account to the client, for the client user to select authorized user data; then,
The establishing and storing of the correspondence specifically comprises: after receiving the authorized user data returned by the client, establishing and storing the correspondence among the server identifier, the user identifier, the authorized sub-account and the authorized user data;
The information sent to the third-party application server using the server address is specifically: the user identifier, the authorized sub-account, the authorized user data and the access token.
4. The method according to claim 3, characterized in that the method further comprises: before establishing and storing the correspondence among the server identifier, the user identifier, the authorized sub-account and the authorized user data,
Determining whether the authorized sub-account is contained in the user sub-accounts, and whether the authorized user data is contained in the user data; if both determinations are yes, continuing with the step of establishing and storing the correspondence.
5. The method according to claim 1, characterized in that using the server address to send the user identifier, the authorized sub-account and the access token to the third-party application server specifically comprises:
Generating an authorization code, and using the server address to send the user identifier, the authorized sub-account and the authorization code to the third-party application server;
Receiving the server identifier and authorization code sent by the third-party application server; if the server identifier matches the server identifier in the authorization request and the authorization code matches the generated authorization code, sending the access token to the third-party application server.
6. The method according to any one of claims 1-5, characterized in that the method further comprises:
Receiving the access request sent by the third-party application server and forwarded by an open platform gateway, the access request comprising four items of information (the server identifier, the access token, the user identifier and the sub-account), the digital signature of the four items of information, and the signature method used to generate the digital signature;
Performing legitimacy verification on the access request and, if verification passes, allowing the third-party application server to access all user data contained in the sub-account in the access request;
Wherein the legitimacy verification comprises:
Digitally signing the four items of information using the signature method and comparing the result with the digital signature contained in the access request; if they are identical, determining that the access request is legitimate;
Determining whether the server identifier, user identifier and sub-account in the access request satisfy the correspondence among the authorization server, user identifier and authorized sub-account stored by the authorization server; if so, determining that the authorization server, user identifier and sub-account in the access request are legitimate;
Determining whether the access token matches the access token that the authorization server sent to the third-party application server; if so, determining that the access token is legitimate.
7. The method according to claim 6, characterized in that the method further comprises:
The access request further comprises user data; then,
The digital signature in the access request is specifically a digital signature generated from five items of information: the server identifier, the access token, the user identifier, the sub-account and the user data;
The legitimacy verification specifically comprises:
Digitally signing the five items of information using the signature method and comparing the result with the digital signature contained in the access request; if they are identical, determining that the access request is legitimate;
Determining whether the server identifier, user identifier, sub-account and user data in the access request satisfy the correspondence among the authorization server, user identifier, authorized sub-account and authorized user data stored by the authorization server; if so, determining that the authorization server, user identifier, sub-account and user data in the access request are legitimate;
Determining whether the access token matches the access token that the authorization server sent to the third-party application server; if so, determining that the access token is legitimate.
8. The method according to claim 6, characterized in that the method further comprises:
The access request further comprises a current timestamp; then,
The legitimacy verification further comprises:
Determining whether the current timestamp falls within a preset delay time period; if so, determining that the current timestamp is legitimate.
9. A user data authorization device, characterized by comprising:
An authorization request receiving unit, configured to receive an authorization request sent by a third-party application server, the authorization request comprising a server identifier and a server address;
An authentication request sending unit, configured to send an identity authentication request to an authentication gateway, so that the authentication gateway authenticates the identity of the client user;
An authentication response receiving unit, configured to receive the identity authentication response returned by the authentication gateway, the identity authentication response comprising the user identifier of the authenticated user, the user identifier being obtained by converting the user name of the authenticated user;
A search unit, configured to search the authorization server for the user sub-accounts that match the user identifier and send them to the client, for the client user to select an authorized sub-account;
A correspondence establishing unit, configured to receive the authorized sub-account returned by the client, and to establish and store the correspondence among the server identifier, the user identifier and the authorized sub-account;
An authorization information sending unit, configured to use the server address to send the user identifier, the authorized sub-account and an access token representing access rights to the third-party application server.
