
CN113132402A - Single sign-on method and system - Google Patents


Info

Publication number
CN113132402A
Authority
CN
China
Prior art keywords
authentication
user
application
server
application token
Prior art date
Legal status
Granted
Application number
CN202110461827.2A
Other languages
Chinese (zh)
Other versions
CN113132402B (en)
Inventor
徐辉
胡良俊
Current Assignee
Secworld Information Technology Beijing Co Ltd
Qax Technology Group Inc
Original Assignee
Secworld Information Technology Beijing Co Ltd
Qax Technology Group Inc
Priority date
Filing date
Publication date
Application filed by Secworld Information Technology Beijing Co Ltd and Qax Technology Group Inc
Priority to CN202110461827.2A
Publication of CN113132402A
Application granted; publication of CN113132402B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0815 Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
    • H04L63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

An embodiment of the present invention provides a single sign-on method applied to a terminal device. The terminal device has a built-in authentication client program and a plurality of application programs, the plurality of application programs including a browser and an application client program. The single sign-on method comprises performing the following operations through the authentication client program: intercepting an access request sent by a user through a target application program, the target application program being any one of the plurality of application programs; obtaining an application token from an authentication server according to the access request; and forwarding the access request and the application token to a target server, so that the target server approves or rejects the login. In the embodiment of the present invention, the authentication client program and the authentication server manage the identity authentication of C/S applications and B/S applications, which solves the problem that C/S applications and B/S applications cannot share identity authentication information and therefore cannot implement single sign-on.

Description

Single sign-on method and system
Technical Field
The present invention relates to the field of computer security technologies, and in particular, to a single sign-on method, an apparatus, a computer device, a computer-readable storage medium, and a single sign-on system.
Background
With the continuous development of communication technology, the internet has become part of every aspect of life. Users need to access many different application systems every day, each of which requires the user to follow certain security policies, such as entering a user account and password. As the number of systems a user accesses grows, the user has to remember multiple passwords in order to gain access to the different application systems. To make them easier to remember, users typically simplify passwords, reuse the same password across multiple systems, or write passwords down, all of which greatly reduce the security of system logins. Single sign-on (SSO) technology has evolved in response. Single sign-on means that, across a plurality of application systems, a user only needs to log on once to access all of the mutually trusting application systems.
However, existing single sign-on technology is applied to Web application systems of the B/S (Browser/Server) architecture and is limited to single sign-on identity authentication between multiple Web applications; there is no single sign-on technology that supports both C/S (Client/Server) applications and B/S applications.
Disclosure of Invention
The invention aims to provide a single sign-on method, a single sign-on system, a computer device and a computer-readable storage medium to solve the following problem: existing single sign-on identity authentication cannot support C/S applications and B/S applications at the same time.
One aspect of the embodiments of the present invention provides a single sign-on method, which is applied to a terminal device, where the terminal device has an authentication client and multiple application programs, and the multiple application programs include a browser and an application client; the single sign-on method comprises the following steps:
performing, by the authentication client program:
intercepting an access request sent by a user through a target application program, wherein the target application program is any one of the plurality of application programs;
acquiring an application token from an authentication server according to the access request, wherein the application token is used for indicating that the user passes identity authentication and has access right; and
forwarding the access request and the application token to a target server to cause the target server to: verify the application token and execute a response to the access request according to the verification result, wherein the response comprises approving or rejecting the login.
Optionally, the request information sent to the authentication server includes a unique identification code associated with the terminal device, and obtaining the application token from the authentication server according to the access request includes:
sending the request information to the authentication server to cause the authentication server to: retrieve the user authentication session associated with the unique identification code and, if the user authentication session is retrieved, determine that the user has passed identity authentication, issue the application token, and return the application token to the authentication client program; the user authentication session is used for maintaining the authentication information and identity information of the user.
Optionally, the request information includes a unique identification code associated with the terminal device; the obtaining of the application token from the authentication server according to the access request includes:
sending the request information to the authentication server to cause the authentication server to: retrieving a user authentication session associated with the unique identification code, and if the user authentication session is not retrieved, determining that the user fails the identity authentication and returning an unauthenticated message to the authentication client program, wherein the unauthenticated message is used for indicating that the user fails the identity authentication, and the user authentication session is used for maintaining authentication information and identity information of the user;
receiving the unauthenticated message, and displaying a login authentication interface based on the unauthenticated message;
receiving input identity authentication information through the login authentication interface, and sending the identity authentication information to the authentication server so that the authentication server: verifying the user according to the identity authentication information, creating the user authentication session under the condition that the user authentication is successful, and returning an authentication success message to the authentication client program, wherein the authentication success message is used for indicating that the user passes the identity authentication; and
receiving the authentication success message, and applying to the authentication server for the application token again, to cause the authentication server to: on the condition that the user authentication session has been created, determine that the user has passed identity authentication, issue the application token in response to the reapplication, and return the application token to the authentication client program.
Optionally, the method further includes executing, by the authentication client program, a user log-off operation:
receiving a logout operation for the user; and
in response to the logout operation, logging out the user and sending a user logout notification to the authentication server to cause the authentication server to: logging off the user authentication session, clearing the application token and sending a user offline notification to the target server to enable the target server to offline the user.
Optionally, the method further includes executing, by the target application program, a user log-off operation:
receiving a logout operation for the user; and
in response to the logout operation, generating a notification message indicating that the user is offline, and sending the notification message to the target server to cause the target server to perform at least one of the following operations: taking the user offline, notifying the authentication server to cancel or update the user authentication session, and clearing the application token.
One aspect of the embodiments of the present invention further provides a single sign-on apparatus, which is applied to a terminal device, where the terminal device is internally provided with an authentication client program and a plurality of application programs, and the plurality of application programs include a browser and an application client program; the single sign-on apparatus includes:
an authentication login module, configured to perform the following operations by the authentication client:
intercepting an access request sent by a user through a target application program, wherein the target application program is any one of the plurality of application programs;
acquiring an application token from an authentication server according to the access request, wherein the application token is used for indicating that the user passes identity authentication and has access right; and
forwarding the access request and the application token to a target server to cause the target server to: verify the application token and execute a response to the access request according to the verification result, wherein the response comprises approving or rejecting the login.
One aspect of the embodiments of the present invention further provides a single sign-on method, which is used in an authentication server; the method comprises the following steps:
receiving request information for requesting an application token, sent by a terminal device through an authentication client program; the authentication client program is installed on the terminal device and is used for intercepting an access request of a user on the terminal device and applying for the application token based on the access request, and the application token is used for indicating that the user has passed identity authentication and has access rights;
judging whether the user has passed identity authentication according to the request information, and determining whether to issue the application token according to the judgment result; and
if the user has passed identity authentication, issuing the application token and returning the application token to the authentication client program, so that the authentication client program forwards the access request and the application token to a target server and the target server executes the login according to the access request and the application token.
Optionally, the request information includes a unique identification code associated with the terminal device; the judging whether the user passes the identity authentication according to the request information and determining whether to issue the application token according to the judging result comprises the following steps:
retrieving a user authentication session associated with the unique identification code, and if the user authentication session is retrieved, determining that the user has passed identity authentication and determining to issue the application token, the application token being bound to the user authentication session, the user authentication session being used to maintain authentication information and identity information of the user.
Optionally, the request information includes a unique identification code associated with the terminal device; the judging whether the user passes the identity authentication according to the request information and determining whether to issue the application token according to the judging result comprises the following steps:
retrieving a user authentication session associated with the unique identification code, and if the user authentication session is not retrieved, judging that the user does not pass identity authentication and returning an unauthenticated message to the authentication client program so that the authentication client program submits identity authentication information according to the unauthenticated message; the unauthenticated message is used for indicating that the user fails to pass identity authentication, and the user authentication session is used for maintaining authentication information and identity information of the user;
receiving the identity authentication information submitted by the authentication client program;
verifying the user according to the identity authentication information;
if the user verification is successful, establishing the user authentication session and returning an authentication success message to the authentication client program, so that the authentication client program applies for the application token to the authentication server again based on the authentication success message; the authentication success message is used for indicating that the user passes identity authentication; and
in response to a reapplication of the authentication client program: in a case where the user authentication session has been created, determining that the user has been authenticated and determining to issue the application token, the application token being bound to the user authentication session.
Optionally, the method further includes:
receiving a user logout notification provided by the authentication client program; and
in response to the user logout notification: logging off the user authentication session, clearing the application token, and sending a user offline notification to the target server to enable the target server to offline the user.
Optionally, the method further includes:
receiving a user offline notification provided by the target server; and
in response to the user offline notification: cancelling or updating the user authentication session, and clearing the application token.
Optionally, the user authentication session is associated with one or more application server programs in the target server, and cancelling or updating the user authentication session includes:
if the user authentication session is associated with a single application server program in the target server, cancelling the user authentication session; or
if the user authentication session is associated with a plurality of application server programs in the target server, and the user offline notification results from the offline operation performed on the user by a target application server program among the plurality of application server programs, updating the user authentication session to delete the association information of the target application server program from the user authentication session.
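The token-issuance flow (the authentication client applies for a token, the authentication server looks up the session by the device's unique identification code, sends the client to the login interface when there is none, and issues a token bound to the session on re-application) and the two log-off paths (session cancellation on logout through the authentication client; per-application association removal, or cancellation when the last application goes offline, on a target server's offline notification) are shown together below as an in-memory simulation. This is an added example and not the patent's code. The message names (request_token, login, verify_token, logout, app_offline), the device_id field, the choice of a random URL-safe string as the token, and the verification of the token by the target server through a call back to the authentication server are all assumptions; the patent only names the steps. The example also assumes, as the patent does not say, that the channel between the authentication client and the authentication server is itself authenticated (for instance mutual TLS), because the unique identification code is used only as a session lookup key and not as proof of possession.

```python
"""Simulation of the single sign-on token and log-off flows (added example, not the patent's code)."""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class UserSession:
    """User authentication session: identity plus everything bound to it."""
    user: str
    apps: set = field(default_factory=set)    # application server programs associated with it
    tokens: set = field(default_factory=set)  # application tokens bound to it


class AuthServer:
    def __init__(self, credentials):
        self._creds = credentials    # user -> password; constructed test data only
        self._sessions = {}          # device unique id -> UserSession
        self._tokens = {}            # application token -> (device id, app)
        self.offline_notices = []    # user offline notifications sent to target servers

    def has_session(self, device_id):
        return device_id in self._sessions

    def request_token(self, device_id, app):
        """Token application: the session is looked up by the device id alone (assumed channel is authenticated)."""
        sess = self._sessions.get(device_id)
        if sess is None:
            return {"status": "unauthenticated"}
        token = secrets.token_urlsafe(32)   # unguessable; the token itself is the capability
        sess.apps.add(app)
        sess.tokens.add(token)
        self._tokens[token] = (device_id, app)
        return {"status": "ok", "token": token}

    def login(self, device_id, user, password):
        """Identity authentication submitted through the login interface; creates the session."""
        expected = self._creds.get(user)
        if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
            return {"status": "failed"}
        old = self._sessions.pop(device_id, None)   # a fresh login replaces any stale session
        for token in (old.tokens if old else ()):
            self._tokens.pop(token, None)
        self._sessions[device_id] = UserSession(user)
        return {"status": "authenticated"}

    def verify_token(self, token, app):
        """Called by the target server: identity is released only for a live token issued for that app."""
        bound = self._tokens.get(token)
        if bound is None or bound[1] != app:
            return None
        return self._sessions[bound[0]].user

    def logout(self, device_id):
        """Log-off through the authentication client (FIG. 4): cancel the whole session."""
        sess = self._sessions.pop(device_id, None)
        if sess is None:
            return
        for token in sess.tokens:
            self._tokens.pop(token, None)
        for app in sess.apps:
            self.offline_notices.append((device_id, sess.user, app))

    def app_offline(self, device_id, app):
        """User offline notification from one application server program (FIG. 5)."""
        sess = self._sessions.get(device_id)
        if sess is None:
            return
        for token in [t for t in sess.tokens if self._tokens.get(t, (None, None))[1] == app]:
            sess.tokens.discard(token)
            self._tokens.pop(token, None)
        sess.apps.discard(app)
        if not sess.apps:               # last associated application gone: cancel the session
            del self._sessions[device_id]


class TargetServer:
    """B/S or C/S application server: trusts only a token the authentication server confirms."""
    def __init__(self, app, auth_server):
        self.app, self.auth = app, auth_server

    def handle(self, request, token):
        user = self.auth.verify_token(token, self.app)
        if user is None:
            return {"login": "rejected", "request": request}
        return {"login": "approved", "user": user, "request": request}


class AuthClient:
    """Runs on the terminal device; every application access passes through here."""
    def __init__(self, device_id, auth_server, targets, prompt):
        self.device_id, self.auth, self.targets, self.prompt = device_id, auth_server, targets, prompt

    def access(self, app, request):
        reply = self.auth.request_token(self.device_id, app)
        if reply["status"] == "unauthenticated":          # FIG. 2: show the login interface
            user, password = self.prompt()
            if self.auth.login(self.device_id, user, password)["status"] != "authenticated":
                return {"login": "rejected", "request": request}   # blocked before it reaches the app
            reply = self.auth.request_token(self.device_id, app)   # re-application after login
        return self.targets[app].handle(request, reply["token"])


def run_demo():
    """Constructed walk-through: a browser (B/S) and then a C/S client on the same device."""
    auth = AuthServer({"alice": "correct horse battery"})
    targets = {name: TargetServer(name, auth) for name in ("mail-web", "vpn-client")}
    client = AuthClient("device-7f3a", auth, targets, lambda: ("alice", "correct horse battery"))
    first = client.access("mail-web", "GET /inbox")        # no session yet: login, then token
    second = client.access("vpn-client", "CONNECT gw")     # session exists (FIG. 3): token at once
    forged = targets["mail-web"].handle("GET /inbox", "not-a-real-token")
    auth.app_offline("device-7f3a", "mail-web")            # one of two apps offline: session kept
    kept = auth.has_session("device-7f3a")
    auth.app_offline("device-7f3a", "vpn-client")          # last app offline: session cancelled
    cancelled = not auth.has_session("device-7f3a")
    return first, second, forged, kept, cancelled
```

Two checks matter in practice and are built in above: the target server never reads identity out of the token itself but asks the authentication server, so a token cancelled by either log-off path stops working immediately; and a token is bound to one application, so a token obtained for the web mail front end is rejected by the VPN server even on the same device.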
One aspect of the embodiments of the present invention further provides a single sign-on apparatus, configured to be used in an authentication server; the device comprises:
the receiving module is used for receiving request information for requesting an application token, sent by a terminal device through an authentication client program; the authentication client program is installed on the terminal device and is used for intercepting an access request of a user on the terminal device and applying for the application token based on the access request, and the application token is used for indicating that the user has passed identity authentication and has access rights;
the determining module is used for judging whether the user has passed identity authentication according to the request information and determining whether to issue the application token according to the judgment result; and
the issuing module is used for issuing the application token and returning it to the authentication client program if the user has passed identity authentication, so that the authentication client program can forward the access request and the application token to a target server and the target server can execute the login according to the access request and the application token.
An aspect of the embodiments of the present invention further provides a computer device, including a memory, a processor, and a computer program stored on the memory and executable on the processor, wherein the processor implements the steps of the single sign-on method as described above when executing the computer program.
An aspect of the embodiments of the present invention further provides a computer-readable storage medium storing a computer program, wherein the computer program, when executed by a processor, implements the steps of the single sign-on method as described above.
One aspect of the embodiments of the present invention further provides a single sign-on system, where the system includes a terminal device, an authentication server, and a target server; the terminal equipment is internally provided with an authentication client program and a plurality of application programs; wherein:
the terminal device is used for executing the following operations through the authentication client program: intercepting an access request sent by a user through a target application program, wherein the target application program is any one of a plurality of application programs, and the plurality of application programs comprise a browser and an application client program; sending request information for applying an application token to the authentication server, wherein the application token is used for indicating that the user passes identity authentication and has access right;
the authentication server is used for issuing the application token according to the request information and returning the application token to the authentication client program;
the terminal device is further configured to forward the access request and the application token to the target server through an authentication client program;
the target server is used for receiving the access request and the application token forwarded by the authentication client program and executing a response aiming at the access request based on the application token, wherein the response comprises the login approval or the login rejection.
Optionally, the request information includes a unique identification code associated with the terminal device;
the authentication server is further configured to: retrieve the user authentication session associated with the unique identification code and, if the user authentication session is retrieved, determine that the user has passed identity authentication, issue the application token, bind the application token to the user authentication session, and return the application token to the authentication client program; the user authentication session is used for maintaining the authentication information and identity information of the user.
Optionally, the request information includes a unique identification code associated with the terminal device;
the authentication server is further configured to: retrieving a user authentication session associated with the unique identification code, and if the user authentication session is not retrieved, determining that the user does not pass identity authentication and returning an unauthenticated message to the authentication client program; the unauthenticated message is used for indicating that the user fails to pass identity authentication, and the user authentication session is used for maintaining authentication information and identity information of the user;
the terminal device is further configured to, by the authentication client program: receiving the unauthenticated message, and displaying a login authentication interface based on the unauthenticated message; receiving input identity authentication information through the login authentication interface, and sending the identity authentication information to the authentication server;
the authentication server is further configured to: verifying the user according to the identity authentication information; if the user verification is successful, establishing the user authentication session and returning an authentication success message to the authentication client program; the authentication success message is used for indicating that the user passes identity authentication;
the terminal device is further configured to, by the authentication client program: applying for the application token again to an authentication server based on the authentication success message;
the authentication server is further configured to, in response to the reapplication by the authentication client program: on the condition that the user authentication session has been created, determine that the user has passed identity authentication, decide to issue the application token, bind the application token to the user authentication session, and return the application token to the authentication client program.
Optionally, the terminal device is further configured to, through the authentication client program: receive a logout operation for the user, log the user out based on the logout operation, and send a user logout notification to the authentication server;
the authentication server is further configured to respond to the user logout notification and perform at least one of the following operations: logging off the user authentication session, clearing the application token, and sending a user offline notification to the target server to enable the target server to offline the user.
Optionally, the terminal device is further configured to, through the target application: receiving a quitting operation aiming at the user, responding to the quitting operation, generating a notification message for indicating that the user is offline, and sending the notification message to the target server;
the target server is further configured to: the user is offline based on the notification message, and a user offline notification is sent to the authentication server;
the authentication server, in response to the user offline notification: cancels or updates the user authentication session, and clears the application token.
Optionally, the user authentication session is associated with one or more application server programs in the target server, and cancelling or updating the user authentication session includes:
if the user authentication session is associated with a single application server program in the target server, cancelling the user authentication session; or
if the user authentication session is associated with a plurality of application server programs in the target server, and the user offline notification results from the offline operation performed on the user by a target application server program among the plurality of application server programs, updating the user authentication session to delete the association information of the target application server program from the user authentication session.
The single sign-on method, single sign-on apparatus, computer device, computer-readable storage medium and single sign-on system manage, through the authentication client program, the identity authentication of both the browser under the B/S architecture and the application client program under the C/S architecture, realize the transfer of authentication information and mutual trust between applications of the two different architectures, and solve the problem that C/S applications and B/S applications cannot share identity authentication information and therefore cannot implement single sign-on.
Drawings
FIG. 1 schematically shows a system architecture diagram of a single sign-on system according to a first embodiment of the invention;
FIG. 2 is a login process in the case of user authentication failure;
FIG. 3 is a login process in the case where a user has been authenticated;
FIG. 4 is a flow chart of a user going offline through the authentication client program;
FIG. 5 is a flow of a user going offline through a target application;
FIG. 6 schematically shows a flow chart of a single sign-on method according to a second embodiment of the invention;
FIG. 7 schematically illustrates a flow chart of a single sign-on method according to a third embodiment of the invention;
FIG. 8 schematically illustrates a block diagram of a single sign-on apparatus according to a fourth embodiment of the invention;
FIG. 9 schematically illustrates a block diagram of a single sign-on apparatus, according to an embodiment of the invention; and
FIG. 10 schematically shows a hardware architecture diagram of a computer device suitable for implementing the single sign-on method according to a sixth embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It should be noted that the descriptions relating to "first", "second", etc. in the embodiments of the present invention are only for descriptive purposes and are not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defined as "first" or "second" may explicitly or implicitly include at least one such feature. In addition, technical solutions between various embodiments may be combined with each other, but must be realized by a person skilled in the art, and when the technical solutions are contradictory or cannot be realized, such a combination should not be considered to exist, and is not within the protection scope of the present invention.
In the description of the present invention, it should be understood that the numerical references before the steps do not identify the order of performing the steps, but merely serve to facilitate the description of the present invention and to distinguish each step, and thus should not be construed as limiting the present invention.
Regarding the single sign-on technique, the present inventors have learned that:
existing single sign-on technology is applied to Web application systems of the B/S (Browser/Server) architecture, is limited to single sign-on identity authentication between multiple Web applications, and cannot support single sign-on across different technical architectures, such as C/S (Client/Server) applications and B/S applications, at the same time.
Various embodiments are provided below, which can be used to address the single sign-on deficiencies described above.
The following are explanations of terms involved in the present invention:
A B/S application is a web application of the B/S architecture. A user accesses web pages through the browser on his terminal to complete various operations. A B/S application comprises a B/S application page running in the browser of the terminal device and a B/S application server program running on a server (back end). The user accesses the B/S application server program through the B/S application page.
A C/S application is an application of the C/S architecture. The user completes various operations through the interface provided by a client on the terminal. A C/S application comprises a C/S application client program running on the terminal device and a C/S application server program running on a server (back end). The user accesses the C/S application server program through the C/S application client program.
The invention aims to provide a scheme for simultaneously supporting identity authentication of a C/S application and a B/S application to realize single sign-on, and can solve the problems that the C/S application and the B/S application cannot share identity authentication information and cannot realize single sign-on. The principle is as follows:
An authentication client program is installed on the terminal device. Every application access request of the user (for B/S and C/S applications alike) is intercepted by the authentication client program, which performs identity authentication, application token application and so on against the authentication server. If the authentication client program obtains the application token issued by the authentication server, it forwards the application token and the application access request to the target server. The target server verifies the application token with the authentication server and, if verification passes, obtains the user identity information, which completes the user's online process. If the authentication client program does not obtain an application token from the authentication server, the application access request is blocked.
FIG. 1 schematically shows a system architecture diagram of a single sign-on system according to an embodiment of the invention.
In an exemplary embodiment, as shown in fig. 1, the terminal device 2 may be communicatively connected to an authentication server 4 and a target server 6. The target server 6 may be a B/S application server or a C/S application server.
The terminal device 2 is provided with a browser 2A under the B/S architecture, an application client program 2B under the C/S architecture, and an authentication client program 2C. The terminal device 2 may be any type of terminal device, such as a mobile device, tablet device, laptop computer, virtual reality headset, gaming device, set-top box, reader, vehicle terminal, smart television, and the like.
The authentication client program 2C is the client component of the authentication service and interacts with the authentication server 4 through an authentication interface. It runs continuously as a background daemon process of the terminal device 2; on the one hand it interacts with the authentication server 4, on the other hand it provides a user interface for login authentication interaction with the user. Its functions are as follows: (1) Traffic interception: intercepts the user's access requests (for B/S and C/S applications alike) so that an access request can only be sent out with an application token after identity authentication has been carried out; otherwise the access request is refused and access is forbidden. (2) User authentication: if the user is not authenticated, provides a user authentication interface for interacting with the user, receives the account and password entered by the user through that interface, and submits them to the authentication server 4 so that the authentication server 4 performs the user identity authentication. (3) Applying for an application token: applies to the authentication server 4 for an application token, so that the authentication server 4 returns the application token once it has determined that the user is authenticated. The application token represents the right to access an application (a C/S application or a B/S application in the target server 6). (4) User logout: the user actively performs a logout operation through the authentication client program 2C, and the authentication client program 2C notifies the authentication server 4 that the user has logged out. (5) Traffic forwarding: forwards the access request together with the application token obtained by the application to the target server 6, so that the access request reaches the target server 6.
The authentication server 4 provides the identity authentication service and implements the core business logic of user identity authentication. It maintains the identity authentication information of each user. After the user has passed identity authentication through one application program, the authentication server 4 records and maintains the user's identity authentication session information, so that when the user accesses it through other application programs, those application programs can obtain the corresponding identity authentication information; the user therefore authenticates once and the other application programs share the identity authentication information, which realizes single sign-on. The authentication server 4 mainly provides externally callable RESTful (Representational State Transfer) and WebService interfaces, and can provide a Web management page for convenient management. The authentication server 4 may provide the following functions: (1) User identity authentication: authenticates the account and password submitted by the user to complete verification of the user identity. (2) Creating and maintaining a user authentication session: creates and maintains a user authentication session for a user who has passed identity authentication and associates it with the application token, so that the user's authentication information and application access state are maintained through the user authentication session for the duration of the user's access. (3) Issuing an application token: issues an application token for application access by the authenticated user.
The user authentication session comprises: the account, the ID of the authentication session, the validity period of the authentication session, the session time, the state, and the associated application token ID. The identity information comprises basic information such as the account, name, mailbox, telephone and state. The application token information comprises: the application token ID, state, application identification, application address, validity period, associated authentication session ID, the authentication signature information of the token, and the like.
The authentication server 4 provides the following service interfaces: (1) User authentication interface: receives the account and password submitted by the authentication client program 2C and completes user identity authentication. (2) Application token application interface: receives an application token application submitted by the authentication client program 2C and issues an application token for application access by the authenticated user. (3) Application token verification interface: receives an application token verification message sent by the target server 6 and, if verification succeeds, returns the user identity information. (4) User logout interface: receives a user logout notification submitted by the authentication client program or by the application server program, and takes the user offline.
The target server 6 may include a B/S server and a C/S server. A B/S application server program is built into the B/S server and a C/S application server program is built into the C/S server; both are used to respond to access requests sent by the terminal device 2 and return response data, such as page data, to the terminal device 2.
The authentication server 4 and the target server 6 may each be a rack server, a blade server, a tower server or a cabinet server (either an independent server or a server cluster composed of a plurality of servers), and the like.
Embodiment one
With continued reference to fig. 1, a single sign-on system is provided below. The single sign-on system includes: terminal device 2, authentication server 4 and target server 6. Target server 6 may include a B/S server and/or a C/S server. The terminal device 2 has built into it an authentication client program 2C, a plurality of application programs, and the like.
The terminal device 2 is configured to perform the following operations through the authentication client program 2C: intercepting an access request sent by the user through a target application program, where the target application program is any one of a plurality of application programs, and the plurality of application programs comprise the browser 2A and the application client program 2B; and sending request information for applying for an application token to the authentication server 4, where the application token indicates that the user has passed identity authentication and has access right.
The authentication server 4 is configured to issue the application token according to the request information, and return the application token to the authentication client program 2C.
The terminal device 2 is further configured to forward the access request and the application token to the target server 6 through the authentication client program 2C.
The target server 6 is configured to receive the access request and the application token forwarded by the authentication client program 2C and to execute a response to the access request based on the application token, where the response is an approval or a rejection of the login.
The single sign-on system provided by the embodiment of the invention has the following technical advantages: the identity authentication of the browser under the B/S architecture and of the application client program under the C/S architecture is managed through the authentication client program 2C and the authentication server 4, so that authentication information is transferred and mutually trusted between applications of the C/S architecture and the B/S architecture, which solves the problem that C/S applications and B/S applications cannot share identity authentication information and cannot achieve single sign-on.
(1) The user accesses the target server 6 for the first time through the browser 2A; the authentication client program 2C uniformly connects to the authentication server 4, and the authentication server 4 creates a user authentication session and issues an application token for the user.
(2) The user accesses the target server 6 again through the application client program 2B; the authentication client program 2C again uniformly connects to the authentication server 4 and sends request information for applying for an application token to the authentication server 4. From the request information, the authentication server 4 can find the user authentication session created earlier for this user and issues an application token for this access, which realizes single sign-on without the user having to enter user authentication information again.
In addition, the invention can also provide other alternatives to optimize the technical effect of single sign-on, which are specifically as follows:
As an example, the request information comprises a unique identification code associated with the terminal device. The authentication server 4 is further configured to: retrieve the user authentication session associated with the unique identification code and, if the user authentication session is retrieved, determine that the user has passed identity authentication and issue the application token, bind the application token to the user authentication session, and return the application token to the authentication client program; the user authentication session is used for maintaining the authentication information and identity information of the user. In this embodiment, the user's authentication information in the authentication server 4 is retrieved by the unique identification code in order to determine whether an application token is issued, so that whether the application can log in to the target server 6 is determined efficiently.
As an example, the request information comprises a unique identification code associated with the terminal device. The authentication server 4 is further configured to: retrieve the user authentication session associated with the unique identification code and, if no user authentication session is retrieved, determine that the user has not passed identity authentication and return an unauthenticated message to the authentication client program; the unauthenticated message indicates that the user has not passed identity authentication, and the user authentication session is used for maintaining the authentication information and identity information of the user. The terminal device 2 is further configured to, through the authentication client program: receive the unauthenticated message and display a login authentication interface based on it; and receive the identity authentication information entered through the login authentication interface and send it to the authentication server. The authentication server 4 is further configured to: verify the user according to the identity authentication information and, if verification succeeds, create the user authentication session and return an authentication success message to the authentication client program; the authentication success message indicates that the user has passed identity authentication. The terminal device 2 is further configured to, through the authentication client program: apply for the application token again from the authentication server based on the authentication success message.
The authentication server 4 is further configured, in response to the reapplication by the authentication client program: when the user authentication session has been created, to determine that the user has passed identity authentication and decide to issue the application token, bind the application token to the user authentication session, and return the application token to the authentication client program. In this embodiment, the user's authentication information in the authentication server 4 is retrieved through the unique identification code and, once the user is determined to be authenticated, a user authentication session is created in the authentication server 4; this session serves as the basis for the user having passed identity authentication and logged in, and also as the login basis for subsequent applications under other architectures, which improves identity authentication efficiency and login efficiency for applications under different architectures.
As an example: the terminal device 2 is further configured to, by the authentication client program 2C: and receiving a logout operation aiming at the user, logging out the user based on the logout operation and sending a user logout notice to the target server. The authentication server 4 is further configured to, in response to the user logout notification, perform at least one of the following operations: logging off the user authentication session, clearing the application token, and sending a user offline notification to the target server to enable the target server to offline the user. The embodiment provides a user offline scheme, which can efficiently and safely realize user offline.
As an example: the terminal device 2 is further configured to, by the target application: receiving a quit operation aiming at the user, responding to the quit operation, generating a notification message for indicating that the user is offline, and sending the notification message to the target server 6. The target server 6 is further configured to: and based on the notification message, the user is off line, and a user off line notification is sent to the authentication server 4. The authentication server 4, in response to the user offline notification: logging off or updating the user authentication session, and clearing the application token. The embodiment provides another user offline scheme, and the user offline can be efficiently and safely realized.
As an example: the user authentication session is associated with one or more application server programs in the target server, and the deregistering or updating the user authentication session includes: if the user authentication session is associated with an application server program in the target server, the user authentication session is cancelled; or if the user authentication session is associated with a plurality of application server programs in the target server, and the user offline notification is obtained based on offline operation of the target application server program in the plurality of application server programs on the user, updating the user authentication session to delete the associated information of the target server application in the user authentication session. In this embodiment, authentication and login between one or more application programs in the terminal device 2 and one or more application server programs in the target server 6 can be maintained through one user authentication session, and login and maintenance efficiency is improved.
In order to make the invention easier to understand, several specific examples are provided below.
Case 1: as shown in fig. 2, the user logs in to the target server through the target application program without having been authenticated beforehand.
S200: the terminal device 2 initiates an access request through a built-in target application program.
The target application program can be a browser 2A under a B/S architecture or an application client program 2B under a C/S architecture.
S201: the terminal device 2 intercepts the access request through a built-in authentication client program 2C to check whether the user is authenticated.
S202: the authentication client program 2C sends request information for applying for an application token to the authentication server 4 through the authentication interaction interface.
S203: the authentication server 4 receives the request information and judges whether the user passes the identity authentication according to the request information.
The request information carries a unique identification code, such as the IMEI (International Mobile Equipment Identity) of the terminal device 2, a UDID (Unique Device Identifier), a MAC (Media Access Control) address, and the like.
For example, the authentication server 4 retrieves whether a user authentication session associated with the unique identification code is included therein, and determines that the user has been authenticated if the user authentication session is retrieved, otherwise, the user has not been authenticated.
S204: if the authentication server 4 determines that the user does not pass the identity authentication, an unauthenticated message is returned to the authentication client program 2C.
S205: the authentication client program 2C displays a login authentication interface on the terminal device 2 according to the unauthenticated message.
The login authentication interface comprises an account input interface, a password input interface and the like, and can also comprise a verification code input interface.
S206: the authentication client program 2C receives the entered account and password through the login authentication interface.
S207: the authentication client program 2C sends the account and password to the authentication server 4 for identity verification.
S208: the authentication server 4 verifies the account and the password submitted by the authentication client program 2C.
If the verification is passed, the process proceeds to step S209.
If the verification fails, an error prompt message is returned.
S209: the authentication server 4 creates a user authentication session for the user for maintaining authentication and identity information for the user.
The user authentication session may include: the user account, the identification (ID) of the authentication session, the authentication session validity period, the authentication session time, the authentication session state, and the application token ID associated with the user authentication session. The user authentication session is further associated with, or comprises, the unique identification code of the terminal device 2.
The identity information may include basic information such as the user account, name, mailbox, telephone and state.
The application token information may include: an application token ID, a state, an application identification, an application address, an application token validity period, an authentication session ID associated with the application token, signature information for authenticating the application token, and the like.
S210: after the user authentication session is created, the authentication server 4 returns an authentication success message to the authentication client program 2C.
S211: after receiving the authentication success message, the authentication client program 2C applies for the application token from the authentication server 4 again.
S212: the authentication server 4 receives the reapplication for the application token from the authentication client program 2C and, in response to it, determines whether the user has been authenticated.
S213: if the user is determined to have passed identity authentication, the authentication server 4 issues the application token and establishes an association between the application token and the user authentication session.
Establishing an association relationship: for example, an application token ID of the application token is added to the user authentication session.
S214: the authentication server 4 returns the application token to the authentication client program 2C.
S215: the authentication client program 2C receives the application token and forwards the access request carrying the application token to the target server 6. The access request carrying the application token comprises the application token and the intercepted access request.
S216: the target server 6 receives and parses the access request carrying the application token to obtain the application token.
S217: the target server 6 sends the application token to the authentication server 4 to verify the application token.
S218: the authentication server 4 performs the verification operation on the application token. If verification succeeds, the process proceeds to step S219; otherwise an error message is returned to the target server 6, indicating that the application token failed verification. The verification operation may include verifying the token signature, the validity period and so on of the application token.
S219: the authentication server 4 retrieves the user authentication session associated with the application token and, if it is retrieved, obtains the user identity information associated with that user authentication session. The process proceeds to step S220.
S220: the authentication server 4 returns the user identity information to the target server 6.
S221: the target server 6 completes the user's login (online) according to the user identity information and directs the user to the application interface.
Case 2: as shown in fig. 3, the user logs in to the target server through the target application program while already authenticated. "Authenticated" means that the authentication server 4 has created a user authentication session for the user and that session is in a valid state.
S300: the terminal device 2 initiates an access request through a built-in target application program.
The target application program can be a browser 2A under a B/S architecture or an application client program 2B under a C/S architecture.
S301: the terminal device 2 intercepts the access request through a built-in authentication client program 2C to check whether the user is authenticated.
S302: the authentication client program 2C sends request information for applying for an application token to the authentication server 4 through the authentication interaction interface.
S303: the authentication server 4 receives the request information and, in response to it, retrieves, according to the unique identification code in the request information, whether a user authentication session associated with that unique identification code exists.
S304: if a user authentication session associated with the unique identification code is retrieved, the authentication server 4 determines that the user has passed identity authentication, issues the application token, and establishes an association between the application token and the user authentication session. Establishing the association: for example, the application token ID of the application token is added to the user authentication session.
S305: the authentication server 4 returns the application token to the authentication client program 2C.
S306: the authentication client program 2C receives the application token and forwards the access request carrying the application token to the target server 6. The access request carrying the application token comprises the application token and the intercepted access request.
S307: the target server 6 receives and parses the access request carrying the application token to obtain the application token.
S308: the target server 6 sends the application token to the authentication server 4 to verify the application token.
S309: the authentication server 4 performs the verification operation on the application token. If verification succeeds, the process proceeds to step S310; otherwise an error message is returned to the target server 6, indicating that the application token failed verification. The verification operation may include verifying the token signature, the validity period and so on of the application token.
S310: the authentication server 4 retrieves a user authentication session associated with the application token, and if the user authentication session is retrieved, acquires user identity information associated with the user authentication session based on the user authentication session.
S311: the authentication server 4 returns the user identity information to the target server 6.
S312: the target server 6 completes the user's login (online) according to the user identity information and directs the user to the application interface.
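Cases 1 and 2 above, condensed into an added Python example that is not code from the patent or from the applicant. The names AuthServer, target_server_handle, client_intercept and demo are this example's own; the signing key, the token and session lifetimes, the account "alice", the device unique identification code and the PBKDF2 password store are constructed for the demonstration. The application token is an HMAC-signed record, which is one way to realize the "authentication signature information for the token" that the patent lists; the check in target_server_handle that the token's application identification matches the receiving application is an added check, not a step of the patent.

```python
import hashlib
import hmac
import secrets
import time

# Constructed demo values (not from the patent): the authentication server's token
# signing key, token/session lifetimes and a PBKDF2 helper for its password store.
SIGNING_KEY = b"constructed-demo-signing-key"
SESSION_TTL, TOKEN_TTL = 3600, 600

def derive(salt, password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_user(password, identity):
    salt = secrets.token_bytes(16)
    return {"salt": salt, "pw_hash": derive(salt, password), "identity": identity}

class AuthServer:
    """Authentication server 4: sessions are retrieved by the terminal's unique identification code."""
    def __init__(self, users):
        self.users, self.sessions, self.tokens = users, {}, {}
        self.by_device = {}  # unique identification code (IMEI/UDID/MAC in the patent) -> session_id

    def _sign(self, token_id, app_id, session_id, expires_at):
        msg = f"{token_id}|{app_id}|{session_id}|{expires_at}".encode()
        return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()

    def apply_token(self, device_uid, app_id):
        """Application token application interface (S203-S204, S303-S305)."""
        session = self.sessions.get(self.by_device.get(device_uid))
        if session is None or session["state"] != "valid" or session["expires_at"] < time.time():
            return {"status": "unauthenticated"}
        token_id, expires_at = secrets.token_hex(8), int(time.time()) + TOKEN_TTL
        token = {"token_id": token_id, "app_id": app_id, "session_id": session["session_id"],
                 "expires_at": expires_at,
                 "signature": self._sign(token_id, app_id, session["session_id"], expires_at)}
        self.tokens[token_id] = token
        session["token_ids"].append(token_id)  # bind the token to the session (S213)
        return {"status": "token", "token": token}

    def authenticate(self, device_uid, account, password):
        """User authentication interface (S208-S210): check credentials, create the session."""
        rec = self.users.get(account)
        if rec is None or not hmac.compare_digest(rec["pw_hash"], derive(rec["salt"], password)):
            return {"status": "error", "reason": "bad credentials"}
        sid = secrets.token_hex(8)
        self.sessions[sid] = {"session_id": sid, "account": account, "state": "valid",
                              "expires_at": time.time() + SESSION_TTL, "token_ids": []}
        self.by_device[device_uid] = sid
        return {"status": "authenticated"}

    def verify_token(self, token):
        """Application token validation interface (S218-S220): signature, validity period, session."""
        stored = self.tokens.get(token.get("token_id"))
        if stored is None:
            return {"status": "error", "reason": "unknown token"}
        expected = self._sign(stored["token_id"], token.get("app_id"), token.get("session_id"),
                              token.get("expires_at"))
        if not hmac.compare_digest(expected, str(token.get("signature"))):
            return {"status": "error", "reason": "bad signature"}
        if stored["expires_at"] < time.time():
            return {"status": "error", "reason": "token expired"}
        session = self.sessions.get(stored["session_id"])
        if session is None or session["state"] != "valid":
            return {"status": "error", "reason": "no valid user authentication session"}
        return {"status": "ok", "identity": dict(self.users[session["account"]]["identity"])}

def target_server_handle(auth, app_id, request):
    """Target server 6 (a B/S or C/S application server program), S216-S221."""
    token = request.get("application_token")
    if token is None or token.get("app_id") != app_id:  # added check: token issued for this app
        return {"login": "rejected", "reason": "missing token or wrong application"}
    result = auth.verify_token(token)
    if result["status"] != "ok":
        return {"login": "rejected", "reason": result["reason"]}
    return {"login": "approved", "user": result["identity"]["account"]}

def client_intercept(auth, device_uid, prompt, app_id, request):
    """Authentication client program 2C, S201-S215; prompt() stands in for its login interface."""
    r = auth.apply_token(device_uid, app_id)  # S202
    if r["status"] == "unauthenticated":      # S204-S207, then reapply (S211)
        account, password = prompt()
        if auth.authenticate(device_uid, account, password)["status"] != "authenticated":
            return {"login": "blocked", "reason": "authentication failed"}
        r = auth.apply_token(device_uid, app_id)
    if r["status"] != "token":
        return {"login": "blocked", "reason": "no application token"}
    return target_server_handle(auth, app_id, dict(request, application_token=r["token"]))  # S215

def demo(password_entered="correct horse"):
    """Case 1 (browser 2A, not yet authenticated) followed by case 2 (client 2B, same terminal)."""
    auth = AuthServer({"alice": make_user("correct horse", {"account": "alice", "name": "Alice"})})
    prompts = []
    def prompt():  # the login authentication interface of 2C; counts how often the user is asked
        prompts.append(1)
        return "alice", password_entered
    device = "constructed-device-uid-0001"
    first = client_intercept(auth, device, prompt, "bs-app", {"path": "/home"})
    second = client_intercept(auth, device, prompt, "cs-app", {"op": "sync"})
    return first, second, len(prompts), auth
```

Running demo() performs case 1 (first access through the browser: unauthenticated message, login, reapplication, token) and case 2 (second access through the C/S client on the same terminal: the token is issued straight away and the user is prompted only once). Because the session is retrieved by the terminal's unique identification code, every application program on that terminal shares it, which is why the offline flows in cases 3 and 4 have to clear the session and all tokens bound to it.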
Case 3: as shown in fig. 4, the user logs off within the target application program 2A or 2B.
The terminal device 2 receives an exit instruction operated by the user on the GUI of the target application program. The exit instruction comprises an instruction triggered by an exit or close button on the GUI, or by an exit or close link.
The terminal device 2 sends the exit instruction to the target server 6.
S400: the target server 6 logs the user out according to the exit instruction.
S401: the target server 6 clears the on-line information of the user in the target server 6 to implement the off-line of the user.
S402: the target server 6 sends a logoff notification of the user to the authentication server 4.
S403: the authentication server 4 receives the offline notification from the target server 6 and, in response to it: retrieves the user authentication session of the user and clears the application token issued to the user; and determines whether to maintain the user authentication session. If the authentication server 4 determines that the user authentication session is associated with a plurality of application server programs, the process proceeds to step S404; if not, the process proceeds to step S405.
S404: the user authentication session is associated with a plurality of application server programs. And if one application server program executes user offline, deleting the associated information of the application server program from the user authentication session, and continuously maintaining the associated information of other applications. The association information may be an identification of the application server program in the user authentication session.
S405: the user authentication session is associated with only one application server program. And if the application server program executes the user offline, logging off the user authentication session.
S406: the authentication server 4 sends a notification message indicating that the user has gone offline to the authentication client program 2C.
S407: the authentication client program 2C executes the user offline.
Case 4: as shown in fig. 5, the user logs off the line in the authentication client program 2C.
The authentication client program 2C receives an exit instruction input by the user.
The exit instruction comprises an instruction of exiting or closing a button triggered on the GUI interface or an instruction of exiting or closing a link.
S500: in response to the exit instruction, the authentication client program 2C logs out the user.
S501: a logout notification message indicating "user logout" is sent to the authentication server 4.
S502: in response to the logout notification message, the authentication server 4 logs out the user authentication session associated with the user.
S503: the authentication server 4 clears the application token issued for the user.
S504: a user offline notification is broadcast to the various application server programs in the target server 6.
S505: the target server 6 logs the user out according to the user offline notification.
S506: the target server 6 clears the user's online information to take the user offline.
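Cases 3 and 4 above, condensed into an added Python example that is not code from the patent or from the applicant. It models how the authentication server decides between updating and deregistering a user authentication session when one application server program takes the user offline (S403-S405), and how a logout in the authentication client program clears every issued token and broadcasts the offline notification (S502-S506). The class and function names, the session and token identifiers, the account names and the two application identifiers are constructed for the demonstration; the S406 notification back to the authentication client program is left out.

```python
class AuthServer:
    """Authentication server 4: user authentication sessions and the tokens bound to them."""
    def __init__(self):
        self.sessions = {}     # session_id -> {"account", "state", "apps": {app_id: token_id}}
        self.tokens = {}       # token_id -> session_id, for tokens issued and not yet cleared
        self.app_servers = {}  # app_id -> AppServer, recipients of the offline broadcast (S504)

    def create_session(self, session_id, account):
        self.sessions[session_id] = {"account": account, "state": "valid", "apps": {}}

    def issue_token(self, session_id, app_id, token_id):
        # Binding a token to the session is what records the association between the
        # session and an application server program (S213/S304); one session may hold several.
        self.sessions[session_id]["apps"][app_id] = token_id
        self.tokens[token_id] = session_id

    def on_app_server_offline(self, session_id, app_id):
        """Case 3, S403-S405: one application server program took the user offline."""
        session = self.sessions[session_id]
        token_id = session["apps"].pop(app_id, None)
        if token_id is not None:
            del self.tokens[token_id]          # clear the token issued for that application
        if session["apps"]:                    # other associations remain: only update (S404)
            return "updated"
        session["state"] = "logged_out"        # last association gone: deregister (S405)
        return "deregistered"

    def on_client_logout(self, session_id):
        """Case 4, S502-S504: the user logged out in the authentication client program 2C."""
        session = self.sessions[session_id]
        session["state"] = "logged_out"        # S502: deregister the session
        notified = []
        for app_id, token_id in list(session["apps"].items()):
            self.tokens.pop(token_id, None)    # S503: clear every token issued for the user
            self.app_servers[app_id].on_offline_notification(session["account"])  # S504
            notified.append(app_id)
        session["apps"].clear()
        return notified


class AppServer:
    """One application server program inside target server 6."""
    def __init__(self, app_id, auth):
        self.app_id, self.auth, self.online = app_id, auth, {}  # online: account -> session_id
        auth.app_servers[app_id] = self

    def login(self, account, session_id):
        self.online[account] = session_id                       # S221/S312: user brought online

    def on_exit_instruction(self, account):
        """Case 3, S400-S402: exit or close triggered in the target application's GUI."""
        session_id = self.online.pop(account, None)             # S401: clear online information
        if session_id is None:
            return None
        return self.auth.on_app_server_offline(session_id, self.app_id)  # S402: notify server 4

    def on_offline_notification(self, account):
        self.online.pop(account, None)                          # S505-S506: take the user offline


def run_case3():
    """Constructed scenario: one session, two application server programs, exited one after the other."""
    auth = AuthServer()
    web, desktop = AppServer("bs-app", auth), AppServer("cs-app", auth)
    auth.create_session("sess-1", "alice")
    auth.issue_token("sess-1", "bs-app", "tok-a")
    web.login("alice", "sess-1")
    auth.issue_token("sess-1", "cs-app", "tok-b")
    desktop.login("alice", "sess-1")
    first = web.on_exit_instruction("alice")
    state_after_first = auth.sessions["sess-1"]["state"]
    second = desktop.on_exit_instruction("alice")
    return first, state_after_first, second, auth.sessions["sess-1"]["state"], sorted(auth.tokens)


def run_case4():
    """Constructed scenario: the user logs out in 2C while online in two application server programs."""
    auth = AuthServer()
    web, desktop = AppServer("bs-app", auth), AppServer("cs-app", auth)
    auth.create_session("sess-2", "bob")
    auth.issue_token("sess-2", "bs-app", "tok-c")
    web.login("bob", "sess-2")
    auth.issue_token("sess-2", "cs-app", "tok-d")
    desktop.login("bob", "sess-2")
    notified = auth.on_client_logout("sess-2")
    return sorted(notified), auth.sessions["sess-2"]["state"], sorted(auth.tokens), web.online, desktop.online
```

run_case3() shows the update-versus-deregister decision: after the browser application exits, the session is only updated and stays valid for the C/S client; after the second exit the session is deregistered and no tokens remain. run_case4() shows the client-side logout tearing down everything at once and leaving both application server programs with no online user.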
Embodiment two
In the present embodiment, the terminal device 2 is taken as the executing subject for the description; for technical details and effects, reference may be made to embodiment one. The terminal device 2 has built into it an authentication client program and a plurality of application programs, including a browser and an application client program.
Fig. 6 schematically shows a flowchart of a single sign-on method according to a second embodiment of the invention.
As shown in fig. 6, the single sign-on method may include performing steps S600 to S604 by the authentication client program 2C, wherein:
step S600, an access request sent by a user through a target application program is intercepted, where the target application program is any one of the plurality of application programs.
Step S602, obtaining an application token from an authentication server according to the access request, wherein the application token is used for indicating that the user passes identity authentication and has access right.
Step S604, forwarding the access request and the application token to a target server, so that the target server verifies the application token and executes a response to the access request according to the verification result, where the response is an approval or a rejection of the login.
As an example, the obtaining an application token from an authentication server according to the access request includes:
generating request information for applying for the application token in response to the access request, the request information including a unique identification code associated with the terminal device;
sending the request information to the authentication server to cause the authentication server to: retrieving a user authentication session associated with the unique identification code, and if the user authentication session is retrieved, determining that the user has passed identity authentication and issued the application token, and returning the application token to the authentication client program; the user authentication session is used for maintaining authentication information and identity information of the user.
As an example, the obtaining an application token from an authentication server according to the access request includes:
generating request information for applying for the application token in response to the access request, the request information including a unique identification code associated with the terminal device;
sending the request information to the authentication server to cause the authentication server to: retrieving a user authentication session associated with the unique identification code, and if the user authentication session is not retrieved, determining that the user fails the identity authentication and returning an unauthenticated message to the authentication client program, wherein the unauthenticated message is used for indicating that the user fails the identity authentication, and the user authentication session is used for maintaining authentication information and identity information of the user;
receiving the unauthenticated message, and displaying a login authentication interface based on the unauthenticated message;
receiving input identity authentication information through the login authentication interface, and sending the identity authentication information to the authentication server so that the authentication server: verifying the user according to the identity authentication information, creating the user authentication session under the condition that the user authentication is successful, and returning an authentication success message to the authentication client program, wherein the authentication success message is used for indicating that the user passes the identity authentication; and
receiving the authentication success message, and applying to the authentication server again for the application token, so that the authentication server, in the case that the user authentication session has been created, determines that the user has passed identity authentication, issues the application token in response to the renewed application, and returns the application token to the authentication client program.
As an example, the method further comprises performing a user offline operation through the authentication client program by the following steps:
receiving an exit operation for the user; and
in response to the exit operation, logging out the user and sending a user logout notification to the authentication server, so that the authentication server logs off the user authentication session, clears the application token, and sends a user offline notification to the target server so that the target server takes the user offline.
As an example, the method further comprises performing a user offline operation through the target application program by the following steps:
receiving an exit operation for the user; and
in response to the exit operation, generating a notification message indicating that the user is going offline and sending the notification message to the target server, so that the target server performs at least one of the following operations: taking the user offline, and notifying the authentication server to log off or update the user authentication session and clear the application token.
Embodiment three
In this embodiment the authentication server 4 is the execution subject; for technical details and effects, refer to the first embodiment.
Fig. 7 schematically shows a flowchart of a single sign-on method according to the third embodiment of the present invention. The single sign-on method of the third embodiment is described below with the authentication server 4 as the execution subject.
As shown in fig. 7, the single sign-on method may include steps S700 to S704, in which:
step S700, receiving request information for requesting an application token, sent by the terminal device through the authentication client program; the authentication client program is built into the terminal device and is used to intercept an access request of a user in the terminal device and to apply for the application token based on the access request, the application token being used to indicate that the user has passed identity authentication and has access rights;
step S702, judging whether the user passes the identity authentication according to the request information, and determining whether to issue the application token according to the judgment result; and
step S704, if the user has passed the identity authentication, issuing the application token, and returning the application token to the authentication client program, so that the authentication client program forwards the access request and the application token to a target server, so that the target server performs login according to the access request and the application token.
As an example, the request information comprises a unique identification code associated with the terminal device; the judging whether the user passes the identity authentication according to the request information and determining whether to issue the application token according to the judging result comprises the following steps:
retrieving a user authentication session associated with the unique identification code, and if the user authentication session is retrieved, determining that the user has passed identity authentication and determining to issue the application token, the application token being bound to the user authentication session, the user authentication session being used to maintain authentication information and identity information of the user.
As an example, the request information comprises a unique identification code associated with the terminal device; the judging whether the user passes the identity authentication according to the request information and determining whether to issue the application token according to the judging result comprises the following steps:
retrieving a user authentication session associated with the unique identification code, and if the user authentication session is not retrieved, determining that the user has not passed identity authentication and returning an unauthenticated message to the authentication client program, so that the authentication client program submits identity authentication information according to the unauthenticated message; the unauthenticated message is used to indicate that the user has not passed identity authentication, and the user authentication session is used to maintain the authentication information and identity information of the user;
receiving the identity authentication information submitted by the authentication client program;
verifying the user according to the identity authentication information;
if the user verification is successful, establishing the user authentication session and returning an authentication success message to the authentication client program, so that the authentication client program applies for the application token to the authentication server again based on the authentication success message; the authentication success message is used for indicating that the user passes identity authentication; and
in response to a reapplication of the authentication client program: in a case where the user authentication session has been created, determining that the user has been authenticated and determining to issue the application token, the application token being bound to the user authentication session.
As an example, it further includes:
receiving a user logout notification provided by the authentication client program; and
in response to the user logout notification: logging off the user authentication session, clearing the application token, and sending a user offline notification to the target server to enable the target server to offline the user.
As an example, it further includes:
receiving a user offline notification provided by the target server; and
in response to the user offline notification: logging off or updating the user authentication session, and clearing the application token.
As an example, the user authentication session is associated with one or more application server programs in the target server, and the logging off or updating of the user authentication session includes:
if the user authentication session is associated with a single application server program in the target server, logging off the user authentication session; or
if the user authentication session is associated with a plurality of application server programs in the target server, and the user offline notification results from the target application server program among the plurality of application server programs taking the user offline, updating the user authentication session so as to delete the association information of that target application server program from the user authentication session.
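The exchange described in the second and third embodiments (token request keyed by the terminal's unique identification code, login on an unauthenticated reply, renewed application, verification by the target server) together with the two offline paths above, as an added example in Python. It is not code from the patent or from any product of the applicant. The names `AuthServer`, `TargetServer`, `AuthClient`, the constructed user table `USERS` and device code `DEVICE_ID`, the in-memory session store, and the token format (base64url JSON claims carrying a session id, the application name and an expiry, authenticated with HMAC-SHA256 under a key shared by the authentication server) are all assumptions of this example; the patent does not specify how the token is encoded or how the target server verifies it, and here the target server verifies by calling the authentication server's `verify`.

```python
import base64, hashlib, hmac, json, secrets, time

# Constructed data for this example (not from the patent): one user and one terminal.
USERS = {"alice": "correct horse battery staple"}
DEVICE_ID = "dev-7f3a"  # unique identification code the client sends with each token request


class AuthServer:
    """Sessions are keyed by the terminal's unique identification code and every application
    token is bound to one (session, app) pair. Token format is this example's assumption:
    base64url(JSON claims) + "." + hex(HMAC-SHA256 over the payload)."""
    def __init__(self, key, clock=time.time):
        self.key, self.clock = key, clock
        self.sessions = {}  # device_id -> {"sid", "user", "apps": set()}
        self.live = set()   # (sid, app) pairs whose application token is still valid
        self.targets = {}   # app -> TargetServer, for user offline notifications
    def _mac(self, payload):
        return hmac.new(self.key, payload.encode(), hashlib.sha256).hexdigest()
    def request_token(self, device_id, app):  # S702/S704: issue only if a session exists
        s = self.sessions.get(device_id)
        if s is None:
            return {"status": "unauthenticated"}
        s["apps"].add(app)
        self.live.add((s["sid"], app))
        claims = {"sid": s["sid"], "sub": s["user"], "app": app, "exp": int(self.clock()) + 300}
        payload = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
        return {"status": "ok", "token": payload + "." + self._mac(payload)}
    def authenticate(self, device_id, user, password):  # credentials from the login interface
        if not hmac.compare_digest(USERS.get(user, "").encode(), password.encode()):
            return {"status": "failed"}
        self.sessions[device_id] = {"sid": secrets.token_hex(8), "user": user, "apps": set()}
        return {"status": "authenticated"}
    def verify(self, token):  # used by target servers: MAC, expiry, (session, app) still live
        payload, _, mac = token.partition(".")
        if not mac or not hmac.compare_digest(mac, self._mac(payload)):
            return None
        claims = json.loads(base64.urlsafe_b64decode(payload))
        if claims["exp"] < self.clock() or (claims["sid"], claims["app"]) not in self.live:
            return None
        return claims
    def user_logout(self, device_id):  # logout at the client: cancel session, clear tokens
        s = self.sessions.pop(device_id, None)
        for app in (s["apps"] if s else ()):
            self.live.discard((s["sid"], app))
            self.targets[app].offline(s["user"])  # user offline notification to each target
    def app_offline(self, sid, app):  # notice from a target server: last app -> cancel, else detach
        for device_id, s in list(self.sessions.items()):
            if s["sid"] == sid:
                self.live.discard((sid, app))
                s["apps"].discard(app)
                if not s["apps"]:
                    del self.sessions[device_id]


class TargetServer:
    """Server of one application: verifies the forwarded token and approves or rejects login."""
    def __init__(self, app, auth):
        self.app, self.auth, self.logged_in = app, auth, {}  # logged_in: user -> sid
        auth.targets[app] = self
    def handle(self, request, token):
        claims = self.auth.verify(token)
        if claims is None or claims["app"] != self.app:  # also rejects a token issued for another app
            return "login rejected"
        self.logged_in[claims["sub"]] = claims["sid"]
        return "login approved"
    def offline(self, user):
        self.logged_in.pop(user, None)
    def user_exit(self, user):  # the application's own logout: offline locally, then notify
        sid = self.logged_in.pop(user, None)
        if sid is not None:
            self.auth.app_offline(sid, self.app)


class AuthClient:
    """Authentication client on the terminal: intercept, apply for the token, forward."""
    def __init__(self, device_id, auth, credentials):
        self.device_id, self.auth, self.credentials = device_id, auth, credentials
        self.logins_shown = 0  # how often the login interface had to be displayed
    def intercept(self, request, target):
        reply = self.auth.request_token(self.device_id, target.app)
        if reply["status"] == "unauthenticated":
            self.logins_shown += 1
            user, password = self.credentials()  # stands in for the login authentication interface
            if self.auth.authenticate(self.device_id, user, password)["status"] != "authenticated":
                return "login rejected"
            reply = self.auth.request_token(self.device_id, target.app)  # reapply after login
        return target.handle(request, reply["token"])


def run_scenario():
    """One terminal, two applications: first login, silent second login, both offline paths."""
    auth = AuthServer(key=secrets.token_bytes(32))
    mail, wiki = TargetServer("mail", auth), TargetServer("wiki", auth)
    client = AuthClient(DEVICE_ID, auth, lambda: ("alice", USERS["alice"]))
    out = {"first": client.intercept({"path": "/inbox"}, mail)}  # no session: login, then token
    out["second"] = client.intercept({"path": "/page"}, wiki)    # session found: no login shown
    out["logins_shown"] = client.logins_shown
    mail_token = auth.request_token(DEVICE_ID, "mail")["token"]
    wiki_token = auth.request_token(DEVICE_ID, "wiki")["token"]
    out["cross_app"] = mail.handle({"path": "/inbox"}, wiki_token)
    out["tampered"] = auth.verify(mail_token[:-1] + ("0" if mail_token[-1] != "0" else "1"))
    wiki.user_exit("alice")        # exit from one application: session updated, not cancelled
    out["wiki_after_exit"] = auth.verify(wiki_token)
    out["mail_after_exit"] = auth.verify(mail_token) is not None
    out["session_kept"] = DEVICE_ID in auth.sessions
    auth.user_logout(DEVICE_ID)    # logout at the authentication client: session cancelled
    out["mail_after_logout"] = auth.verify(mail_token)
    out["mail_logged_in"] = "alice" in mail.logged_in
    return out
```

Binding each token to a (session, application) pair is what makes the update-versus-cancel distinction above enforceable: when one application takes the user offline, only that pair is cleared and tokens for the other applications on the same session keep verifying, while a logout at the authentication client removes every pair and notifies every target server. The same binding lets a target server reject a token that was issued for a different application on the same terminal, which a token carrying only the device code could not express.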
Embodiment four
Fig. 8 schematically shows a block diagram of a single sign-on apparatus according to a fourth embodiment of the invention. The single sign-on apparatus is partitioned into program modules, one or more of which are stored in a storage medium and executed by a processor to implement the embodiments of the invention. The program modules referred to in the embodiments of the present invention are series of computer program instruction segments that perform specific functions; the following description specifically describes the functions of the program modules in the embodiments. The single sign-on apparatus 800 is used in the terminal device 2, which has a built-in authentication client program and a plurality of application programs including a browser and an application client program.
As shown in fig. 8, the single sign-on apparatus 800 may include an authentication login module 810. Wherein:
an authentication login module 810, configured to perform the following operations by the authentication client:
intercepting an access request sent by a user through a target application program, wherein the target application program is any one of the plurality of application programs;
acquiring an application token from an authentication server according to the access request, wherein the application token is used for indicating that the user passes identity authentication and has access right; and
forwarding the access request and the application token to a target server, so that the target server verifies the application token and executes a response to the access request according to the verification result, the response including login approval or login rejection.
Optionally, the authentication login module 810 is further configured to:
generating request information for applying for the application token in response to the access request, the request information including a unique identification code associated with the terminal device;
sending the request information to the authentication server, so that the authentication server retrieves a user authentication session associated with the unique identification code and, if the user authentication session is retrieved, determines that the user has passed identity authentication, issues the application token, and returns the application token to the authentication client program; the user authentication session is used to maintain the authentication information and identity information of the user.
Optionally, the authentication login module 810 is further configured to:
generating request information for applying for the application token in response to the access request, the request information including a unique identification code associated with the terminal device;
sending the request information to the authentication server to cause the authentication server to: retrieving a user authentication session associated with the unique identification code, and if the user authentication session is not retrieved, determining that the user fails the identity authentication and returning an unauthenticated message to the authentication client program, wherein the unauthenticated message is used for indicating that the user fails the identity authentication, and the user authentication session is used for maintaining authentication information and identity information of the user;
receiving the unauthenticated message, and displaying a login authentication interface based on the unauthenticated message;
receiving input identity authentication information through the login authentication interface, and sending the identity authentication information to the authentication server so that the authentication server: verifying the user according to the identity authentication information, creating the user authentication session under the condition that the user authentication is successful, and returning an authentication success message to the authentication client program, wherein the authentication success message is used for indicating that the user passes the identity authentication; and
receiving the authentication success message, and applying to the authentication server again for the application token, so that the authentication server, in the case that the user authentication session has been created, determines that the user has passed identity authentication, issues the application token in response to the renewed application, and returns the application token to the authentication client program.
Optionally, the apparatus 800 further includes an offline module, configured to perform a user offline operation through the authentication client program:
receiving an exit operation for the user; and
in response to the exit operation, logging out the user and sending a user logout notification to the authentication server, so that the authentication server logs off the user authentication session, clears the application token, and sends a user offline notification to the target server so that the target server takes the user offline.
Optionally, the apparatus 800 further includes an offline module, configured to perform a user offline operation through the target application program:
receiving an exit operation for the user; and
in response to the exit operation, generating a notification message indicating that the user is going offline and sending the notification message to the target server, so that the target server performs at least one of the following operations: taking the user offline, and notifying the authentication server to log off or update the user authentication session and clear the application token.
Embodiment five
Fig. 9 schematically shows a block diagram of a single sign-on apparatus according to a fifth embodiment of the invention. The single sign-on apparatus is partitioned into program modules, one or more of which are stored in a storage medium and executed by a processor to implement the embodiments of the invention. The program modules referred to in the embodiments of the present invention are series of computer program instruction segments that perform specific functions; the following description specifically describes the functions of the program modules in the embodiments. The single sign-on apparatus 900 is used in the authentication server 4; the terminal device served by it has a plurality of application programs including a browser and an application client program.
As shown in fig. 9, the single sign-on apparatus 900 may include a receiving module 910, a determining module 920, and an issuing module 930. Wherein:
a receiving module 910, configured to receive request information for requesting an application token, sent by a terminal device through an authentication client program; the authentication client program is built into the terminal device and is used to intercept an access request of a user in the terminal device and to apply for the application token based on the access request, the application token being used to indicate that the user has passed identity authentication and has access rights;
a determining module 920, configured to determine whether the user passes identity authentication according to the request information, and determine whether to issue the application token according to a determination result; and
an issuing module 930, configured to issue the application token if the user has been authenticated, and return the application token to the authentication client program, so that the authentication client program forwards the access request and the application token to a target server, so that the target server performs login according to the access request and the application token.
Optionally, the request information includes a unique identification code associated with the terminal device; the determining module 920 is further configured to:
retrieving a user authentication session associated with the unique identification code, and if the user authentication session is retrieved, determining that the user has passed identity authentication and determining to issue the application token, the application token being bound to the user authentication session, the user authentication session being used to maintain authentication information and identity information of the user.
Optionally, the request information includes a unique identification code associated with the terminal device; the determining module 920 is further configured to:
retrieving a user authentication session associated with the unique identification code, and if the user authentication session is not retrieved, determining that the user has not passed identity authentication and returning an unauthenticated message to the authentication client program, so that the authentication client program submits identity authentication information according to the unauthenticated message; the unauthenticated message is used to indicate that the user has not passed identity authentication, and the user authentication session is used to maintain the authentication information and identity information of the user;
receiving the identity authentication information submitted by the authentication client program;
verifying the user according to the identity authentication information;
if the user verification is successful, establishing the user authentication session and returning an authentication success message to the authentication client program, so that the authentication client program applies for the application token to the authentication server again based on the authentication success message; the authentication success message is used for indicating that the user passes identity authentication; and
in response to a reapplication of the authentication client program: in a case where the user authentication session has been created, determining that the user has been authenticated and determining to issue the application token, the application token being bound to the user authentication session.
Optionally, the apparatus 900 further comprises an offline module, configured to:
receiving a user logout notification provided by the authentication client program; and
in response to the user logout notification: logging off the user authentication session, clearing the application token, and sending a user offline notification to the target server so that the target server takes the user offline.
Optionally, the apparatus 900 further comprises an offline module, configured to:
receiving a user offline notification provided by the target server; and
in response to the user offline notification: logging off or updating the user authentication session, and clearing the application token.
Optionally, the user authentication session is associated with one or more application server programs in the target server, and the offline module is further configured to:
if the user authentication session is associated with a single application server program in the target server, log off the user authentication session; or
if the user authentication session is associated with a plurality of application server programs in the target server, and the user offline notification results from the target application server program among the plurality of application server programs taking the user offline, update the user authentication session so as to delete the association information of that target application server program from the user authentication session.
Embodiment six
Fig. 10 schematically shows a hardware architecture diagram of a computer device 10000 suitable for implementing the single sign-on method according to a sixth embodiment of the present invention. The computer device 10000 may serve as any one of the terminal device 2, the authentication server 4 and the target server 6. In this embodiment, the computer device 10000 is a device capable of automatically performing numerical calculation and/or information processing according to preset or stored instructions; for example, it may be a smart phone, a tablet computer, a notebook computer, a desktop computer, a rack server, a blade server or a tower server (including an independent server or a server cluster composed of a plurality of servers), a gateway, and the like. As shown in fig. 10, the computer device 10000 includes at least, but is not limited to, a memory 10010, a processor 10020 and a network interface 10030, which may be communicatively linked to each other via a system bus. Wherein:
the memory 10010 includes at least one type of computer-readable storage medium including a flash memory, a hard disk, a multimedia card, a card-type memory (e.g., SD or DX memory, etc.), a Random Access Memory (RAM), a Static Random Access Memory (SRAM), a read-only memory (ROM), an electrically erasable programmable read-only memory (EEPROM), a programmable read-only memory (PROM), a magnetic memory, a magnetic disk, an optical disk, and the like. In some embodiments, the storage 10010 may be an internal storage module of the computer device 10000, such as a hard disk or a memory of the computer device 10000. In other embodiments, the memory 10010 may also be an external storage device of the computer device 10000, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) Card, a Flash memory Card (Flash Card), or the like, provided on the computer device 10000. Of course, the memory 10010 may also include both internal and external memory modules of the computer device 10000. In this embodiment, the memory 10010 is generally configured to store an operating system and various application software installed on the computer device 10000, such as program codes of a single sign-on method. In addition, the memory 10010 may also be used to temporarily store various types of data that have been output or are to be output.
Processor 10020, in some embodiments, can be a Central Processing Unit (CPU), controller, microcontroller, microprocessor, or other data Processing chip. The processor 10020 is generally configured to control overall operations of the computer device 10000, such as performing control and processing related to data interaction or communication with the computer device 10000. In this embodiment, the processor 10020 is configured to execute program codes stored in the memory 10010 or process data.
The network interface 10030 may comprise a wireless network interface or a wired network interface, and is generally used to establish a communication link between the computer device 10000 and other computer devices. For example, the network interface 10030 is used to connect the computer device 10000 to an external terminal through a network and to establish a data transmission channel and a communication link between the computer device 10000 and the external terminal. The network may be a wireless or wired network such as an Intranet, the Internet, a Global System for Mobile Communications (GSM) network, a Wideband Code Division Multiple Access (WCDMA) network, a 4G network, a 5G network, Bluetooth, or Wi-Fi.
It should be noted that fig. 10 only illustrates a computer device having the components 10010 to 10030, but it is to be understood that not all illustrated components are required and that more or fewer components may be implemented instead.
In this embodiment, the single sign-on method stored in the memory 10010 can be further divided into one or more program modules and executed by a processor (in this embodiment, the processor 10020) to implement the embodiment of the present invention.
Embodiment seven
The present invention also provides a computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of the single sign-on method of an embodiment.
In this embodiment, the computer-readable storage medium includes a flash memory, a hard disk, a multimedia card, a card type memory (e.g., SD or DX memory, etc.), a Random Access Memory (RAM), a Static Random Access Memory (SRAM), a Read Only Memory (ROM), an Electrically Erasable Programmable Read Only Memory (EEPROM), a Programmable Read Only Memory (PROM), a magnetic memory, a magnetic disk, an optical disk, and the like. In some embodiments, the computer readable storage medium may be an internal storage unit of the computer device, such as a hard disk or a memory of the computer device. In other embodiments, the computer readable storage medium may be an external storage device of the computer device, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) Card, a Flash memory Card (Flash Card), and the like provided on the computer device. Of course, the computer-readable storage medium may also include both internal and external storage devices of the computer device. In this embodiment, the computer-readable storage medium is generally used for storing an operating system and various types of application software installed in the computer device, for example, the program code of the single sign-on method in the embodiment, and the like. Further, the computer-readable storage medium may also be used to temporarily store various types of data that have been output or are to be output.
It will be apparent to those skilled in the art that the modules or steps of the embodiments of the invention described above may be implemented by a general-purpose computing device; they may be centralized on a single computing device or distributed across a network of multiple computing devices. Alternatively, they may be implemented as program code executable by a computing device, so that they can be stored in a storage device and executed by the computing device; in some cases the steps shown or described may be performed in an order different from that described herein, or they may be fabricated separately into individual integrated circuit modules, or several of them may be fabricated into a single integrated circuit module. Thus, embodiments of the invention are not limited to any specific combination of hardware and software.
The above description is only a preferred embodiment of the present invention, and not intended to limit the scope of the present invention, and all modifications of equivalent structures and equivalent processes, which are made by using the contents of the present specification and the accompanying drawings, or directly or indirectly applied to other related technical fields, are included in the scope of the present invention.

Claims (21)

1. A single sign-on method applied to a terminal device, wherein the terminal device has a built-in authentication client program and a plurality of application programs, the plurality of application programs including a browser and an application client program; the method comprises performing the following operations through the authentication client program:
intercepting an access request sent by a user through a target application program, the target application program being any one of the plurality of application programs;
obtaining an application token from an authentication server according to the access request, the application token being used to indicate that the user has passed identity authentication and has access rights; and
forwarding the access request and the application token to a target server, so that the target server verifies the application token and executes a response to the access request according to the verification result, the response including login approval or login rejection.

2. The single sign-on method according to claim 1, wherein obtaining an application token from an authentication server according to the access request comprises:
in response to the access request, generating request information for applying for the application token, the request information including a unique identification code associated with the terminal device;
sending the request information to the authentication server, so that the authentication server retrieves a user authentication session associated with the unique identification code and, if the user authentication session is retrieved, determines that the user has passed identity authentication, issues the application token, and returns the application token to the authentication client program; wherein the user authentication session is used to maintain the authentication information and identity information of the user.

3. The single sign-on method according to claim 1, wherein obtaining an application token from an authentication server according to the access request comprises:
in response to the access request, generating request information for applying for the application token, the request information including a unique identification code associated with the terminal device;
sending the request information to the authentication server, so that the authentication server retrieves a user authentication session associated with the unique identification code and, if the user authentication session is not retrieved, determines that the user has not passed identity authentication and returns an unauthenticated message to the authentication client program, the unauthenticated message being used to indicate that the user has not passed identity authentication, and the user authentication session being used to maintain the authentication information and identity information of the user;
receiving the unauthenticated message, and displaying a login authentication interface based on the unauthenticated message;
receiving input identity authentication information through the login authentication interface, and sending the identity authentication information to the authentication server, so that the authentication server verifies the user according to the identity authentication information and, if the user is verified successfully, creates the user authentication session and returns an authentication success message to the authentication client program, the authentication success message being used to indicate that the user has passed identity authentication; and
receiving the authentication success message, and applying to the authentication server again for the application token, so that the authentication server, in the case that the user authentication session has been created, determines that the user has passed identity authentication, issues the application token in response to the renewed application, and returns the application token to the authentication client program.

4. The single sign-on method according to claim 2 or 3, further comprising performing a user offline operation through the authentication client program:
receiving an exit operation for the user; and
in response to the exit operation, logging out the user and sending a user logout notification to the authentication server, so that the authentication server logs off the user authentication session, clears the application token, and sends a user offline notification to the target server so that the target server takes the user offline.

5. The single sign-on method according to claim 2 or 3, further comprising performing a user offline operation through the target application program:
receiving an exit operation for the user; and
in response to the exit operation, generating a notification message indicating that the user is going offline and sending the notification message to the target server, so that the target server performs at least one of the following operations: taking the user offline, and notifying the authentication server to log off or update the user authentication session and clear the application token.

6. A single sign-on apparatus applied to a terminal device, wherein the terminal device has a built-in authentication client program and a plurality of application programs, the plurality of application programs including a browser and an application client program; the apparatus comprises:
an authentication login module, configured to perform the following operations through the authentication client program:
intercepting an access request sent by a user through a target application program, the target application program being any one of the plurality of application programs;
obtaining an application token from an authentication server according to the access request, the application token being used to indicate that the user has passed identity authentication and has access rights; and
forwarding the access request and the application token to a target server, so that the target server verifies the application token and executes a response to the access request according to the verification result, the response including login approval or login rejection.

7. A single sign-on method for use in an authentication server, wherein the method comprises:
receiving request information for requesting an application token, sent by a terminal device through an authentication client program; the authentication client program being built into the terminal device and used to intercept an access request of a user in the terminal device and to apply for the application token based on the access request, the application token being used to indicate that the user has passed identity authentication and has access rights;
judging whether the user has passed identity authentication according to the request information, and determining whether to issue the application token according to the judgment result; and
if the user has passed identity authentication, issuing the application token and returning the application token to the authentication client program, so that the authentication client program forwards the access request and the application token to a target server, so that the target server performs login according to the access request and the application token.

8. The single sign-on method according to claim 7, wherein the request information includes a unique identification code associated with the terminal device; and judging whether the user has passed identity authentication according to the request information and determining whether to issue the application token according to the judgment result comprises:
The single sign-on method according to claim 7 , wherein the request information comprises a unique identification code associated with the terminal device; and the determination of whether the user has passed identity authentication according to the request information, And determine whether to issue the application token according to the judgment result, including: 检索与所述唯一标识码关联的用户认证会话,且若检索到所述用户认证会话,则判定所述用户已通过身份认证并确定颁发所述应用令牌,所述应用令牌绑定于所述用户认证会话,所述用户认证会话用于维护所述用户的认证信息与身份信息。Retrieve the user authentication session associated with the unique identification code, and if the user authentication session is retrieved, determine that the user has been authenticated and determine to issue the application token, which is bound to the The user authentication session is used to maintain the authentication information and identity information of the user. 9.根据权利要求7所述的单点登录方法,其特征在于,所述请求信息包括与所述终端设备关联的唯一标识码;所述根据所述请求信息判断所述用户是否通过身份认证,并根据判断结果确定是否颁发所述应用令牌,包括:9 . The single sign-on method according to claim 7 , wherein the request information comprises a unique identification code associated with the terminal device; the determination of whether the user has passed identity authentication according to the request information, And determine whether to issue the application token according to the judgment result, including: 检索与所述唯一标识码关联的用户认证会话,且若未检索到所述用户认证会话,则判定所述用户未通过身份认证并向所述认证客户端程序返回未认证消息,以便所述认证客户端程序根据所述未认证消息提交身份认证信息;所述未认证消息用于表示所述用户未通过身份认证,所述用户认证会话用于维护所述用户的认证信息与身份信息;Retrieve the user authentication session associated with the unique identification code, and if the user authentication session is not retrieved, determine that the user has not been authenticated and return an unauthenticated message to the authentication client program for the authentication The client program submits identity authentication information according to the unauthenticated message; the unauthenticated message is used to indicate that the user has not passed identity authentication, and the user authentication 
session is used to maintain the authentication information and identity information of the user; 接收所述认证客户端程序提交的所述身份认证信息;receiving the identity authentication information submitted by the authentication client program; 根据所述身份认证信息验证所述用户;Verify the user according to the identity authentication information; 若所述用户验证成功,则创建所述用户认证会话并向所述认证客户端程序返回认证成功消息,以便所述认证客户端程序基于所述认证成功消息向所述认证服务器再次申请所述应用令牌;所述认证成功消息用于表示所述用户已通过身份认证;及If the user authentication is successful, create the user authentication session and return an authentication success message to the authentication client program, so that the authentication client program applies the application to the authentication server again based on the authentication success message token; the authentication success message is used to indicate that the user has been authenticated; and 响应于所述认证客户端程序的再次申请:在所述用户认证会话已创建的情形下,判定所述用户已通过身份认证并确定颁发所述应用令牌,所述应用令牌绑定于所述用户认证会话。In response to the reapplication of the authentication client program: in the case that the user authentication session has been created, determine that the user has passed the identity authentication and determine to issue the application token, which is bound to the user authentication session. 10.根据权利要求8或9所述的单点登录方法,其特征在于,还包括:10. The single sign-on method according to claim 8 or 9, characterized in that, further comprising: 接收所述认证客户端程序提供的用户注销通知;及receiving a user logout notification provided by the authentication client program; and 响应于所述用户注销通知:注销所述用户认证会话、清除所述应用令牌,以及向所述目标服务器发送用户下线通知以使所述目标服务器下线所述用户。In response to the user logout notification: logout the user authentication session, clear the application token, and send a user logout notification to the target server to log the target server off the user. 11.根据权利要求8或9所述的单点登录方法,其特征在于,还包括:11. 
The single sign-on method according to claim 8 or 9, characterized in that, further comprising: 接收所述目标服务器提供的用户下线通知;及Receive a user offline notification provided by the target server; and 响应于该用户下线通知:注销或更新所述用户认证会话,以及清除所述应用令牌。In response to the user offline notification: logout or update the user authentication session, and clear the application token. 12.根据权利要求11所述的单点登录方法,其特征在于,所述用户认证会话关联有所述目标服务器中的一个或多个应用服务端程序,所述注销或更新所述用户认证会话,包括:12. The single sign-on method according to claim 11, wherein the user authentication session is associated with one or more application server programs in the target server, and the user authentication session is logged out or updated ,include: 若所述用户认证会话关联所述目标服务器中的一个应用服务端程序,则注销所述用户认证会话;或If the user authentication session is associated with an application server program in the target server, log out of the user authentication session; or 若所述用户认证会话关联所述目标服务器中的多个应用服务端程序,且所述用户下线通知基于所述多个应用服务端程序中的目标应用服务端程序对所述用户的下线操作得到,则更新所述用户认证会话,以删除所述目标服务器端应用在所述用户认证会话中的关联信息。If the user authentication session is associated with multiple application server programs in the target server, and the user logout notification is based on the logout of the user by the target application server program in the multiple application server programs If the operation is obtained, the user authentication session is updated to delete the associated information applied by the target server in the user authentication session. 13.一种单点登录装置,用于认证服务器中,其特征在于,所述装置包括:13. 
A single sign-on device for use in an authentication server, wherein the device comprises: 接收模块,用于接收终端设备通过认证客户端程序发送的用于请求应用令牌的请求信息;所述认证客户端内置于所述终端设备,并用于在所述终端设备中拦截用户的访问请求并基于所述访问请求申请所述应用令牌,所述应用令牌用于表示所述用户已通过身份认证并具有访问权限;a receiving module, configured to receive request information for requesting an application token sent by a terminal device through an authentication client program; the authentication client is built in the terminal device and used to intercept a user's access request in the terminal device and apply for the application token based on the access request, where the application token is used to indicate that the user has passed identity authentication and has access rights; 确定模块,用于根据所述请求信息判断所述用户是否通过身份认证,并根据判断结果确定是否颁发所述应用令牌;及A determination module, configured to determine whether the user has passed identity authentication according to the request information, and determine whether to issue the application token according to the judgment result; and 颁发模块,用于若所述用户已通过身份认证,则颁发所述应用令牌,并将所述应用令牌返回至所述认证客户端程序,以便所述认证客户端程序将所述访问请求和所述应用令牌转发到目标服务器,以便所述目标服务器根据所述访问请求和所述应用令牌执行登录。an issuing module, configured to issue the application token if the user has passed identity authentication, and return the application token to the authentication client program, so that the authentication client program sends the access request and the application token are forwarded to the target server, so that the target server performs login according to the access request and the application token. 14.一种计算机设备,包括存储器、处理器以及存储在存储器上并可在处理器上运行的计算机程序,其特征在于,所述处理器执行所述计算机程序时用于实现权利要求1~5、7~12中任一项所述的单点登录方法的步骤。14. A computer device, comprising a memory, a processor, and a computer program stored in the memory and running on the processor, wherein the processor is used to implement claims 1 to 5 when the processor executes the computer program and the steps of the single sign-on method described in any one of 7 to 12. 
15.一种计算机可读存储介质,其特征在于,其内存储有计算机程序,所述计算机程序可被至少一个处理器所执行,以使所述至少一个处理器执行权利要求1~5、7~12中任一项所述的单点登录方法的步骤。15. A computer-readable storage medium, characterized in that a computer program is stored therein, the computer program can be executed by at least one processor, so that the at least one processor executes claims 1-5, 7 Steps of the single sign-on method of any one of to 12. 16.一种单点登录系统,其特征在于,所述系统包括终端设备、认证服务器和目标服务器;所述终端设备内置认证客户端程序和多个应用程序;其中:16. A single sign-on system, characterized in that the system comprises a terminal device, an authentication server and a target server; the terminal device has a built-in authentication client program and multiple application programs; wherein: 所述终端设备,用于通过认证客户端程序执行以下操作:拦截用户通过目标应用程序发送的访问请求,所述目标应用程序为多个应用程序中的任意一个,所述多个应用程序包括浏览器和应用客户端程序;以及向所述认证服务器发送用于申请应用令牌的请求信息,所述应用令牌用于表示所述用户已通过身份认证并具有访问权限;The terminal device is configured to perform the following operations through the authentication client program: intercepting an access request sent by a user through a target application, where the target application is any one of multiple applications, and the multiple applications include browsing and an application client program; and sending request information for applying for an application token to the authentication server, where the application token is used to indicate that the user has been authenticated and has access rights; 所述认证服务器,用于根据所述请求信息颁发所述应用令牌,并返回所述应用令牌至所述认证客户端程序;the authentication server, configured to issue the application token according to the request information, and return the application token to the authentication client program; 所述终端设备,还用于通过认证客户端程序将所述访问请求和所述应用令牌转发至所述目标服务器;The terminal device is further configured to forward the access request and the application token to the target server through an authentication client program; 所述目标服务器,用于接收所述认证客户端程序转发的所述访问请求和所述应用令牌,并基于所述应用令牌执行针对所述访问请求的响应,所述响应包括同意登录或拒绝登录。The target server is configured to receive the access request and the application token forwarded by the 
authentication client program, and execute a response to the access request based on the application token, where the response includes an approval to log in or Login denied. 17.根据权利要求16所述的单点登录系统,其特征在于,所述请求信息包括与所述终端设备关联的唯一标识码;17. The single sign-on system according to claim 16, wherein the request information comprises a unique identification code associated with the terminal device; 所述认证服务器,还用于:检索与所述唯一标识码关联的用户认证会话,且若检索到所述用户认证会话,则判定所述用户已通过身份认证并颁发所述应用令牌,将所述应用令牌和所述用户认证会话进行绑定,并将所述应用令牌返回至所述认证客户端程序;其中,所述用户认证会话用于维护所述用户的认证信息与身份信息。The authentication server is further configured to: retrieve the user authentication session associated with the unique identification code, and if the user authentication session is retrieved, determine that the user has passed the identity authentication and issue the application token, The application token is bound to the user authentication session, and the application token is returned to the authentication client program; wherein the user authentication session is used to maintain the user's authentication information and identity information . 18.根据权利要求16所述的单点登录系统,其特征在于,所述请求信息包括与所述终端设备关联的唯一标识码;18. 
The single sign-on system according to claim 16, wherein the request information comprises a unique identification code associated with the terminal device; 所述认证服务器,还用于:检索与所述唯一标识码关联的用户认证会话,且若未检索到所述用户认证会话,则判定所述用户未通过身份认证并向所述认证客户端程序返回未认证消息;所述未认证消息用于表示所述用户未通过身份认证,所述用户认证会话用于维护所述用户的认证信息与身份信息;The authentication server is further configured to: retrieve the user authentication session associated with the unique identification code, and if the user authentication session is not retrieved, determine that the user has not passed the identity authentication and report to the authentication client program Returns an unauthenticated message; the unauthenticated message is used to indicate that the user has not passed identity authentication, and the user authentication session is used to maintain the authentication information and identity information of the user; 所述终端设备,还用于通过所述认证客户端程序:接收所述未认证消息,并基于所述未认证消息展示登录认证界面;通过所述登录认证界面接收输入的身份认证信息,并将所述身份认证信息发送给所述认证服务器;The terminal device is further configured to, through the authentication client program: receive the unauthenticated message, and display a login authentication interface based on the unauthenticated message; receive the input identity authentication information through the login authentication interface, and display the authentication The identity authentication information is sent to the authentication server; 所述认证服务器,还用于:根据所述身份认证信息验证所述用户;若所述用户验证成功,则创建所述用户认证会话并向所述认证客户端程序返回认证成功消息;所述认证成功消息用于表示所述用户已通过身份认证;The authentication server is further configured to: authenticate the user according to the identity authentication information; if the user authentication succeeds, create the user authentication session and return an authentication success message to the authentication client program; the authentication A success message is used to indicate that the user has been authenticated; 所述终端设备,还用于通过所述认证客户端程序:基于所述认证成功消息向认证服务器再次申请所述应用令牌;The terminal device is further configured to, through the authentication client program: reapply for 
the application token to the authentication server based on the authentication success message; 所述认证服务器,还用于响应于所述认证客户端程序的再次申请:在所述用户认证会话已创建的情形下,判定所述用户已通过身份认证并确定颁发所述应用令牌,将所述应用令牌和所述用户认证会话进行绑定,并将所述应用令牌返回至所述认证客户端程序。The authentication server is further configured to, in response to the re-application of the authentication client program: in the case that the user authentication session has been created, determine that the user has passed the identity authentication and determine to issue the application token, The application token is bound to the user authentication session, and the application token is returned to the authentication client program. 19.根据权利要求17或18所述的单点登录系统,其特征在于:19. The single sign-on system according to claim 17 or 18, characterized in that: 所述终端设备,还用于通过所述认证客户端程序:接收针对所述用户的退出操作,并基于所述退出操作注销所述用户并向所述目标服务器发送用户注销通知;The terminal device is further configured to, through the authentication client program: receive a logout operation for the user, logout the user based on the logout operation, and send a user logout notification to the target server; 所述认证服务器,还用于响应所述用户注销通知,执行以下至少一项操作:注销所述用户认证会话、清除所述应用令牌,以及向所述目标服务器发送用户下线通知以使所述目标服务器下线所述用户。The authentication server is further configured to perform at least one of the following operations in response to the user logout notification: logout of the user authentication session, clear the application token, and send a user logout notification to the target server to make all The target server goes offline for the user. 20.根据权利要求17或18所述的单点登录系统,其特征在于:20. The single sign-on system according to claim 17 or 18, characterized in that: 所述终端设备,还用于通过所述目标应用程序:接收针对所述用户的退出操作,并响应于所述退出操作,生成用于指示所述用户下线的通知消息,并将所述通知消息发送至所述目标服务器;The terminal device is further configured to receive, through the target application, a logout operation for the user, and in response to the logout operation, generate a notification message for indicating that the user is offline, and send the notification to the user. 
sending the message to the target server; 所述目标服务器,还用于:基于所述通知消息下线所述用户,并向所述如认证服务器发送用户下线通知;The target server is further configured to: log off the user based on the notification message, and send a user logoff notification to the authentication server; 所述认证服务器,响应于该用户下线通知:注销或更新所述用户认证会话,以及清除所述应用令牌。The authentication server, in response to the user offline notification: logout or update the user authentication session, and clear the application token. 21.根据权利要求20所述的单点登录系统,其特征在于,所述用户认证会话关联有所述目标服务器中的一个或多个应用服务端程序,所述注销或更新所述用户认证会话,包括:21. The single sign-on system according to claim 20, wherein the user authentication session is associated with one or more application server programs in the target server, and the user authentication session is logged out or updated ,include: 若所述用户认证会话关联所述目标服务器中的一个应用服务端程序,则注销所述用户认证会话;或If the user authentication session is associated with an application server program in the target server, log out of the user authentication session; or 若所述用户认证会话关联所述目标服务器中的多个应用服务端程序,且所述用户下线通知基于所述多个应用服务端程序中的目标应用服务端程序对所述用户的下线操作得到,则更新所述用户认证会话,以删除所述目标服务器端应用在所述用户认证会话中的关联信息。If the user authentication session is associated with multiple application server programs in the target server, and the user logout notification is based on the logout of the user by the target application server program in the multiple application server programs If the operation is obtained, the user authentication session is updated to delete the associated information applied by the target server in the user authentication session.
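The exchange that claims 1 to 12 and 16 to 21 describe, worked through as an added Python example; this is not code from the patent or from the applicants. The claims fix the message flow (the authentication client program intercepts the request and applies for a token with the device's unique identification code, the authentication server looks up the session keyed by that code and issues a token bound to it, the target server verifies the token before approving the login, and logoff either ends the session or only updates it) but not the token format, the key handling, or how the target server verifies a token. The example therefore assumes an HMAC-signed token under a key that only the authentication server holds, verification by asking the authentication server, and a constructed one-user credential store; the device identifier "device-42", the application names and the credential are likewise made up for the example.

```python
import base64, hashlib, hmac, json, secrets

SERVER_KEY = b"assumed-authentication-server-key"   # assumption: held only by the auth server
USERS = {"alice": "correct horse battery staple"}   # constructed credential store for the example


class AuthenticationServer:
    def __init__(self):
        self.sessions = {}    # device uid -> {"user": name, "apps": set of app names}
        self.tokens = {}      # token -> (uid, app); every token is bound to a live session
        self.target = None    # the target server to notify on a client-initiated logout

    def token_request(self, uid, app):   # claims 8/9: no session for this uid means refuse
        session = self.sessions.get(uid)
        if session is None:
            return {"status": "unauthenticated"}
        session["apps"].add(app)         # claim 12: the session records which apps use it
        payload = {"uid": uid, "user": session["user"], "app": app, "nonce": secrets.token_hex(8)}
        body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
        token = body + "." + hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
        self.tokens[token] = (uid, app)
        return {"status": "ok", "token": token}

    def authenticate(self, uid, username, password):   # claim 9: verify, then create the session
        if not hmac.compare_digest(USERS.get(username, "").encode(), password.encode()):
            return {"status": "failed"}
        self.sessions[uid] = {"user": username, "apps": set()}
        return {"status": "authenticated"}

    def verify(self, token, app):   # asked by the target server before it approves a login
        body, _, mac = token.rpartition(".")
        expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
        bound = self.tokens.get(token)
        if not hmac.compare_digest(expected, mac) or bound is None or bound[1] != app:
            return None   # forged, never issued or already cleared, or issued for another app
        return json.loads(base64.urlsafe_b64decode(body))

    def client_logout(self, uid):   # claim 10: end the session, clear its tokens, push logoff
        session = self.sessions.pop(uid, None)
        if session is None:
            return []
        self.tokens = {t: b for t, b in self.tokens.items() if b[0] != uid}
        for app in session["apps"]:
            self.target.logged_in.discard((uid, app))   # the user logoff notification
        return sorted(session["apps"])

    def app_logoff(self, uid, app):   # claims 11/12: update the session, or end it on the last app
        self.tokens = {t: b for t, b in self.tokens.items() if b != (uid, app)}
        apps = self.sessions.get(uid, {"apps": set()})["apps"]
        apps.discard(app)
        if apps:
            return "updated"
        self.sessions.pop(uid, None)
        return "logged-out"


class TargetServer:
    def __init__(self, auth):
        self.auth, self.logged_in = auth, set()   # logged_in holds (uid, app) pairs
        auth.target = self

    def login(self, app, token):   # claims 1/7: verify the forwarded token, then approve or deny
        claims = self.auth.verify(token, app)
        if claims is None:
            return "denied"
        self.logged_in.add((claims["uid"], claims["app"]))
        return "approved"

    def app_logout(self, uid, app):   # claims 5/11: an application server program logs the user off
        self.logged_in.discard((uid, app))
        return self.auth.app_logoff(uid, app)


def client_access(uid, app, auth, target, prompt):   # claims 1-3: the authentication client program
    reply = auth.token_request(uid, app)             # intercepted request -> apply for a token
    if reply["status"] == "unauthenticated":
        username, password = prompt()                # the login authentication interface
        if auth.authenticate(uid, username, password)["status"] != "authenticated":
            return "denied"
        reply = auth.token_request(uid, app)         # apply again, as in claim 3
    return target.login(app, reply["token"])         # forward request and token to the target


def run_demo():   # login, SSO reuse across apps, forgery, per-app logoff, replay, full logout
    auth = AuthenticationServer()
    target = TargetServer(auth)
    prompts = []
    prompt = lambda: prompts.append(1) or ("alice", "correct horse battery staple")  # counts prompts
    trace = {"first": client_access("device-42", "browser", auth, target, prompt)}      # prompts once
    trace["second"] = client_access("device-42", "vpn-client", auth, target, prompt)  # no prompt
    trace["prompts"] = len(prompts)
    browser_token = next(t for t, b in auth.tokens.items() if b == ("device-42", "browser"))
    forged = browser_token[:-1] + ("0" if browser_token[-1] != "0" else "1")
    trace["forged"] = target.login("browser", forged)
    trace["app_logoff"] = target.app_logout("device-42", "browser")   # session updated, not ended
    trace["replay"] = target.login("browser", browser_token)          # cleared token is refused
    trace["full_logout"] = auth.client_logout("device-42")            # claim 4: client-side logout
    trace["after"] = sorted(target.logged_in)
    return trace
```

Running run_demo() shows the point of the claimed design in one pass: the second application on the same device gets its token without a second credential prompt because the authentication server found the session keyed by the device identifier; logging off one application only updates the session while another application still uses it (claim 12), but it does clear that application's token, so replaying the token is refused; and a client-side logout ends the session, clears every token bound to it, and pushes the logoff to the target server.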
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110461827.2A CN113132402B (en) 2021-04-27 2021-04-27 Single sign-on method and system

Publications (2)

Publication Number Publication Date
CN113132402A (en) 2021-07-16
CN113132402B CN113132402B (en) 2022-08-30

Family

ID=76780895

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110461827.2A Active CN113132402B (en) 2021-04-27 2021-04-27 Single sign-on method and system

Country Status (1)

Country Link
CN (1) CN113132402B (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104301316A (en) * 2014-10-13 2015-01-21 中国电子科技集团公司第二十八研究所 A single sign-on system and its implementation method
US20160182489A1 (en) * 2014-12-19 2016-06-23 Motorola Solutions, Inc Method and apparatus for enabling a single sign-on enabled application to enforce an application lock
CN109413032A (en) * 2018-09-03 2019-03-01 中国平安人寿保险股份有限公司 A kind of single-point logging method, computer readable storage medium and gateway
CN109587133A (en) * 2018-11-30 2019-04-05 武汉烽火众智智慧之星科技有限公司 A kind of single-node login system and method
CN109688114A (en) * 2018-12-10 2019-04-26 迈普通信技术股份有限公司 Single-point logging method, certificate server and application server
WO2020155492A1 (en) * 2019-01-31 2020-08-06 平安科技(深圳)有限公司 Device id-based login state sharing method and device

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113378153A (en) * 2021-08-12 2021-09-10 中移(上海)信息通信科技有限公司 Authentication method, first service device, second service device and terminal device
CN114282195A (en) * 2021-12-31 2022-04-05 招银云创信息技术有限公司 Application authority management method and device, computer equipment and storage medium
CN114866247A (en) * 2022-04-18 2022-08-05 杭州海康威视数字技术股份有限公司 A communication method, device, system, terminal and server
CN114866247B (en) * 2022-04-18 2024-01-02 杭州海康威视数字技术股份有限公司 Communication method, device, system, terminal and server
CN114697137A (en) * 2022-05-10 2022-07-01 中国建设银行股份有限公司 Application program login method, device, equipment and storage medium
CN114697137B (en) * 2022-05-10 2024-05-10 中国建设银行股份有限公司 Application program login method, device, equipment and storage medium
CN116192447B (en) * 2022-12-20 2024-01-30 江苏云涌电子科技股份有限公司 Multi-factor identity authentication method
CN117574349A (en) * 2023-11-10 2024-02-20 中移互联网有限公司 Single sign-on authentication method, device, electronic equipment and storage medium
CN117411725A (en) * 2023-12-13 2024-01-16 深圳竹云科技股份有限公司 Portal application authentication method and device and computer equipment
CN117411725B (en) * 2023-12-13 2024-04-30 深圳竹云科技股份有限公司 Portal application authentication method and device and computer equipment

Also Published As

Publication number Publication date
CN113132402B (en) 2022-08-30

Similar Documents

Publication Publication Date Title
US10614199B2 (en) Online account access control by mobile device
CN113132402B (en) Single sign-on method and system
JP7586975B2 (en) Method and system for authenticating secure credential transfer to a device - Patents.com
CN111147453A (en) System login method and integrated login system
EP2916520A1 (en) Systems and methods for location-based authentication
US8863265B2 (en) Remote sign-out of web based service sessions
US20130091559A1 (en) Computer-Implemented Method for Mobile Authentication and Corresponding Computer System
CN105991614B (en) It is a kind of it is open authorization, resource access method and device, server
KR101451359B1 (en) User account recovery
CN107172054A (en) A CAS-based authority authentication method, device and system
US20180324169A1 (en) Method of access by a telecommunications terminal to a database hosted by a service platform that is accessible via a telecommunications network
US9178874B2 (en) Method, device and system for logging in through a browser application at a client terminal
CN115022047A (en) Account login method and device based on multi-cloud gateway, computer equipment and medium
JP6848275B2 (en) Program, authentication system and authentication cooperation system
CN113055186B (en) Cross-system service processing method, device and system
WO2020141025A1 (en) Method and system for managing access to a service
KR101637155B1 (en) A system providing trusted identity management service using trust service device and its methods of operation
US12182251B2 (en) Web-based authentication for desktop applications
US11405379B1 (en) Multi-factor message-based authentication for network resources
CN116962088B (en) Login authentication methods, zero trust controllers and electronic devices
CN118947087A (en) Web-based identity authentication for desktop applications
AU2010361584B2 (en) User account recovery
CN115225403A (en) Single sign-on method and related device
CN120455026A (en) Login method, electronic device, readable storage medium and program product

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: Room 332, 3 / F, Building 102, 28 xinjiekouwei street, Xicheng District, Beijing 100088

Applicant after: QAX Technology Group Inc.

Applicant after: Qianxin Wangshen information technology (Beijing) Co.,Ltd.

Address before: Room 332, 3 / F, Building 102, 28 xinjiekouwei street, Xicheng District, Beijing 100088

Applicant before: QAX Technology Group Inc.

Applicant before: LEGENDSEC INFORMATION TECHNOLOGY (BEIJING) Inc.

GR01 Patent grant