CN103124252B - Client application access authentication treating method and apparatus - Google Patents
- Publication number
- CN103124252B
- Authority
- CN
- China
- Prior art keywords
- client application
- specific user
- access
- authentication processing
- business
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Fee Related
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
Landscapes
- Engineering & Computer Science (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Telephonic Communication Services (AREA)
Abstract
Embodiments of the present invention provide a client application access authentication processing method and device, as well as a client application service processing device and a client application device. The method includes: receiving a first authorization request message, sent by a client application device, requesting that a specific user or a third party authorize use of a client application service; sending a second authorization request message to the user equipment of the specific user or to a third-party device, the second authorization request message requesting that the specific user or third party authorize use of the client application service; and receiving an authorization result returned by the user equipment of the specific user or the third-party device, and determining according to the authorization result whether to allow the client application device to provide the client application service to the specific user. The technical solution of the invention can improve the security with which an SP uses the operator's telecommunication network capabilities to provide services to target users.
Description
Technical field
The embodiments of the present invention relate to the field of communication technologies, and in particular to a client application access authentication processing method and device.
Background
With the advent of the mobile Internet era, the Internet and telecommunication networks are becoming ever more closely integrated. A growing variety of Internet applications and terminal applications has emerged on the Internet and on user terminals, such as Web applications, terminal Widget applications, and native terminal applications. These applications usually need to access the operator's telecommunication network capabilities to implement specific service features. For example, a Widget application for traffic information queries needs to be able to send an MMS message carrying a traffic route map to a mobile phone user. Operators therefore need a secure, open, and controllable means of allowing client applications to access the operator's telecommunication network capabilities.
In the prior art, the operator's telecommunication network capabilities are opened mainly to the service application servers of trusted service providers (Service Provider, hereinafter: SP). The SP's various Internet applications and terminal applications provide services to users, and access to the operator's network capabilities mainly follows this process: the SP's service application server sends an access request to the operator's network operation platform, requesting invocation of the operator's telecommunication network capabilities; for example, the SP's web application server may request that a telecommunication network capability be invoked to send a mobile newspaper in MMS form. The access request sent by the SP's service application server carries the SP's identity, a password, and the target user's mobile phone number. After authenticating the SP, the operator's network operation platform uses the telecommunication network capabilities to provide the target user with the service the SP requested, as required by the SP's service application server, and then charges for the service provided to the target user.
In the prior art, the scheme in which the SP uses the operator's telecommunication network capabilities to provide services to target users has poor security and is easily used by the SP to provide some illegal services.
Summary of the invention
Embodiments of the present invention provide a client application access authentication processing method and device, as well as a client application service processing device and a client application device, to improve the security of the scheme in which an SP uses the operator's telecommunication network capabilities to provide services to target users.
An embodiment of the present invention provides a client application access authentication processing method, including:
receiving a first authorization request message, sent by a client application device, requesting that a specific user or a third party authorize use of a client application service;
sending a second authorization request message to the user equipment of the specific user or to a third-party device, where the second authorization request message requests that the specific user or third party authorize use of the client application service;
receiving an authorization result returned by the user equipment of the specific user or the third-party device, and determining according to the authorization result whether to allow the client application device to provide the client application service to the specific user.
An embodiment of the present invention also provides a client application access authentication processing device, including:
a first receiving module, configured to receive a first authorization request message, sent by a client application device, requesting that a specific user or a third party authorize use of a client application service;
a first sending module, configured to send a second authorization request message to the user equipment of the specific user or to a third-party device, where the second authorization request message requests that the specific user or third party authorize use of the client application service;
a service authorization module, configured to receive an authorization result returned by the user equipment of the specific user or the third-party device, and to determine according to the authorization result whether to allow the client application device to provide the client application service to the specific user.
An embodiment of the present invention also provides a client application service processing device, including the above client application access authentication processing device and a telecommunication network open gateway module. After receiving an invocation request message carrying an access password from a client application device, the telecommunication network open gateway module sends the client application access authentication processing device an authentication request message asking it to authenticate the access password, and, once authentication passes, invokes the telecommunication network capability for the client application device.
An embodiment of the present invention also provides a client application device, including a telecommunication network access authentication processing module and a telecommunication network service invocation module. The telecommunication network access authentication processing module is configured to send the telecom operator's network system a first authorization request message requesting that a specific user or a third party authorize use of a client application service and, when the specific user accepts the client application service, to obtain an access password that permits invoking the telecommunication network capability to provide the client application service to the specific user. The telecommunication network service invocation module is configured to send the telecom operator's network system an invocation request message carrying the access password, where the invocation request message requests invocation of the telecommunication network capability to provide the client application service to the specific user.
In the above technical solution of the present invention, if the SP's client application device wants to provide a client application service to a user, it first sends a first authorization request message. The message is handled by the client application access authentication processing device located in the telecom operator's network system, which sends a second authorization request message to the user equipment of the specific user or to a third-party device, asking whether the specific user or third party authorizes use of the client application service. It then determines, according to the authorization result returned by the user equipment of the specific user or the third-party device, whether to allow the client application device to provide the client application service to the specific user. As a result, every client application service that the client application device provides to the specific user has been authorized by that user or a third party, which improves the security of the client application services the SP provides to users.
Description of drawings
To illustrate the technical solutions in the embodiments of the present invention or in the prior art more clearly, the drawings used in the description of the embodiments or the prior art are briefly introduced below. The drawings described below show some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
FIG. 1 is a schematic flowchart of Embodiment 1 of the client application access authentication processing method of the present invention;
FIG. 2 is a schematic flowchart of Embodiment 2 of the client application access authentication processing method of the present invention;
FIG. 3 is a schematic flowchart of Embodiment 3 of the client application access authentication processing method of the present invention;
FIG. 4 is a schematic structural diagram of Embodiment 1 of the client application access authentication processing device of the present invention;
FIG. 5 is a schematic structural diagram of Embodiment 2 of the client application access authentication processing device of the present invention;
FIG. 6 is a schematic structural diagram of an embodiment of the client application service processing device of the present invention;
FIG. 7 is a schematic structural diagram of an embodiment of the client application device of the present invention.
Detailed description
To make the purpose, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings. The described embodiments are some, not all, of the embodiments of the present invention. All other embodiments obtained by persons of ordinary skill in the art from these embodiments without creative effort fall within the protection scope of the present invention.
To address the poor security in the prior art when an SP uses the operator's telecommunication network capabilities to provide services to users, the embodiments of the present invention provide a solution that adds a client application access authentication processing device to the telecom operator's network system. FIG. 1 is a schematic flowchart of Embodiment 1 of the client application access authentication processing method of the present invention. As shown in FIG. 1, the method includes the following steps:
Step 101. Receive a first authorization request message, sent by a client application device, requesting that a specific user or a third party authorize use of a client application service;
Step 102. Send a second authorization request message to the user equipment of the specific user or to a third-party device, where the second authorization request message requests that the specific user or third party authorize use of the client application service;
Step 103. Receive an authorization result returned by the user equipment of the specific user or the third-party device, and determine according to the authorization result whether to allow the client application device to provide the client application service to the specific user.
In the above embodiment, if the SP's client application device wants to provide a client application service to the client user, it first sends a first authorization request message. The message is handled by the client application access authentication processing device located in the telecom operator's network system, which sends a second authorization request message to the user equipment of the specific user or to a third-party device, asking whether the specific user or third party authorizes use of the client application service. It then determines, according to the returned authorization result, whether to allow the client application device to provide the client application service to the specific user. As a result, every client application service that the client application device provides to the specific user has been authorized by that user or a third party, which improves the security of the client application services the SP provides to users.
In the above embodiment, the second authorization request message may be sent to user equipment held by the specific user, so that the specific user confirms whether to accept the client application service, or the confirmation may come from a third party. For example, the third-party device may be a device held by the specific user's manager, who confirms whether the specific user accepts the client application service; or the operator's server may act as the third-party device, in which case the operator determines whether the specific user accepts the client application service.
In the above embodiment, the operator can decide, according to the wishes of the specific user or third party, whether to provide the client application service, that is, whether to allow the client application device to access the telecommunication network capabilities. A corresponding telecommunication network access authentication processing device can be provided in the client application device to perform the corresponding processing. In a specific implementation, the client application device's access to the telecommunication network can be controlled by assigning it an access password, and there are two implementations.
In the first, before sending the first authorization request message requesting that a specific user authorize use of the client application service, the client application device first sends a first password application message to the client application access authentication processing device in the telecom operator's network system. On receiving the first password application message, the client application access authentication processing device returns to the client application device the first access password assigned to it. This first access password can be regarded as a temporary password that has not taken effect: the client application device cannot use it to access the operator's telecommunication network capabilities. Only when the user equipment of the specific user or the third-party device returns an authorization result, and the result is that the specific user accepts the client application service, is the nature of the first access password changed in the local system to an official password, authorizing the client application device to use the first access password to access the telecommunication network capabilities and provide the client application service to the specific user.
The client application device can then use the first access password to carry out the client application service. Specifically, the client application device sends a service request message carrying the first access password to the first service processing module in the telecom operator's network system. On receiving the service request message and confirming that the first access password is usable, the first service processing module allows the client application device to access the telecommunication network capabilities and provide the client application service to the specific user. Specifically, it can confirm with the client application access authentication processing device in the telecom operator's network system whether the first access password is usable.
The second implementation differs from the first as follows. When the authorization result is that the specific user accepts the client application service, the operator's client application access authentication processing device does not change the nature of the first access password. Instead, it generates a verification code corresponding to the first access password and sends the verification code to the client application device. After receiving a second password application message from the client application device carrying the first access password and the verification code, it returns a second access password to the client application device. The second access password is an official password that authorizes the client application device to access the telecommunication network capabilities and provide the client application service to the specific user.
Specifically, when the second access password is used, the client application device sends a service request message carrying the second access password to the second service processing module in the telecom operator's network system. On receiving the service request message and confirming that the second access password is usable, the second service processing module allows the client application device to access the telecommunication network capabilities and provide the client application service to the specific user. Specifically, it can confirm with the client application access authentication processing device in the telecom operator's network system whether the second access password is usable.
In the above embodiments, after receiving the authorization result returned by the user equipment of the specific user or the third-party device and confirming that the result is that the specific user accepts the client application service, the device may additionally authenticate the identity of the specific user and return the authorization result to the client application device only after that authentication passes. Specifically, in the embodiment that uses a second access password, it may first generate the verification code corresponding to the first access password and then send the verification code to the client application device inside the authorization result.
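The two access-password schemes described above, modelled as an added Python example that is not code from the patent: a first access password stays unusable until the user or third party accepts, and is then either promoted in place or exchanged, together with a verification code, for a second access password. Class and method names, the token format and the user identifiers are assumptions; the per-user check in `is_usable` reflects the binding the patent describes for the gateway in step 209.

```python
import hmac
import secrets
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional


class State(Enum):
    TEMPORARY = "temporary"  # issued but not in effect
    OFFICIAL = "official"    # in effect: the user or third party accepted
    CONSUMED = "consumed"    # first password already exchanged (second scheme)


@dataclass
class Record:
    client_id: str
    state: State
    user_id: Optional[str] = None  # the specific user the grant is bound to
    code: Optional[str] = None     # verification code (second scheme only)


class AccessAuthHandler:
    """Hypothetical operator-side access authentication processing device."""

    def __init__(self) -> None:
        self._records: Dict[str, Record] = {}

    def issue_first_password(self, client_id: str) -> str:
        """First password application: hand out a temporary, unusable password."""
        token = secrets.token_urlsafe(32)
        self._records[token] = Record(client_id, State.TEMPORARY)
        return token

    def first_authorization_request(self, token: str, user_id: str) -> bool:
        """Record which specific user the client wants authorization from."""
        rec = self._records.get(token)
        if rec is None or rec.state is not State.TEMPORARY:
            return False
        rec.user_id = user_id
        return True

    def _pending(self, token: str, accepted: bool) -> Optional[Record]:
        """Return the record awaiting a result; drop it if the user refused."""
        rec = self._records.get(token)
        if rec is None or rec.state is not State.TEMPORARY or rec.user_id is None:
            return None
        if not accepted:
            del self._records[token]
            return None
        return rec

    def accept_and_promote(self, token: str, accepted: bool) -> bool:
        """First scheme: acceptance turns the temporary password official."""
        rec = self._pending(token, accepted)
        if rec is None:
            return False
        rec.state = State.OFFICIAL
        return True

    def accept_and_issue_code(self, token: str, accepted: bool) -> Optional[str]:
        """Second scheme: acceptance yields a verification code instead."""
        rec = self._pending(token, accepted)
        if rec is None:
            return None
        rec.code = secrets.token_urlsafe(16)
        return rec.code

    def exchange(self, first_token: str, code: str) -> Optional[str]:
        """Second password application: first password + code -> second password."""
        rec = self._records.get(first_token)
        if rec is None or rec.state is not State.TEMPORARY or rec.code is None:
            return None
        if not hmac.compare_digest(rec.code.encode(), code.encode()):
            return None
        rec.state, rec.code = State.CONSUMED, None  # one-time use, no replay
        second = secrets.token_urlsafe(32)
        self._records[second] = Record(rec.client_id, State.OFFICIAL, rec.user_id)
        return second

    def is_usable(self, token: str, user_id: str) -> bool:
        """Gateway check: official password, and bound to this very user."""
        rec = self._records.get(token)
        return (rec is not None and rec.state is State.OFFICIAL
                and rec.user_id == user_id)


if __name__ == "__main__":
    h = AccessAuthHandler()
    t = h.issue_first_password("sp-widget")        # constructed client id
    h.first_authorization_request(t, "user-A")     # constructed user id
    print("before acceptance:", h.is_usable(t, "user-A"))
    h.accept_and_promote(t, accepted=True)
    print("after acceptance: ", h.is_usable(t, "user-A"))
    print("other user:       ", h.is_usable(t, "user-B"))
```
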
FIG. 2 is a schematic flowchart of Embodiment 2 of the client application access authentication processing method of the present invention. As shown in FIG. 2, the method includes the following steps:
Step 201. Before accessing the operator's telecommunication network capabilities, the telecommunication network access authentication processing device of the client application device first applies to the client application access authentication processing device in the telecom operator's network system for a temporary password, that is, it sends a first password application message. Client application devices in the embodiments of the present invention can be divided by terminal type into mobile terminal clients, such as mobile phones and PDAs, and computer clients; by client application development language they can be divided into Widget application clients, JAVA application clients, Brew application clients, Web clients, and so on. The telecommunication network access authentication processing device is a functional module provided inside the client application device and dedicated to authenticating to the telecommunication network;
Step 202. After successfully authenticating the client application device, the client application access authentication processing device of the operator's network system returns the assigned first access password to the telecommunication network access authentication processing device. The first access password is a temporary password that has not taken effect, that is, the client application device cannot use it directly to access the telecommunication network;
Step 203. The telecommunication network access authentication processing device sends a first authorization request message to the client application access authentication processing device, requesting that a specific user or third party authorize use of the client application service;
Step 204. The client application access authentication processing device sends a second authorization request message to the user equipment of the specific user or to a third-party device, requesting that the specific user authorize use of the client application service. Specifically, the second authorization request message may be sent to the user equipment of the specific user by Web, Wireless Application Protocol (hereinafter: WAP), Unstructured Supplementary Service Data (hereinafter: USSD), Interactive Voice Response (hereinafter: IVR), or short message. Optionally, the second authorization request message may include information on the telecommunication network capability corresponding to the client application service, tariff information for using that capability, and the type of period for which use of the client application service is authorized, for example authorization for a single use of the client application service, for multiple uses, for use before a set deadline, or for use within a set time range;
Step 205. The specific user or third party performs the authorization operation and returns an authorization result to the client application access authentication processing device. For different request methods, the user can submit identity authentication information and authorize in different ways. For example, on a Web or WAP page the user can submit a personal user name and password and confirm on the page that they agree to use the client application service; for a short message request, the user can return the authorization result to the client application access authentication processing device in the telecom operator's network system by replying to the short message to confirm;
Step 206. The client application access authentication processing device identifies the authorization result returned by the user equipment of the specific user or the third-party device and, when the specific user accepts the client application service, authenticates the identity of the specific user;
Step 207. After the identity authentication of the specific user passes, the client application access authentication processing device returns the authorization result to the telecommunication network access authentication processing device and at the same time changes the nature of the first access password returned in step 202 to an official password, so that the client application device can access the telecommunication network to provide services to the specific user;
Step 208. The client application device uses the first access password to initiate an invocation request message. Specifically, the telecommunication network service invocation module of the client application device may send the invocation request message to the telecommunication network open gateway module in the telecom operator's network system to invoke the telecommunication network capability and access the operator's telecommunication network;
Step 209. After receiving the invocation request message, the telecommunication network open gateway module obtains the first access password carried in it and sends an authentication request message to the client application access authentication processing device. Further, because the first access password becomes an official password only after the specific user's authorization result is received, each first access password corresponds to a specific user and therefore only permits providing services to that user. The invocation request message in step 208 may additionally carry a user identifier, such as the SIM card number of the mobile phone the user uses. In this step the user identifier is also authenticated to determine whether it corresponds to the first access password, which prevents the client application device from using the first access password to provide services to other users;
步骤210、客户端应用访问鉴权处理装置对用户标识和第一访问口令的合法性、有效期进行认证;Step 210, the client application access authentication processing device authenticates the legitimacy and validity period of the user ID and the first access password;
步骤211、客户端应用访问鉴权处理装置向电信网络开放网关模块返回鉴权认证结果;Step 211, the client application access authentication processing device returns the authentication result to the telecommunications network open gateway module;
步骤212、电信网络开放网关模块在认证通过后,调用电信网络能力,并将调用结果返回给客户端应用设备,为特定用户提供服务。Step 212: After passing the authentication, the telecommunications network open gateway module invokes the telecommunications network capability, and returns the calling result to the client application device to provide services for specific users.
In the above embodiment, step 206 performs identity authentication on the specific user after the specific user accepts the client application service. In practice this step is optional: the identity authentication may be skipped, or it may be performed before the second authorization request message is sent to the specific user's user equipment or the third-party device in step 204, with the second authorization request message sent only after the identity authentication passes. In the above embodiment, the client application access authentication processing device may be placed in any of the gateway devices of the operator's network system; its specific location does not affect implementation of the technical solution of the present invention. In this embodiment, before a telecommunications network capability is invoked to provide the client application service for the specific user, authorization is first requested from the specific user or a third party, and the client application service is provided only after that authorization is obtained, which improves the security of the services the SP provides to users.
The embodiment shown in FIG. 2 corresponds to the scheme in which only the first access password is allocated. FIG. 3 is a schematic flowchart of Embodiment 3 of the client application access authentication processing method of the present invention, in which the client application access authentication processing device additionally allocates a second access password as the official password. As shown in FIG. 3, it includes the following steps:
Steps 301 to 306 perform essentially the same functions as steps 201 to 206 in the above embodiment.
Step 307: After the specific user's identity authentication passes, a verification code corresponding to the first access password is generated;
Step 308: An authorization result carrying the verification code is returned to the telecommunications network access authentication processing device;
Step 309: The telecommunications network access authentication processing device sends a second password application message carrying the first access password and the verification code to the operator's client application access authentication processing device;
Step 310: The client application access authentication processing device allocates a second access password. The second access password is an official password that authorizes the client application device to use it to access telecommunications network capabilities and to provide the client application service to the specific user;
Step 311: The client application access authentication processing device returns the second access password to the telecommunications network access authentication processing device;
Steps 312 to 316 perform essentially the same functions as steps 208 to 212 in the above embodiment; the only difference is that the telecommunications network access authentication processing device uses the second access password to initiate the invocation request message.
In this embodiment, a first access password and a second access password are allocated to the client application device in turn, and the client application device finally invokes the telecommunications network capability with the second access password to provide the client application service for the specific user, which improves the security of the client application services the SP provides to users.
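The two flows described above (FIG. 2, where the first access password is promoted in place, and FIG. 3, where a verification code is exchanged for a second access password), together with the gateway-side check of steps 209 to 210, can be modelled as follows. This is an added example, not code from the patent: the class and function names, the use of random bearer strings as access passwords, the retirement of the first password after exchange, and the one-attempt verification code are all assumptions of the example.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

SINGLE_USE, MULTI_USE = "single", "multi"  # two of the period types from step 204


@dataclass
class Grant:
    user_id: str                      # the specific user the password is bound to
    official: bool = False            # False = provisional, not yet authorized
    period_type: str = MULTI_USE
    expires_at: float = float("inf")  # deadline taken from the user's authorization
    used: bool = False


class AuthDevice:
    """Stand-in for the client application access authentication processing device."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.grants = {}  # access password -> Grant
        self.codes = {}   # first access password -> verification code (FIG. 3)

    def issue_first_password(self, user_id):
        """Allocate a provisional first access password (returned in step 202)."""
        password = secrets.token_urlsafe(32)
        self.grants[password] = Grant(user_id)
        return password

    def record_authorization(self, first_password, accepted,
                             period_type=MULTI_USE, expires_at=float("inf"),
                             two_passwords=False):
        """Steps 205-207 (FIG. 2) or 305-308 (FIG. 3): apply the user's answer."""
        grant = self.grants.get(first_password)
        if grant is None:
            return None
        if not accepted:
            del self.grants[first_password]  # refusal: the password never works
            self.codes.pop(first_password, None)
            return None
        grant.period_type, grant.expires_at = period_type, expires_at
        if not two_passwords:
            grant.official = True            # FIG. 2: promote in place
            return None
        code = secrets.token_urlsafe(16)     # FIG. 3: code tied to this password
        self.codes[first_password] = code
        return code

    def exchange(self, first_password, code):
        """Steps 309-311: trade first password + code for the second password."""
        # One attempt per code (this example's choice): a wrong guess burns it.
        expected = self.codes.pop(first_password, None)
        if expected is None or not hmac.compare_digest(expected.encode(), code.encode()):
            return None
        old = self.grants.pop(first_password, None)  # first password is retired
        if old is None:
            return None
        second = secrets.token_urlsafe(32)
        self.grants[second] = Grant(old.user_id, True, old.period_type, old.expires_at)
        return second

    def authenticate(self, password, user_id):
        """Step 210: check legitimacy, user binding and validity period."""
        grant = self.grants.get(password)
        if grant is None or not grant.official:
            return False
        if grant.user_id != user_id or self.clock() >= grant.expires_at:
            return False
        if grant.period_type == SINGLE_USE:
            if grant.used:
                return False
            grant.used = True
        return True


def gateway_invoke(auth, password, user_id, capability):
    """Steps 208-212: the open gateway invokes a capability only if step 210 passes."""
    if not auth.authenticate(password, user_id):
        return "denied"
    return f"invoked {capability} for {user_id}"


if __name__ == "__main__":
    auth = AuthDevice()
    pw = auth.issue_first_password("sim-0001")          # constructed identifier
    print(gateway_invoke(auth, pw, "sim-0001", "sms"))  # provisional password
    auth.record_authorization(pw, accepted=True, period_type=SINGLE_USE)
    print(gateway_invoke(auth, pw, "sim-0002", "sms"))  # different user
    print(gateway_invoke(auth, pw, "sim-0001", "sms"))  # authorized user
    print(gateway_invoke(auth, pw, "sim-0001", "sms"))  # single use already spent
```

The user-binding comparison runs before the single-use flag is set, so a request carrying the wrong user identifier does not consume the authorized user's one permitted invocation.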
An embodiment of the present invention also provides a client application access authentication processing device. FIG. 4 is a schematic structural diagram of Embodiment 1 of the client application access authentication processing device of the present invention. As shown in FIG. 4, the client application access authentication processing device 40 includes a first receiving module 11, a first sending module 12 and a service authorization module 13. The first receiving module 11 receives the first authorization request message sent by the client application device, which requests that a specific user or a third party authorize use of the client application service. The first sending module 12 sends a second authorization request message to the specific user's user equipment or to a third-party device; the second authorization request message requests that the specific user or the third party authorize use of the client application service. The service authorization module 13 receives the authorization result returned by the specific user's user equipment or the third-party device and determines from that result whether to allow the client application device to provide the client application service to the specific user.
In this embodiment of the present invention, the client application access authentication processing device, located in the telecom operator's network system, receives the first authorization request message and then sends a second authorization request message to the specific user's user equipment or a third-party device, asking whether the specific user or the third party authorizes use of the client application service. It then determines, from the authorization result returned by the specific user's user equipment or the third-party device, whether to allow the client application device to provide the client application service to the specific user. As a result, every client application service that the client application device provides for a specific user has been authorized by that user, which improves the security of the services the SP provides to users.
As described in the method embodiments above, the client application device's access to the telecommunications network to provide services for a specific user can be controlled by means of passwords. Specifically, this covers the case where an access password is allocated once and the case where access passwords are allocated twice, corresponding to the method embodiments shown in FIG. 2 and FIG. 3 respectively.
For the embodiment shown in FIG. 2, where only the first access password needs to be allocated, the client application access authentication processing device 50 may, as shown in FIG. 5, further include a first password allocation module 14. Before the first authorization request message requesting that a specific user or a third party authorize use of the client application service is received from the client application device, the first password allocation module 14 receives the first password application message sent by the client application device and returns to the client application device the first access password allocated to it. The service authorization module 13 is then specifically used, when the authorization result is that the specific user accepts the client application service, to authorize the client application device to use the first access password to access telecommunications network capabilities and provide the client application service to the specific user.
For the embodiment shown in FIG. 3, where both a first access password and a second access password need to be allocated, the device likewise includes the first password allocation module 14, which allocates the first access password to the client application device. Here the service authorization module 13 is specifically used, when the authorization result is that the specific user accepts the client application service, to generate a verification code corresponding to the first access password and send the verification code to the client application device, and, after receiving from the client application device a second password application message carrying the first access password and the verification code, to return a second access password to the client application device, authorizing the client application device to use the second access password to access telecommunications network capabilities and provide the client application service to the specific user.
In addition, embodiments of the present invention may further authenticate the identity of the specific user by placing a user identity authentication module 15 in the client application access authentication processing device. After the authorization result returned by the specific user's user equipment or the third-party device is received, and when that result is that the specific user accepts the client application service, the user identity authentication module 15 performs identity authentication on the specific user and, after the authentication passes, returns the authorization result to the client application device. If a verification code corresponding to the first access password has been generated, the verification code is carried in the authorization result sent to the client application device.
Further, an embodiment of the present invention also provides a client application service processing device. FIG. 6 is a schematic structural diagram of an embodiment of the client application service processing device of the present invention. As shown in FIG. 6, the client application service processing device 60 includes a client application access authentication processing device 21 and a telecommunications network open gateway module 22. The client application access authentication processing device 21 may be the client application access authentication processing device provided by any of the above embodiments. After receiving an invocation request message carrying an access password from the client application device, the telecommunications network open gateway module 22 sends the client application access authentication processing device an authentication request message asking it to authenticate the access password and, after the authentication passes, invokes the telecommunications network capability for the client application device.
An embodiment of the present invention also provides a client application device. FIG. 7 is a schematic structural diagram of an embodiment of the client application device of the present invention. As shown in FIG. 7, the client application device 70 includes a telecommunications network access authentication processing module 31 and a telecommunications network service invocation module 32. The telecommunications network access authentication processing module 31 sends the telecom operator's network system a first authorization request message requesting that a specific user authorize use of the client application service and, when the specific user accepts the client application service, obtains an access password that permits invoking telecommunications network capabilities to provide the client application service to the specific user. The telecommunications network service invocation module 32 sends the telecom operator's network system an invocation request message carrying the access password; the invocation request message requests invocation of a telecommunications network capability to provide the client application service for the specific user.
With the client application access authentication processing method and device, the client application service processing device and the client application device provided by the above embodiments of the present invention, before a telecommunications network capability is invoked to provide a client application service for a user, an authorization request message is first sent to the user equipment used by the specific user or to a third-party device, requesting authorization for the specific user to use the client application service. Only after the user accepts the client application service is the client application device authorized to access telecommunications network capabilities and provide the client application service to the specific user. This technical solution improves the security of the client application services the SP provides to users. In addition, the operator can also provide the service to the user with the user's consent and charge according to the service, which effectively prevents third parties from using the operator's telecommunications network capabilities for billing fraud.
Those of ordinary skill in the art will understand that all or part of the steps of the above method embodiments can be carried out by hardware under the control of program instructions. The program can be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments. The storage medium includes ROM, RAM, magnetic disks, optical discs and other media that can store program code.
Finally, it should be noted that the above embodiments are intended only to illustrate the technical solutions of the present invention, not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions described in those embodiments can still be modified, or some of their technical features replaced by equivalents, and that such modifications or replacements do not take the essence of the corresponding technical solutions outside the spirit and scope of the technical solutions of the embodiments of the present invention.
Claims (11)
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201110367609.9A CN103124252B (en) | 2011-11-18 | 2011-11-18 | Client application access authentication treating method and apparatus |
PCT/CN2012/084290 WO2013071836A1 (en) | 2011-11-18 | 2012-11-08 | Method and apparatus for processing client application access authentication |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201110367609.9A CN103124252B (en) | 2011-11-18 | 2011-11-18 | Client application access authentication treating method and apparatus |
Publications (2)
Publication Number | Publication Date |
---|---|
CN103124252A (en) | 2013-05-29 |
CN103124252B (en) | 2016-08-03 |
Family
ID=48428977
Family Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201110367609.9A Expired - Fee Related CN103124252B (en) | 2011-11-18 | 2011-11-18 | Client application access authentication treating method and apparatus |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN103124252B (en) |
WO (1) | WO2013071836A1 (en) |
Families Citing this family (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104468487B (en) * | 2013-09-23 | 2018-10-19 | 华为技术有限公司 | Communication authentication method and device, terminal device |
CN103532982A (en) * | 2013-11-04 | 2014-01-22 | 祝贺 | Wearable device based authorization method, device and system |
CN104703162B (en) * | 2014-12-27 | 2018-11-30 | 华为技术有限公司 | A kind of method, apparatus and system by application access third party's resource |
CN104715188B (en) * | 2015-03-27 | 2019-10-01 | 百度在线网络技术(北京)有限公司 | A kind of application implementation method and device based on binding terminal |
CN107566322A (en) * | 2016-06-30 | 2018-01-09 | 惠州华阳通用电子有限公司 | A kind of onboard system multi-user access method and device |
CN114064303A (en) * | 2020-07-31 | 2022-02-18 | 华为技术有限公司 | Remote service invocation method, device, system, storage medium |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1466308A (en) * | 2002-06-15 | 2004-01-07 | 华为技术有限公司 | A Method for Realizing Content Billing |
CN101083528A (en) * | 2007-06-08 | 2007-12-05 | 中兴通讯股份有限公司南京分公司 | Dynamic host configuring protocol based security access method and system |
CN101282505A (en) * | 2007-04-04 | 2008-10-08 | 中国电信股份有限公司 | Method for managing service of telecommunication system |
CN102004987A (en) * | 2010-10-21 | 2011-04-06 | 中国移动通信集团北京有限公司 | Method, device and system for realizing application service |
CN102202300A (en) * | 2011-06-14 | 2011-09-28 | 上海众人网络安全技术有限公司 | System and method for dynamic password authentication based on dual channels |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20110276645A1 (en) * | 2009-01-16 | 2011-11-10 | Telefonktiebolaget L M Erecsson | Method of and message service gateway for controlling delivery of a message service to an end user |
2011
- 2011-11-18 CN CN201110367609.9A (CN103124252B): Expired - Fee Related
2012
- 2012-11-08 WO PCT/CN2012/084290 (WO2013071836A1): Application Filing
Patent Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1466308A (en) * | 2002-06-15 | 2004-01-07 | 华为技术有限公司 | A Method for Realizing Content Billing |
CN101282505A (en) * | 2007-04-04 | 2008-10-08 | 中国电信股份有限公司 | Method for managing service of telecommunication system |
CN101083528A (en) * | 2007-06-08 | 2007-12-05 | 中兴通讯股份有限公司南京分公司 | Dynamic host configuring protocol based security access method and system |
CN102004987A (en) * | 2010-10-21 | 2011-04-06 | 中国移动通信集团北京有限公司 | Method, device and system for realizing application service |
CN102202300A (en) * | 2011-06-14 | 2011-09-28 | 上海众人网络安全技术有限公司 | System and method for dynamic password authentication based on dual channels |
Also Published As
Publication number | Publication date |
---|---|
CN103124252A (en) | 2013-05-29 |
WO2013071836A1 (en) | 2013-05-23 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN111131242B (en) | Authority control method, device and system | |
CN102724647B (en) | Method and system for access capability authorization | |
JP5231433B2 (en) | System and method for authenticating remote server access | |
CN102710640B (en) | Authorization requesting method, device and system | |
US8584231B2 (en) | Service opening method and system, and service opening server | |
CN101729514B (en) | Method, device and system for implementing service call | |
CN104158824B (en) | Genuine cyber identification authentication method and system | |
CN103124252B (en) | Client application access authentication treating method and apparatus | |
CN103249045A (en) | Identification method, device and system | |
RU2676896C2 (en) | Method and system related to authentication of users for accessing data networks | |
TWI632798B (en) | Server, mobile terminal, and network real-name authentication system and method | |
CN102811228A (en) | Network service login method, device and system | |
KR20100038990A (en) | Apparatus and method of secrity authenticate in network authenticate system | |
EP2732594B1 (en) | System and method for alternative distribution of a pin code | |
CN108632325A (en) | A kind of call method and device of application | |
EP2721856B1 (en) | SYSTEMS AND METHODS OF INTEGRATING OpenID WITH A TELECOMMUNICATIONS NETWORK | |
CN104113511A (en) | IMS network access method, system, and correlative device | |
WO2009090428A1 (en) | Mobile approval system and method | |
KR100623293B1 (en) | Mobile terminal subscriber authentication method using callback message | |
CN114629672B (en) | Method, system and storage medium for improving security of voice call based on token verification | |
CN114697036B (en) | Telephone number access method and communication intermediary system | |
KR20170140751A (en) | System and Method for Confirm Transaction by using Dual Channel | |
CN115883185A (en) | Open bank three-party signing system and method | |
CN118821158A (en) | Access control method and system for page unit | |
CN104703160A (en) | Electronic certificate processing method and equipment |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C14 | Grant of patent or utility model | ||
GR01 | Patent grant | ||
TR01 | Transfer of patent right | Effective date of registration: 20200213. Address after: 518129 Bantian HUAWEI headquarters office building, Longgang District, Guangdong, Shenzhen. Patentee after: HUAWEI TECHNOLOGIES Co.,Ltd. Address before: Kokusai Hotel No. 11 Nanjing Avenue in the flora of 210012 cities in Jiangsu Province. Patentee before: HUAWEI SOFTWARE TECHNOLOGIES Co.,Ltd. |
CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20160803 |