10. The device according to claim 9, characterized in that the device further comprises:
A user data sending unit, configured to send the user data contained in the authorized sub-account to the client, for the client user to select authorized user data;
The correspondence establishing unit is configured to establish and store, after receiving the authorized user data returned by the client, the correspondence among the server identifier, the user identifier, the authorized sub-account and the authorized user data;
The authorization information sending unit is configured to use the server address to send the user identifier, the authorized sub-account, the authorized user data and the access token to the third-party application server.
11. The device according to claim 10, characterized in that the device further comprises:
A judging unit, configured to determine whether the authorized sub-account is contained in the user sub-accounts, and whether the authorized user data is contained in the user data; if both determinations are yes, to notify the correspondence establishing unit to establish and store the correspondence.
12. The device according to claim 9, characterized in that the authorization information sending unit specifically comprises:
An authorization code generating unit, configured to generate an authorization code;
A communication unit, configured to use the server address to send the user identifier, the authorized sub-account and the authorization code to the third-party application server, and to receive the server identifier and authorization code sent by the third-party application server;
A comparing unit, configured to compare whether the server identifier matches the server identifier of the authorization request and whether the authorization code matches the generated authorization code; if both match, the access token is sent to the third-party application server.
13. The device according to any one of claims 9-12, characterized in that the device further comprises:
An access request receiving unit, configured to receive the access request sent by the third-party application server and forwarded by an open platform gateway, the access request comprising four items of information (the server identifier, the access token, the user identifier and the sub-account), the digital signature of the four items of information, and the signature method used to generate the digital signature;
A verification unit, configured to perform legitimacy verification on the access request and, if verification passes, to allow the third-party application server to access all user data contained in the sub-account in the access request;
Wherein the legitimacy verification comprises:
Digitally signing the four items of information using the signature method and comparing the result with the digital signature contained in the access request; if they are identical, determining that the access request is legitimate;
Determining whether the server identifier, user identifier and sub-account in the access request satisfy the correspondence among the authorization server, user identifier and authorized sub-account stored by the authorization server; if so, determining that the authorization server, user identifier and sub-account in the access request are legitimate;
Determining whether the access token matches the access token that the authorization server sent to the third-party application server; if so, determining that the access token is legitimate.
14. A user data authorization system, characterized in that the system comprises: an authorization server, a third-party application server, an authentication gateway and a client,
The authorization server is configured to receive the authorization request sent by the third-party application server and to send an identity authentication request to the authentication gateway, so that the authentication gateway authenticates the identity of the client user, the authorization request comprising a server identifier and a server address;
The authentication gateway is configured to authenticate the identity of the client user and to send to the authorization server an identity authentication response comprising the user identifier of the authenticated user, the user identifier being obtained by converting the user name of the authenticated user;
The authorization server is further configured to receive the identity authentication response, search for the user sub-accounts that match the user identifier, and send them to the client;
The client is configured to receive the user sub-accounts, select an authorized sub-account from them, and send it to the authorization server;
The authorization server is further configured to receive the authorized sub-account returned by the client, and to establish and store the correspondence among the server identifier, the user identifier and the authorized sub-account; and to use the server address to send the user identifier, the authorized sub-account and an access token representing access rights to the third-party application server.
15. The system according to claim 14, characterized in that the authentication gateway specifically comprises:
A login state obtaining unit, configured to obtain the login state of the client user; if the user has successfully logged in, to determine that the user is an authenticated user; if the user has not successfully logged in, to prompt the user to perform user name and password verification and, after the user name and password are verified, to determine that the user is an authenticated user;
A converting unit, configured to convert the user name of the authenticated user into a user identifier, add the user identifier to the identity authentication response, and send it to the authorization server.
16. The system according to claim 14, characterized in that,
The authorization server is further configured to send the user data contained in the authorized sub-account to the client and, after receiving the authorized user data returned by the client, to establish and store the correspondence among the server identifier, the user identifier, the authorized sub-account and the authorized user data; and to use the server address to send the user identifier, the authorized sub-account, the authorized user data and the access token to the third-party application server.
17. The system according to claim 16, characterized in that,
The authorization server is further configured to determine whether the authorized sub-account is contained in the user sub-accounts, and whether the authorized user data is contained in the user data; if both determinations are yes, to continue with the step of establishing and storing the correspondence.
18. The system according to any one of claims 14-17, characterized in that the system further comprises an open platform gateway;
The open platform gateway is configured to receive the access request sent by the third-party application server and forward it to the authorization server, the access request comprising four items of information (the server identifier, the access token, the user identifier and the sub-account), the digital signature of the four items of information, and the signature method used to generate the digital signature;
The authorization server is configured to perform legitimacy verification on the access request and, if verification passes, to allow the third-party application server to access all user data contained in the sub-account in the access request;
Wherein the legitimacy verification comprises:
Digitally signing the four items of information using the signature method and comparing the result with the digital signature contained in the access request; if they are identical, determining that the access request is legitimate;
Determining whether the server identifier, user identifier and sub-account in the access request satisfy the correspondence among the authorization server, user identifier and authorized sub-account stored by the authorization server; if so, determining that the authorization server, user identifier and sub-account in the access request are legitimate;
Determining whether the access token matches the access token that the authorization server sent to the third-party application server; if so, determining that the access token is legitimate.
19. The system according to claim 18, characterized in that,
The access request received by the authorization server further comprises user data, and the digital signature in the access request is specifically a digital signature generated from five items of information: the server identifier, the access token, the user identifier, the sub-account and the user data;
Then, the legitimacy verification performed by the authorization server specifically comprises:
Digitally signing the five items of information using the signature method and comparing the result with the digital signature contained in the access request; if they are identical, determining that the access request is legitimate;
Determining whether the server identifier, user identifier, sub-account and user data in the access request satisfy the correspondence among the authorization server, user identifier, authorized sub-account and authorized user data stored by the authorization server; if so, determining that the authorization server, user identifier, sub-account and user data in the access request are legitimate;
Determining whether the access token matches the access token that the authorization server sent to the third-party application server; if so, determining that the access token is legitimate.
20. The system according to claim 18, characterized in that,
The access request received by the authorization server further comprises a current timestamp;
Then, the legitimacy verification performed by the authorization server further comprises:
Determining whether the current timestamp falls within a preset delay time period; if so, determining that the current timestamp is legitimate.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201210137848.XA CN102638473B (en) | 2012-05-04 | 2012-05-04 | User data authorization method, device and system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN102638473A (en) | 2012-08-15 |
CN102638473B (en) | 2014-12-10 |
Family
ID=46622716
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201210137848.XA Active CN102638473B (en) | 2012-05-04 | 2012-05-04 | User data authorization method, device and system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN102638473B (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US11218314B2 (en) | 2017-09-28 | 2022-01-04 | Huawei Technologies Co., Ltd. | Network function service invocation method, apparatus, and system |
US12093419B2 (en) | 2018-09-03 | 2024-09-17 | VeChain Global Technology, S.AR.L | Methods and devices for managing user identity authentication data |
Families Citing this family (44)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103020505B (en) * | 2012-12-03 | 2016-02-03 | 鹤山世达光电科技有限公司 | Based on information management system and the approaches to IM of finger print identifying |
CN107070945B (en) * | 2013-06-19 | 2021-06-22 | 华为技术有限公司 | Identity login method and equipment |
CN104253686B (en) * | 2013-06-25 | 2017-12-29 | 华为技术有限公司 | Method, equipment and the system that account logs in |
CN103490898B (en) * | 2013-09-22 | 2017-01-18 | 新浪网技术(中国)有限公司 | E-mail collection authorization method, device and system |
CN104869102B (en) * | 2014-02-24 | 2019-04-02 | 腾讯科技(北京)有限公司 | Authorization method, device and system based on xAuth agreement |
CN103888451B (en) * | 2014-03-10 | 2017-09-26 | 百度在线网络技术(北京)有限公司 | Authorization method, the apparatus and system of certification |
CN105306498B (en) * | 2014-06-12 | 2019-04-16 | 中国电信股份有限公司 | Method, system and the cloud platform of user's access third-party application |
CN105516069B (en) * | 2014-09-28 | 2020-10-09 | 腾讯科技(深圳)有限公司 | Data processing method, device and system |
CN105488366B (en) * | 2014-10-13 | 2019-12-10 | 阿里巴巴集团控股有限公司 | Data authority control method and system |
CN104320265B (en) * | 2014-11-21 | 2017-10-24 | 北京奇虎科技有限公司 | Authentication method and authentication device for software platform |
CN105704108B (en) * | 2014-11-28 | 2019-02-12 | 中国电信股份有限公司 | Method, capability open platform and system for security authentication |
CN104468635B (en) * | 2014-12-31 | 2018-01-26 | 广州东海网络科技有限公司 | The user right step-up authentication method and system of the network platform |
CN104702415B (en) * | 2015-03-31 | 2018-12-14 | 北京奇艺世纪科技有限公司 | account authority control method and device |
DE102015209116A1 (en) * | 2015-05-19 | 2016-11-24 | Robert Bosch Gmbh | Method and update gateway for updating an embedded controller |
FR3039954A1 (en) * | 2015-08-05 | 2017-02-10 | Orange | METHOD AND DEVICE FOR IDENTIFYING VISIT AND HOME AUTHENTICATION SERVERS |
CN105187417B (en) * | 2015-08-25 | 2018-10-02 | 北京京东尚科信息技术有限公司 | Authority acquiring method and apparatus |
CN106603462B (en) * | 2015-10-13 | 2020-09-04 | 腾讯科技(深圳)有限公司 | API calling method, device and system |
US9800580B2 (en) * | 2015-11-16 | 2017-10-24 | Mastercard International Incorporated | Systems and methods for authenticating an online user using a secure authorization server |
CN105391725A (en) * | 2015-11-27 | 2016-03-09 | 深圳市摩艾客科技股份有限公司 | Real person 3D data reading module and data transmission method thereof |
JP6677496B2 (en) * | 2015-12-08 | 2020-04-08 | キヤノン株式会社 | Authentication federation system and authentication federation method, authorization server, application server and program |
CN106936779A (en) * | 2015-12-29 | 2017-07-07 | 北京网御星云信息技术有限公司 | A kind of data connecting method, system and device |
CN107273189A (en) * | 2016-04-06 | 2017-10-20 | 泰康之家(北京)投资有限公司 | A kind of method for managing subapplication and application carry platform |
CN107276963B (en) * | 2016-04-06 | 2021-09-03 | 泰康之家(北京)投资有限公司 | Method and device for updating authority |
CN107545431A (en) * | 2016-06-27 | 2018-01-05 | 李明 | Transaction authorisation method and system and method for commerce and system |
CN107124433B (en) * | 2017-07-04 | 2019-08-06 | 中国联合网络通信集团有限公司 | Internet of things system, access method of Internet of things device, access authorization method and device |
CN109511115B (en) | 2017-09-14 | 2020-09-29 | 华为技术有限公司 | An authorization method and network element |
CN109587364A (en) * | 2017-09-29 | 2019-04-05 | 中国移动通信集团公司 | Handle method, server and the equipment of data on flows red packet |
CN107590662B (en) * | 2017-11-03 | 2021-01-15 | 中国银行股份有限公司 | Authentication method for calling online bank system, authentication server and system |
CN107885985A (en) * | 2017-11-23 | 2018-04-06 | 维沃移动通信有限公司 | A kind of application program account sharing method and terminal |
CN110224971B (en) * | 2018-03-02 | 2022-05-27 | 阿里巴巴集团控股有限公司 | Method, authorization server, system, device and storage medium for authorizing login |
CN108920366B (en) * | 2018-06-28 | 2020-09-29 | 腾讯科技(深圳)有限公司 | Sub-application debugging method, device and system |
CN109150864B (en) * | 2018-08-03 | 2021-07-20 | 中国联合网络通信集团有限公司 | Anti-cheating method and device based on secondary authentication |
CN109033774B (en) * | 2018-08-31 | 2020-08-07 | 阿里巴巴集团控股有限公司 | Method and device for acquiring and feeding back user resources and electronic equipment |
CN109472547A (en) * | 2018-10-16 | 2019-03-15 | 平安万家医疗投资管理有限责任公司 | An itinerary management method, an itinerary management device and a server |
CN109347729A (en) * | 2018-12-06 | 2019-02-15 | 维沃移动通信有限公司 | A communication method and terminal |
CN110245474B (en) * | 2019-04-19 | 2023-07-14 | 创新先进技术有限公司 | Processing method and system for public account |
CN110334153B (en) * | 2019-06-28 | 2020-09-01 | 阿里巴巴集团控股有限公司 | Authorization method, system, device and equipment in block chain type account book |
CN111031332B (en) * | 2019-11-26 | 2021-09-10 | 北京达佳互联信息技术有限公司 | Data interaction method, device, server and storage medium |
CN111259363B (en) * | 2020-01-19 | 2022-10-28 | 数字广东网络建设有限公司 | Service access information processing method, system, device, equipment and storage medium |
CN114820016A (en) * | 2021-01-29 | 2022-07-29 | 腾讯科技(深圳)有限公司 | A data processing method, server and computer-readable storage medium |
CN113746857B (en) * | 2021-09-09 | 2023-04-18 | 深圳市腾讯网域计算机网络有限公司 | Login method, device, equipment and computer readable storage medium |
CN116107270A (en) * | 2021-11-11 | 2023-05-12 | 上海宝信软件股份有限公司 | Unified Authorization Method and System in Multi-Base Industrial Scenario of Headquarters |
CN114448720B (en) * | 2022-03-09 | 2024-07-16 | 北京京东振世信息技术有限公司 | Account registration method and device |
CN114793179B (en) * | 2022-05-09 | 2024-07-02 | 北京明略昭辉科技有限公司 | Method and system for tenant access, server and storage medium |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1459068A (en) * | 2000-08-17 | 2003-11-26 | 丹尼尔·A·克恩 | automatic payment system |
CN101562621A (en) * | 2009-05-25 | 2009-10-21 | 阿里巴巴集团控股有限公司 | User authorization method and system and device thereof |
- 2012-05-04 CN CN201210137848.XA patent/CN102638473B/en Active
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US11218314B2 (en) | 2017-09-28 | 2022-01-04 | Huawei Technologies Co., Ltd. | Network function service invocation method, apparatus, and system |
US11956361B2 (en) | 2017-09-28 | 2024-04-09 | Huawei Technologies Co., Ltd. | Network function service invocation method, apparatus, and system |
US12093419B2 (en) | 2018-09-03 | 2024-09-17 | VeChain Global Technology, S.AR.L | Methods and devices for managing user identity authentication data |
Also Published As
Publication number | Publication date |
---|---|
CN102638473A (en) | 2012-08-15 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN102638473B (en) | | User data authorization method, device and system |
KR101195651B1 (en) | | System and method for authenticating remote server access |
CN101075875B (en) | | Method and system for realizing monopoint login between gate and system |
CN102821085B (en) | | Third party authorizes login method, open platform and system |
CN101183932B (en) | | Security identification system of wireless application service and login and entry method thereof |
CN105187431B (en) | | Login method, server, client and the communication system of third-party application |
CN104917727B (en) | | A kind of method, system and device of account's authentication |
CN103581184B (en) | | The method and system of mobile terminal accessing corporate intranet server |
US20210168611A1 (en) | | Method for securely sharing a url |
US20080301444A1 (en) | | Apparatus and Method for Providing Personal Information Sharing Service Using Signed Callback Url Message |
CN101087193A (en) | | New method for using the mobile number bond with account for identity identification |
CN105554098A (en) | | Device configuration method, server and system |
CN102868702B (en) | | System login device and system login method |
JP2009519515A (en) | | Method, system, and apparatus for protecting a service account |
JP4960738B2 (en) | | Authentication system, authentication method, and authentication program |
US9332432B2 (en) | | Methods and system for device authentication |
JP2014504069A (en) | | Method, apparatus, and system for verifying a communication session |
CN101883106A (en) | | Network access authentication method and server based on digital certificate |
CN104125230B (en) | | A kind of short message certification service system and authentication method |
CN103200150A (en) | | Identity authentication method and system |
CN105429979A (en) | | Cross-platform user certificating method and intelligent router, Internet surfing system |
JP2007058469A (en) | | Authentication system, authentication server, authentication method, and authentication program |
KR101133167B1 (en) | | Method and apparatus for user verifing process with enhanced security |
EP3123758B1 (en) | | User equipment proximity requests authentication |
CN108574657A (en) | | Method, apparatus, system and the computing device and server of access server |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | C06 | Publication | |
| | PB01 | Publication | |
| | C10 | Entry into substantive examination | |
| | SE01 | Entry into force of request for substantive examination | |
| | C14 | Grant of patent or utility model | |
| | GR01 | Patent grant | |