
CN113505397A - Authorization method, server, system and storage medium - Google Patents


Info

Publication number
CN113505397A
Authority
CN
China
Prior art keywords
authentication
authorization
server
authentication token
information
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202110853651.5A
Other languages
Chinese (zh)
Other versions
CN113505397B (en)
Inventor
冯宇东
李伟仁
马思雨
黄秀萍
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Industrial and Commercial Bank of China Ltd ICBC
Original Assignee
Industrial and Commercial Bank of China Ltd ICBC
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Industrial and Commercial Bank of China Ltd ICBC
Priority to CN202110853651.5A
Publication of CN113505397A
Application granted
Publication of CN113505397B
Legal status: Active
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures
    • G06F21/602 Providing cryptographic facilities or services

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

The present disclosure provides an authorization method, applied in the field of financial technology, including: an authorization server generates an authentication token in response to a received authorization request, the authentication token including user information, and the user information in the authentication token is cached in a preset storage space; the authorization server sends an authentication request carrying the authentication token to an authentication server; the authentication server performs authentication based on the authentication token to obtain an authentication result; the authentication server returns the authentication result to the authorization server, and the authentication server deletes the user information from the preset storage space. The present disclosure also provides an authorization method, an authorization server, an authentication server, an authorization system, a computer system, and a readable storage medium.

Description

Authorization method, server, system and storage medium
Technical Field
The present disclosure relates to the field of internet technologies, and in particular, to an authorization method, an authorization server, an authentication server, an authorization system, a computer system, and a readable storage medium.
Background
With the popularity of internet applications, openness and sharing have become the main characteristics of today's internet, and the integration of different services offered by internet service providers is an inevitable trend of internet development. Disclosure of user information, on the premise that the user has granted authorization, can be realized on the basis of the OAuth 2.0 protocol.
In the process of implementing the concept of the present disclosure, the inventors found that the related art has at least the following problem: the user authenticates by providing login information, and once that authentication succeeds the authorization server directly grants authorization and the login succeeds, so the security of this process is low.
Disclosure of Invention
In view of the above, the present disclosure provides an authorization method, an authorization server, an authentication server, an authorization system, a computer system, and a readable storage medium.
One aspect of the present disclosure provides an authorization method, applied to an authorization server, including:
responding to the received authorization request, generating an authentication token, wherein the authentication token comprises the user information, and the user information in the authentication token is cached in a preset storage space;
and sending an authentication request to an authentication server, wherein the authentication request carries the authentication token so that the authentication server performs authentication based on the authentication token to obtain an authentication result, returning the authentication result to the authorization server, and deleting the user information from the preset storage space.
In an embodiment, the authentication token further comprises first timestamp information indicating a generation time or a transmission time of the authentication token.
In an embodiment, the authorization request carries an identifier of a sender of the authorization request, and the authentication token further includes the identifier of the sender.
In one embodiment, the method further comprises:
acquiring login information input by a user;
verifying whether the login information is correct;
if the login information is correct, returning authorization confirmation prompt information to the resource client;
and receiving authorization confirmation information returned by the authorization client based on the authorization confirmation prompt information, and executing the operation of acquiring the user information from the preset storage space in response to the received authorization request.
In an embodiment, wherein:
when the authentication result is that the authentication is passed, receiving user information returned by the authentication server;
and sending the user information to a login client for calling the resource client to log in so as to successfully log in the login client.
In one embodiment, before sending the authentication request to the authentication server, the method includes:
and encrypting and signing the authentication token.
Another aspect of the present disclosure provides an authorization method applied to an authentication server, including:
responding to a received authentication request carrying an authentication token by authenticating based on the authentication token to obtain an authentication result, wherein the authentication token is generated by an authorization server, the authentication token comprises the user information, and the user information in the authentication token is cached in a preset storage space;
returning the authentication result to the authorization server;
and deleting the user information from the preset storage space.
In an embodiment, the authentication token further includes first timestamp information, the first timestamp information indicates a generation time or a sending time of the authentication token, the authenticating based on the authentication token, and obtaining an authentication result includes:
parsing the authentication token to obtain the first timestamp information;
acquiring a current timestamp;
calculating a difference between the current timestamp and the first timestamp;
judging whether the difference value meets a preset condition or not;
if the difference value does not meet the preset condition, the authentication result is authentication failure;
and if the difference value meets the preset condition, the authentication result is that the authentication is passed.
In an embodiment, the authorization request carries an identifier of a sender of the authorization request, the authentication token further includes the identifier of the sender, and the performing authentication based on the authentication token to obtain the authentication result includes:
searching for the identifier of the sender in a preset identifier library, wherein the identifier library stores the identifiers of all legal senders;
if the identifier of the sender is not found, the authentication result is authentication failure;
and if the identifier of the sender is found, the authentication result is that the authentication is passed.
In an embodiment, when the authentication result is that the authentication is passed, the returning the authentication result to the authorization server includes:
and sending the user information to the authorization server so that the authorization server sends the user information to a login client for calling the resource client to log in, so as to successfully log in the login client.
In an embodiment, before performing authentication based on the authentication token and obtaining an authentication result, the method includes:
decrypting and verifying the authentication token;
if the decryption and signature verification processing is successful, the operation of carrying out authentication based on the authentication token to obtain an authentication result is executed;
and if the decryption and/or signature verification processing fails, sending prompt information of the failure of the decryption and/or signature verification processing to the authorization server.
Another aspect of the present disclosure provides an authorization server, including:
the authentication token generation module is used for responding to the received authorization request and generating an authentication token, wherein the authentication token comprises the user information, and the user information in the authentication token is cached in a preset storage space;
and the request sending module is used for sending an authentication request to an authentication server, wherein the authentication request carries the authentication token so that the authentication server performs authentication based on the authentication token to obtain an authentication result, the authentication result is returned to the authorization server, and the user information is deleted from the preset storage space.
In an embodiment, the authentication token further comprises first timestamp information indicating a generation time or a transmission time of the authentication token.
In an embodiment, the authorization request carries an identifier of a sender of the authorization request, and the authentication token further includes the identifier of the sender.
In one embodiment, the authorization server further comprises:
the login information acquisition module is used for acquiring login information input by a user;
the login information verification module is used for verifying whether the login information is correct or not;
the confirmation information returning module is used for returning authorization confirmation prompt information to the resource client side if the login information is correct;
and the confirmation information receiving module is used for receiving the authorization confirmation information returned by the authorization client based on the authorization confirmation prompt information, and executing the operation of responding to the received authorization request and acquiring the user information from the preset storage space.
In an embodiment, the user information receiving module is configured to receive user information returned by the authentication server when the authentication result is that authentication is passed;
and the user information sending module is used for sending the user information to a login client for calling the resource client to log in so as to successfully log in the login client.
In one embodiment, the authorization server further comprises:
and the processing module is used for encrypting and signing the authentication token.
Another aspect of the present disclosure provides an authentication server, including:
the authentication module is used for responding to a received authentication request carrying an authentication token, authenticating based on the authentication token to obtain an authentication result, wherein the authentication token is generated by an authorization server, the authentication token comprises the user information, and the user information in the authentication token is cached in a preset storage space;
the authentication result returning module is used for returning the authentication result to the authorization server;
and the user information deleting module is used for deleting the user information from the preset storage space.
In one embodiment, the authentication token further comprises first timestamp information indicating a generation time or a transmission time of the authentication token, the authentication module comprises:
the parsing submodule is used for parsing the authentication token to obtain the first timestamp information;
the timestamp obtaining submodule is used for obtaining a current timestamp;
a calculation sub-module for calculating a difference between the current timestamp and the first timestamp;
the judgment submodule is used for judging whether the difference value meets a preset condition or not;
the first judgment submodule is used for judging that the authentication result is authentication failure if the difference value does not meet the preset condition;
and the second judging submodule is used for judging that the authentication result is authenticated if the difference value meets the preset condition.
In an embodiment, the authorization request carries an identifier of a sender of the authorization request, the authentication token further includes the identifier of the sender, and the authentication module includes:
the searching submodule is used for searching for the identifier of the sender in a preset identifier library, the identifier library storing the identifiers of all legal senders;
the first judging submodule is also used for judging that the authentication result is authentication failure if the identification of the sender is not found;
and the second judging submodule is also used for judging that the authentication result is authenticated if the identifier of the sender is found.
In an embodiment, when the authentication result is that the authentication is passed, the authentication result returning module specifically sends the user information to the authorization server, so that the authorization server sends the user information to a login client that invokes the resource client to log in, so as to successfully log in the login client.
In one embodiment, the authentication server further comprises:
the decryption processing module is used for decrypting the authentication token and verifying its signature;
the authentication module is further configured to execute the operation of performing authentication based on the authentication token to obtain an authentication result if the decryption and signature verification processing is successful;
and the information sending module is used for sending prompt information of the failure of the decryption and/or signature verification processing to the authorization server if the decryption and/or signature verification processing fails.
Another aspect of the present disclosure provides an authorization system, including: an authorization server as described above, and an authentication server as described above.
Another aspect of the present disclosure provides a computer-readable storage medium storing computer-executable instructions for implementing the method as described above when executed.
Another aspect of the disclosure provides a computer program comprising computer executable instructions for implementing the method as described above when executed.
According to the embodiments of the disclosure, after an authorization request is received, authorization is not granted directly to the resource client. Instead, an authentication token is generated in response to the received authorization request; the authentication token includes the user information, the user information in the authentication token is cached in a preset storage space, and an authentication request carrying the authentication token is sent to an authentication server, so that the authentication server performs authentication based on the authentication token to obtain an authentication result, returns the authentication result to the authorization server, and deletes the user information from the preset storage space. The authentication server thus provides an independent check on the user information, and deleting the user information cached in the preset storage space prevents the authentication request from being replayed.
Drawings
The above and other objects, features and advantages of the present disclosure will become more apparent from the following description of embodiments of the present disclosure with reference to the accompanying drawings, in which:
fig. 1 schematically shows an exemplary system architecture to which an authorization method may be applied, according to an embodiment of the present disclosure;
FIG. 2 schematically shows a flow chart of an authorization method according to an embodiment of the present disclosure;
FIG. 3 schematically shows a flow chart of an authorization method according to an embodiment of the present disclosure;
FIG. 4 schematically illustrates a flow chart of an authorization method according to an embodiment of the disclosure;
fig. 5 schematically shows a flowchart of operation S401 in an authorization method according to an embodiment of the present disclosure;
fig. 6 schematically shows a flowchart of operation S401 in an authorization method according to an embodiment of the present disclosure;
FIG. 7 schematically shows a block diagram of an authorization server according to an embodiment of the disclosure;
fig. 8 schematically shows a block diagram of an authentication server according to an embodiment of the present disclosure;
FIG. 9 schematically shows a block diagram of a computer system according to an embodiment of the disclosure.
Detailed Description
Hereinafter, embodiments of the present disclosure will be described with reference to the accompanying drawings. It should be understood that the description is illustrative only and is not intended to limit the scope of the present disclosure. In the following detailed description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the embodiments of the disclosure. It may be evident, however, that one or more embodiments may be practiced without these specific details. Moreover, in the following description, descriptions of well-known structures and techniques are omitted so as to not unnecessarily obscure the concepts of the present disclosure.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. The terms "comprises," "comprising," and the like, as used herein, specify the presence of stated features, steps, operations, and/or components, but do not preclude the presence or addition of one or more other features, steps, operations, or components.
All terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art unless otherwise defined. It is noted that the terms used herein should be interpreted as having a meaning that is consistent with the context of this specification and should not be interpreted in an idealized or overly formal sense.
Where a convention analogous to "at least one of A, B and C, etc." is used, in general such a construction is intended in the sense one having skill in the art would understand the convention (e.g., "a system having at least one of A, B and C" would include but not be limited to systems that have a alone, B alone, C alone, a and B together, a and C together, B and C together, and/or A, B, C together, etc.). Where a convention analogous to "A, B or at least one of C, etc." is used, in general such a construction is intended in the sense one having skill in the art would understand the convention (e.g., "a system having at least one of A, B or C" would include but not be limited to systems that have a alone, B alone, C alone, a and B together, a and C together, B and C together, and/or A, B, C together, etc.).
It should be noted that the authorization method, the authorization server, the authentication server, the authorization system, the computer system, and the storage medium of the present disclosure may be applied to the internet in the financial field, and may also be applied to any field other than the financial field.
In the technical scheme of the disclosure, the acquisition, storage, application and the like of the personal information of the related user all accord with the regulations of related laws and regulations, necessary security measures are taken, and the customs of the public order is not violated.
Embodiments of the present disclosure provide an authorization method. The method comprises the steps that an authorization server responds to a received authorization request to generate an authentication token, the authentication token comprises user information, and the user information in the authentication token is cached in a preset storage space; the authorization server sends an authentication request to an authentication server, wherein the authentication request carries the authentication token; the authentication server authenticates based on the authentication token to obtain an authentication result; the authentication server returns the authentication result to the authorization server, and the authentication server deletes the user information from the preset storage space.
Fig. 1 schematically illustrates an exemplary system architecture 100 to which an authorization method may be applied, according to an embodiment of the disclosure. It should be noted that fig. 1 is only an example of a system architecture to which the embodiments of the present disclosure may be applied to help those skilled in the art understand the technical content of the present disclosure, and does not mean that the embodiments of the present disclosure may not be applied to other devices, systems, environments or scenarios.
As shown in fig. 1, a system architecture 100 according to this embodiment may include a terminal device 101, a network 102, an authorization server 103, and an authentication server 104. The network 102 serves as the medium providing communication links between the terminal device 101, the authorization server 103 and the authentication server 104. The network 102 may include various connection types, such as wired and/or wireless communication links.
The user may use the terminal device 101 to interact with the authorization server 103 via the network 102 to receive or send messages or the like. Various messaging client applications, such as financial applications, shopping applications, web browser applications, search applications, instant messaging tools, mailbox clients, and/or social platform software, etc. (by way of example only) may be installed on terminal device 101.
The terminal device 101 may be any of various electronic devices having a display screen and supporting web browsing, including but not limited to smart phones, tablet computers, laptop computers, desktop computers, and the like. The terminal device 101 may be loaded with a resource client and a login client; the resource client and the login client may be served by the same service provider or by different service providers, provided that the different service providers comply with the OAuth 2.0 protocol. The user can log in through the login client using the login information of the resource client. For example, the user opens the login client and selects login through the resource client; the login client calls the resource client, the user enters the corresponding login information in the resource client for authentication, and once the authentication passes the user is logged in to the login client.
The authorization server 103 may be configured to authenticate the received login information of the user and return an authentication result to the resource client of the terminal device 101. In the present disclosure, the authorization server 103 may be further configured to send an authentication request to the authentication server 104 after the login information of the user is authenticated, and allow the user to log in to the login client in the terminal device 101 after the authentication is passed.
The authentication server 104 may be configured to perform authentication after receiving the authentication request, and return an authentication result to the authorization server 103. Specifically, if the authentication is passed, the user is allowed to log in the login client in the terminal device 101.
It should be noted that the authorization method provided by the embodiments of the present disclosure may generally be executed by the authorization server 103 and the authentication server 104, or by other servers having the respective functions that the authorization server 103 and the authentication server 104 perform in the present disclosure. Further, each of the authorization server 103 and the authentication server 104 may be a single server or a server cluster.
It should be understood that the number of terminal devices, networks, and servers in fig. 1 is merely illustrative. There may be any number of terminal devices, networks, and servers, as desired for implementation.
Fig. 2 schematically shows a flow chart of an authorization method according to an embodiment of the present disclosure.
As shown in fig. 2, the method includes operations S201 to S203 applied to the authorization server.
In operation S201, in response to the received authorization request, an authentication token is generated, where the authentication token includes the user information, and the user information in the authentication token is cached in a preset storage space.
In operation S202, an authentication request is sent to the authentication server, where the authentication request carries the authentication token, so that the authentication server performs authentication based on the authentication token to obtain an authentication result, returns the authentication result to the authorization server, and deletes the user information from the preset storage space.
In this disclosure, the user information corresponds to the authorization request. For example, after the user enters login information at the resource client, the resource client requests authorization from the authorization server, and the user information that the authorization server acquires from the preset storage space is the user information corresponding to that login information (the login information being, for example, a user name and password, or a phone number and an authentication code).
In this disclosure, the preset storage space may be located in the authorization server, may also be located in the authentication server, or, in a certain database, this disclosure does not limit this. The user information may be stored in the preset storage space in a form of a table or a form of a key-value pair, which is not limited by the present disclosure.
In this disclosure, the user information may be deleted from the preset storage space after the authentication token is generated, after the authentication request is sent to the authentication server, during the authentication performed by the authentication server, or at another point; the disclosure does not limit this. Furthermore, the user information may be deleted from the preset storage space by the authorization server, the authentication server, or any other server or terminal, which the disclosure also does not limit.
In an embodiment of the present disclosure, the authentication token further includes first timestamp information indicating the generation time or sending time of the authentication token. Performing authentication based on the authentication token to obtain an authentication result may then specifically be: parsing the authentication token to obtain the first timestamp information, obtaining the current timestamp, calculating the difference between the current timestamp and the first timestamp, and judging whether the difference meets a preset condition; if the difference does not meet the preset condition, the authentication result is authentication failure, and if it does, the authentication result is authentication passed.
In an embodiment of the present disclosure, the authorization request carries an identifier of the sender of the authorization request, and the authentication token further includes that identifier. Performing authentication based on the authentication token to obtain an authentication result may then specifically be: searching for the identifier of the sender in a preset identifier library that stores the identifiers of all legal senders; if the identifier is not found, the authentication result is authentication failure, and if it is found, the authentication result is authentication passed.
In an embodiment of the present disclosure, before sending the authentication request to the authentication server, the method further includes: and encrypting and signing the authentication token. In the present disclosure, the encryption process and the signature process may be performed in an existing manner, and the present disclosure is not limited thereto.
According to the embodiments of the disclosure, after an authorization request is received, authorization is not granted directly to the resource client. Instead, an authentication token is generated in response to the received authorization request; the authentication token includes the user information, the user information in the authentication token is cached in a preset storage space, and an authentication request carrying the authentication token is sent to an authentication server, so that the authentication server performs authentication based on the authentication token to obtain an authentication result, returns the authentication result to the authorization server, and deletes the user information from the preset storage space. The authentication server thus provides an independent check on the user information, and deleting the user information cached in the preset storage space prevents the authentication request from being replayed.
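The token lifecycle described in the claims above and again in the fig. 2 description (operations S201 and S202 on the authorization server; signature verification, decryption, the timestamp window, the sender identifier lookup and the deletion of the cached user information on the authentication server) as one added Python example. This is illustration code written for this page, not ICBC's implementation and not code from the patent. The key material, the 30-second window, the sender identifiers, and the in-process dict standing in for the preset storage space are all constructed assumptions. The patent leaves the encryption and signature scheme to existing methods; here the signature is HMAC-SHA256 applied encrypt-then-MAC and the encryption is an HMAC-SHA256 counter-mode keystream, chosen only so the block needs nothing beyond the standard library. A production build would use an AEAD such as AES-GCM instead.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional, Tuple

# Constructed demo keys. A deployment would provision these from a KMS/HSM and share
# them between the authorization server and the authentication server out of band.
ENC_KEY = hashlib.sha256(b"demo-enc-key").digest()
MAC_KEY = hashlib.sha256(b"demo-mac-key").digest()

# Preset condition for the timestamp check (assumption: the token is accepted for 30 s).
MAX_AGE_SECONDS = 30.0
# Preset identifier library holding the identifiers of all legal senders (constructed).
LEGAL_SENDERS = {"resource-client-001", "resource-client-002"}
# Preset storage space: token id -> user information (an in-process dict for the demo).
PRESET_STORAGE: Dict[str, dict] = {}
NONCE_LEN, TAG_LEN = 16, 32


def _keystream(nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF keystream (stdlib only). A production build
    should use an AEAD such as AES-GCM instead of this hand-rolled construction."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(ENC_KEY, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(plaintext: bytes) -> str:
    """Encrypt-then-MAC: base64( nonce || ciphertext || HMAC(nonce || ciphertext) )."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(nonce, len(plaintext))))
    tag = hmac.new(MAC_KEY, nonce + ct, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(nonce + ct + tag).decode()


def unseal(token: str) -> bytes:
    """Verify the tag in constant time before decrypting; raises ValueError on any failure."""
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except Exception as exc:  # binascii.Error or UnicodeEncodeError
        raise ValueError("malformed token") from exc
    if len(raw) < NONCE_LEN + TAG_LEN:
        raise ValueError("token too short")
    nonce, ct, tag = raw[:NONCE_LEN], raw[NONCE_LEN:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(MAC_KEY, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("signature verification failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(nonce, len(ct))))


# ---- authorization server: operations S201 and S202 ----
def issue_authentication_token(user_info: dict, sender_id: str, now: Optional[float] = None) -> str:
    """Cache the user information under a fresh token id, then build and seal the token
    that the authentication request carries (sender identifier and first timestamp included)."""
    now = time.time() if now is None else now
    token_id = secrets.token_hex(16)
    PRESET_STORAGE[token_id] = dict(user_info)
    body = {"tid": token_id, "user": user_info, "sender": sender_id, "ts": now}
    return seal(json.dumps(body, separators=(",", ":")).encode())


# ---- authentication server ----
def authenticate(token: str, now: Optional[float] = None) -> Tuple[bool, str, Optional[dict]]:
    """Returns (passed, reason, user_info); user_info is only returned on a pass."""
    now = time.time() if now is None else now
    try:
        body = json.loads(unseal(token))
    except ValueError as exc:
        return False, f"decryption/signature verification failed: {exc}", None
    # Remove the cached user information before any other check. A second presentation of
    # the same token then finds nothing and fails, which is the replay defence. pop() is
    # atomic in-process; a shared store needs an atomic get-and-delete for the same effect.
    cached = PRESET_STORAGE.pop(body.get("tid", ""), None)
    if cached is None:
        return False, "token already consumed or unknown (possible replay)", None
    # abs() tolerates clock skew in either direction within the same window.
    if abs(now - body["ts"]) > MAX_AGE_SECONDS:
        return False, "timestamp difference exceeds the preset condition", None
    if body.get("sender") not in LEGAL_SENDERS:
        return False, "sender identifier not found in the identifier library", None
    return True, "authentication passed", cached


if __name__ == "__main__":
    tok = issue_authentication_token({"uid": "u-1001", "name": "alice"}, "resource-client-001")
    print(authenticate(tok))  # first presentation passes and returns the user information
    print(authenticate(tok))  # second presentation fails: the cached user information is gone
```

The pop-before-check ordering is the part worth copying. If the lookup and the deletion are two separate operations against a shared store, two concurrent presentations of the same token can both read the cached entry before either deletes it, and the replay protection the patent relies on is lost. The timestamp window only bounds how long a captured token stays useful, and the identifier library only binds a token to a client identifier, so neither stops a sender that already knows a legal identifier; the signature check is what stops forgery, which is why it runs first and before decryption.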
Fig. 3 schematically shows a flow chart of an authorization method according to an embodiment of the present disclosure.
As shown in fig. 3, the method includes operations S301 to S304 applied to an authorization server, followed by operations S201 and S202 described above.
In operation S301, login information input by a user is acquired.
In operation S302, it is verified whether the login information is correct.
In operation S303, if the login information is correct, an authorization confirmation prompt message is returned to the resource client.
In operation S304, authorization confirmation information returned by the authorization client based on the authorization confirmation prompt information is received.
In operation S201, in response to the received authorization request, an authentication token is generated, where the authentication token includes the user information, and the user information in the authentication token is cached in a preset storage space.
In operation S202, an authentication request is sent to the authentication server, where the authentication request carries the authentication token, so that the authentication server performs authentication based on the authentication token to obtain an authentication result, returns the authentication result to the authorization server, and deletes the user information from the preset storage space.
In an embodiment of the present disclosure, when the authentication result is that the authentication is passed, the authorization server receives the user information returned by the authentication server and sends it to the login client that invokes the resource client to log in, so that the login client is logged in successfully.
In this disclosure, the login information input by the user may be a user name and password, or a mobile phone number and verification code; the disclosure is not limited to these. The login information input by the user corresponds to the user information, and both are globally unique.
In the present disclosure, if the login information is incorrect, prompt information indicating that verification failed is returned directly to the resource client. Specifically, if verification failed because the password was entered incorrectly, the user may be prompted that the password is wrong; if it failed because the user name does not exist, the user may be prompted that the user name does not exist.
Fig. 4 schematically shows a flow chart of an authorization method according to an embodiment of the present disclosure.
As shown in fig. 4, the method includes operations S401 to S403 applied to an authentication server.
In operation S401, in response to a received authentication request carrying an authentication token, authentication is performed based on the authentication token to obtain an authentication result, where the authentication token is generated by an authorization server, the authentication token includes the user information, and the user information in the authentication token is cached in a preset storage space.
In operation S402, the authentication result is returned to the authorization server.
In operation S403, the user information is deleted from the preset storage space.
According to the embodiment of the disclosure, the security of the user information is effectively checked by the authentication server, and the user information cached in the preset storage space is deleted, so that the authentication request can be prevented from being replayed.
In an embodiment of the present disclosure, the authentication token further includes first timestamp information, where the first timestamp information indicates a generation time or a sending time of the authentication token. As shown in fig. 5, operation S401 then includes operations S501 to S506.
In operation S501, the authentication token is parsed to obtain the first timestamp information.
In operation S502, a current timestamp is acquired.
In operation S503, the difference between the current timestamp and the first timestamp is calculated.
In operation S504, it is judged whether the difference satisfies a preset condition.
In operation S505, if the difference does not satisfy the preset condition, the authentication result is authentication failure.
In operation S506, if the difference satisfies the preset condition, the authentication result is that the authentication is passed.
In the present disclosure, the preset condition may be that the difference is smaller than a preset threshold, or that the difference lies within a preset range. The preset threshold may be, for example, 1 minute, 2 minutes or 5 minutes, and the preset range may be, for example, within 30 seconds or within 1 minute; the present disclosure does not limit these values.
In an embodiment of the present disclosure, the authorization request carries an identifier of the sender of the authorization request, and the authentication token further includes that identifier. As shown in fig. 6, operation S401 then includes operations S601 to S603.
In operation S601, the identifier of the sender is searched for in a preset identifier library, the identifier library storing the identifiers of all legal senders.
In operation S602, if the identifier of the sender is not found, the authentication result is authentication failure.
In operation S603, if the identifier of the sender is found, the authentication result is that the authentication is passed.
In this disclosure, the checks of fig. 5 and fig. 6 may also be combined to decide the authentication result: if either check yields authentication failure, the authentication result of operation S401 is authentication failure; only if both checks yield authentication success is the authentication result of operation S401 authentication success.
In an embodiment of the present disclosure, when the authentication result is that the authentication is passed, operation S402 includes sending the user information to the authorization server, so that the authorization server sends the user information to the login client that invokes the resource client to log in, and the login client is logged in successfully.
In an embodiment of the present disclosure, before operation S401 the authentication token is decrypted and its signature is verified. If decryption and signature verification both succeed, the operation of performing authentication based on the authentication token to obtain an authentication result is executed; if decryption and/or signature verification fails, prompt information indicating the failure of decryption and/or signature verification is sent to the authorization server.
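The complete exchange described above, from token generation on the authorization server (S201 plus the encrypt-and-sign step) through decryption, signature verification, the timestamp window of fig. 5, the identifier-library lookup of fig. 6 and deletion of the cached user information (S401 to S403), written here as an added example. This is not code from the patent or from ICBC. Everything the page leaves open is an assumption of the example: AES-256-GCM for encryption, Ed25519 for the signature, the wire layout nonce || ciphertext || signature, an in-memory sync.Map as the preset storage space keyed by user information, a 30-second allowance for negative clock skew, and the names NewPair, IssueToken and Authenticate. One deliberate difference from the page's ordering (S402 return, then S403 delete): the example consumes the cached entry with a single atomic check-and-delete before the timestamp and identifier checks, so a replayed or concurrently presented copy of the token fails even while the first copy is still being evaluated.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"sync"
	"time"
)

// AuthToken carries the user information, the first timestamp (generation
// time, Unix seconds) and the identifier of the authorization-request sender.
type AuthToken struct {
	UserInfo  string `json:"user_info"`
	Timestamp int64  `json:"ts"`
	SenderID  string `json:"sender"`
}

// AuthorizationServer generates, caches, encrypts and signs tokens (S201).
type AuthorizationServer struct {
	store   *sync.Map // the preset storage space, keyed by user information (assumption)
	signKey ed25519.PrivateKey
	aead    cipher.AEAD
	now     func() time.Time
}

// AuthenticationServer verifies, decrypts and authenticates tokens (S401-S403).
type AuthenticationServer struct {
	store     *sync.Map
	verifyKey ed25519.PublicKey
	aead      cipher.AEAD
	senders   map[string]bool // preset identifier library of legal senders
	maxAge    time.Duration   // preset threshold for the timestamp difference
	now       func() time.Time
}

// NewPair builds both servers sharing an in-memory store, a fresh AES-256-GCM
// key and an Ed25519 key pair (the page leaves the concrete schemes open).
func NewPair(senders map[string]bool, maxAge time.Duration, now func() time.Time) (*AuthorizationServer, *AuthenticationServer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	key := make([]byte, 32)
	rand.Read(key)                 // crypto/rand.Read never returns an error (Go 1.24+)
	block, _ := aes.NewCipher(key) // cannot fail for a 32-byte key
	aead, _ := cipher.NewGCM(block)
	store := &sync.Map{}
	return &AuthorizationServer{store, priv, aead, now},
		&AuthenticationServer{store, pub, aead, senders, maxAge, now}, nil
}

// IssueToken answers an authorization request: build the token, cache the user
// information, then encrypt and sign. Wire format (an assumption of this example):
// nonce || AES-GCM ciphertext of the JSON token || Ed25519 signature over both.
func (a *AuthorizationServer) IssueToken(userInfo, senderID string) []byte {
	plain, _ := json.Marshal(AuthToken{userInfo, a.now().Unix(), senderID}) // plain struct: cannot fail
	nonce := make([]byte, a.aead.NonceSize())
	rand.Read(nonce)
	a.store.Store(userInfo, struct{}{})
	sealed := a.aead.Seal(nonce, nonce, plain, nil)
	return append(sealed, ed25519.Sign(a.signKey, sealed)...)
}

// Authenticate verifies the signature, decrypts, consumes the cached user
// information (atomic check-and-delete, so a replayed or concurrent copy
// fails), then applies the fig. 5 timestamp check and the fig. 6 sender check.
func (s *AuthenticationServer) Authenticate(wire []byte) (string, error) {
	n := s.aead.NonceSize()
	if len(wire) < n+ed25519.SignatureSize {
		return "", errors.New("malformed token")
	}
	sealed, sig := wire[:len(wire)-ed25519.SignatureSize], wire[len(wire)-ed25519.SignatureSize:]
	if !ed25519.Verify(s.verifyKey, sealed, sig) {
		return "", errors.New("signature verification failed")
	}
	plain, err := s.aead.Open(nil, sealed[:n], sealed[n:], nil)
	if err != nil {
		return "", errors.New("decryption failed")
	}
	var tok AuthToken
	if err := json.Unmarshal(plain, &tok); err != nil {
		return "", errors.New("token parse failed")
	}
	if _, ok := s.store.LoadAndDelete(tok.UserInfo); !ok {
		return "", errors.New("user information not cached: replayed or never issued")
	}
	// Fig. 5: current timestamp minus first timestamp; 30 s of negative skew tolerated (assumption).
	if d := s.now().Sub(time.Unix(tok.Timestamp, 0)); d < -30*time.Second || d > s.maxAge {
		return "", errors.New("timestamp difference outside the preset window")
	}
	if !s.senders[tok.SenderID] { // fig. 6: identifier library lookup
		return "", errors.New("sender identifier not in identifier library")
	}
	return tok.UserInfo, nil
}
```

The signature is verified before anything is decrypted or parsed, so the authentication server never processes unauthenticated bytes; a tampered token is rejected without touching the cache, which means the untampered original remains usable exactly once. The two checks of fig. 5 and fig. 6 are applied in sequence and both must pass, which is the combination rule stated above. Replay protection comes from LoadAndDelete rather than from the timestamp window alone: within the window a captured token would otherwise still be valid.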
Fig. 7 schematically shows a block diagram of an authorization server according to an embodiment of the disclosure.
As shown in fig. 7, the authorization server 700 includes an authentication token generation module 710 and a request transmission module 720.
An authentication token generation module 710, configured to generate an authentication token in response to the received authorization request, where the authentication token includes the user information, and the user information in the authentication token is cached in a preset storage space;
a request sending module 720, configured to send an authentication request to an authentication server, where the authentication request carries the authentication token, so that the authentication server performs authentication based on the authentication token to obtain an authentication result, returns the authentication result to the authorization server, and deletes the user information from the preset storage space.
In an embodiment of the present disclosure, the authentication token further includes first timestamp information indicating a generation time or a sending time of the authentication token.
In an embodiment of the present disclosure, the authorization request carries an identifier of a sender of the authorization request, and the authentication token further includes the identifier of the sender.
In an embodiment of the present disclosure, the authorization server further includes:
the login information acquisition module is used for acquiring login information input by a user;
the login information verification module is used for verifying whether the login information is correct or not;
the confirmation information returning module is used for returning authorization confirmation prompt information to the resource client side if the login information is correct;
and a confirmation information receiving module, configured to receive the authorization confirmation information returned by the authorization client based on the authorization confirmation prompt information, and to execute the operation of acquiring the user information from the preset storage space in response to the received authorization request.
In an embodiment of the present disclosure, the authorization server further includes:
the user information receiving module is used for receiving the user information returned by the authentication server when the authentication result is that the authentication is passed;
and a user information sending module, configured to send the user information to the login client that invokes the resource client to log in, so that the login client is logged in successfully.
In an embodiment of the present disclosure, the authorization server further includes a processing module configured to encrypt and sign the authentication token.
Fig. 8 schematically shows a block diagram of an authentication server according to an embodiment of the present disclosure.
As shown in fig. 8, the authentication server 800 includes an authentication module 810, an authentication result returning module 820, and a user information deleting module 830.
The authentication module 810 is configured to respond to a received authentication request carrying an authentication token, perform authentication based on the authentication token to obtain an authentication result, where the authentication token is generated by an authorization server, the authentication token includes the user information, and the user information in the authentication token is cached in a preset storage space;
an authentication result returning module 820, configured to return the authentication result to the authorization server;
the user information deleting module 830 is configured to delete the user information from the preset storage space.
In an embodiment of the present disclosure, the authentication token further includes first timestamp information, the first timestamp information indicates a generation time or a transmission time of the authentication token, and the authentication module 810 includes:
the analysis submodule is used for analyzing the authentication token to obtain first timestamp information;
the timestamp obtaining submodule is used for obtaining a current timestamp;
a calculation sub-module for calculating a difference between the current timestamp and the first timestamp;
the judgment submodule is used for judging whether the difference value meets a preset condition or not;
the first judgment submodule is used for judging that the authentication result is authentication failure if the difference value does not meet the preset condition;
and the second judging submodule is used for judging that the authentication result is that the authentication is passed if the difference value meets the preset condition.
In an embodiment of the present disclosure, the authorization request carries an identifier of a sender of the authorization request, the authentication token further includes the identifier of the sender, and the authentication module 810 includes:
the searching submodule is used for searching the identification of the sender in a preset identification library, and the identification library stores the identifications of all legal senders;
the first judging submodule is also used for judging that the authentication result is authentication failure if the identification of the sender is not found;
the second determining submodule is further configured to determine that the authentication result is authenticated if the identifier of the sender is found.
In an embodiment of the present disclosure, when the authentication result is that the authentication is passed, the authentication result returning module 820 specifically sends the user information to the authorization server, so that the authorization server sends the user information to the login client that invokes the resource client to log in, and the login client is logged in successfully.
In an embodiment of the present disclosure, the authentication server further includes:
a decryption processing module, configured to decrypt the authentication token and verify its signature;
the authentication module 810, further configured to execute the operation of performing authentication based on the authentication token to obtain an authentication result if decryption and signature verification succeed;
and an information sending module, configured to send prompt information indicating the failure of decryption and/or signature verification to the authorization server if decryption and/or signature verification fails.
The embodiment of the disclosure also provides an authorization system, which comprises the authorization server and the authentication server.
Any number of modules, sub-modules, units, sub-units, or at least part of the functionality of any number thereof according to embodiments of the present disclosure may be implemented in one module. Any one or more of the modules, sub-modules, units, and sub-units according to the embodiments of the present disclosure may be implemented by being split into a plurality of modules. Any one or more of the modules, sub-modules, units, sub-units according to embodiments of the present disclosure may be implemented at least in part as a hardware circuit, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on a chip, a system on a substrate, a system on a package, an Application Specific Integrated Circuit (ASIC), or may be implemented in any other reasonable manner of hardware or firmware by integrating or packaging a circuit, or in any one of or a suitable combination of software, hardware, and firmware implementations. Alternatively, one or more of the modules, sub-modules, units, sub-units according to embodiments of the disclosure may be at least partially implemented as a computer program module, which when executed may perform the corresponding functions.
For example, any number of the authentication token generation module 710 and the request transmission module 720 may be combined and implemented in one module/unit/sub-unit, or any one of the modules/units/sub-units may be split into a plurality of modules/units/sub-units. Alternatively, at least part of the functionality of one or more of these modules/units/sub-units may be combined with at least part of the functionality of other modules/units/sub-units and implemented in one module/unit/sub-unit. According to an embodiment of the present disclosure, at least one of the authentication token generation module 710 and the request transmission module 720 may be implemented at least partially as a hardware circuit, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on a chip, a system on a substrate, a system on a package, an Application Specific Integrated Circuit (ASIC), or may be implemented in hardware or firmware by any other reasonable way of integrating or packaging a circuit, or in any one of three implementations of software, hardware, and firmware, or in a suitable combination of any of them. Alternatively, at least one of the authentication token generation module 710 and the request transmission module 720 may be at least partially implemented as a computer program module, which when executed may perform a corresponding function.
In the above embodiments, the descriptions of the respective embodiments have respective emphasis, and for parts that are not described in detail in a certain embodiment, reference may be made to related descriptions of other embodiments.
FIG. 9 schematically shows a block diagram of a computer system suitable for implementing the above described method according to an embodiment of the present disclosure. The computer system illustrated in FIG. 9 is only one example and should not impose any limitations on the scope of use or functionality of embodiments of the disclosure.
As shown in fig. 9, a computer system 900 according to an embodiment of the present disclosure includes a processor 901 which can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM)902 or a program loaded from a storage section 908 into a Random Access Memory (RAM) 903. Processor 901 may comprise, for example, a general purpose microprocessor (e.g., a CPU), an instruction set processor and/or associated chipset, and/or a special purpose microprocessor (e.g., an Application Specific Integrated Circuit (ASIC)), among others. The processor 901 may also include on-board memory for caching purposes. The processor 901 may comprise a single processing unit or a plurality of processing units for performing the different actions of the method flows according to embodiments of the present disclosure.
In the RAM 903, various programs and data necessary for the operation of the system 900 are stored. The processor 901, the ROM 902, and the RAM 903 are connected to each other through a bus 904. The processor 901 performs various operations of the method flows according to the embodiments of the present disclosure by executing programs in the ROM 902 and/or the RAM 903. Note that the programs may also be stored in one or more memories other than the ROM 902 and the RAM 903. The processor 901 may also perform various operations of the method flows according to embodiments of the present disclosure by executing programs stored in the one or more memories.
System 900 may also include an input/output (I/O) interface 905, input/output (I/O) interface 905 also connected to bus 904, according to an embodiment of the present disclosure. The system 900 may also include one or more of the following components connected to the I/O interface 905: an input portion 906 including a keyboard, a mouse, and the like; an output section 907 including components such as a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and the like, and a speaker; a storage portion 908 including a hard disk and the like; and a communication section 909 including a network interface card such as a LAN card, a modem, or the like. The communication section 909 performs communication processing via a network such as the internet. The drive 910 is also connected to the I/O interface 905 as necessary. A removable medium 911 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 910 as necessary, so that a computer program read out therefrom is mounted into the storage section 908 as necessary.
According to embodiments of the present disclosure, method flows according to embodiments of the present disclosure may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable storage medium, the computer program containing program code for performing the method illustrated by the flow chart. In such an embodiment, the computer program may be downloaded and installed from a network through the communication section 909, and/or installed from the removable medium 911. The computer program, when executed by the processor 901, performs the above-described functions defined in the system of the embodiment of the present disclosure. The systems, devices, apparatuses, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the present disclosure.
The present disclosure also provides a computer-readable storage medium, which may be contained in the apparatus/device/system described in the above embodiments; or may exist separately and not be assembled into the device/apparatus/system. The computer-readable storage medium carries one or more programs which, when executed, implement the method according to an embodiment of the disclosure.
According to an embodiment of the present disclosure, the computer-readable storage medium may be a non-volatile computer-readable storage medium. Examples may include, but are not limited to: a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present disclosure, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
For example, according to embodiments of the present disclosure, a computer-readable storage medium may include the ROM 902 and/or the RAM 903 described above and/or one or more memories other than the ROM 902 and the RAM 903.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
Those skilled in the art will appreciate that various combinations and/or combinations of features recited in the various embodiments and/or claims of the present disclosure can be made, even if such combinations or combinations are not expressly recited in the present disclosure. In particular, various combinations and/or combinations of the features recited in the various embodiments and/or claims of the present disclosure may be made without departing from the spirit or teaching of the present disclosure. All such combinations and/or associations are within the scope of the present disclosure.
The embodiments of the present disclosure have been described above. However, these examples are for illustrative purposes only and are not intended to limit the scope of the present disclosure. Although the embodiments are described separately above, this does not mean that the measures in the embodiments cannot be used in advantageous combination. The scope of the disclosure is defined by the appended claims and equivalents thereof. Various alternatives and modifications can be devised by those skilled in the art without departing from the scope of the present disclosure, and such alternatives and modifications are intended to be within the scope of the present disclosure.

Claims (25)

1. An authorization method, applied to an authorization server, comprising:
in response to a received authorization request, generating an authentication token, the authentication token including user information, the user information in the authentication token being cached in a preset storage space; and
sending an authentication request to an authentication server, the authentication request carrying the authentication token, so that the authentication server performs authentication based on the authentication token to obtain an authentication result, returns the authentication result to the authorization server, and deletes the user information from the preset storage space.
2. The method of claim 1, wherein the authentication token further includes first timestamp information, the first timestamp information indicating a generation time or a sending time of the authentication token.
3. The method of claim 1, wherein the authorization request carries an identifier of a sender of the authorization request, and the authentication token further includes the identifier of the sender.
4. The method of claim 1, further comprising:
acquiring login information input by a user;
verifying whether the login information is correct;
if the login information is correct, returning authorization confirmation prompt information to a resource client; and
receiving authorization confirmation information returned by an authorization client based on the authorization confirmation prompt information, and performing the operation of acquiring the user information from the preset storage space in response to the received authorization request.
5. The method of claim 4, wherein:
when the authentication result is that the authentication is passed, the user information returned by the authentication server is received; and
the user information is sent to a login client that invokes the resource client to log in, so that the login client is logged in successfully.
6. The method of any one of claims 1 to 5, further comprising, before sending the authentication request to the authentication server:
encrypting and signing the authentication token.
7. An authorization method, applied to an authentication server, comprising:
in response to a received authentication request carrying an authentication token, performing authentication based on the authentication token to obtain an authentication result, the authentication token being generated by an authorization server, the authentication token including user information, the user information in the authentication token being cached in a preset storage space;
returning the authentication result to the authorization server; and
deleting the user information from the preset storage space.
8. The method of claim 7, wherein the authentication token further includes first timestamp information, the first timestamp information indicating a generation time or a sending time of the authentication token, and performing authentication based on the authentication token to obtain the authentication result comprises:
parsing the authentication token to obtain the first timestamp information;
acquiring a current timestamp;
calculating a difference between the current timestamp and the first timestamp;
judging whether the difference satisfies a preset condition;
if the difference does not satisfy the preset condition, the authentication result is authentication failure; and
if the difference satisfies the preset condition, the authentication result is that the authentication is passed.
9. The method of claim 7, wherein the authorization request carries an identifier of a sender of the authorization request, the authentication token further includes the identifier of the sender, and performing authentication based on the authentication token to obtain the authentication result comprises:
searching for the identifier of the sender in a preset identifier library, the identifier library storing the identifiers of all legal senders;
if the identifier of the sender is not found, the authentication result is authentication failure; and
if the identifier of the sender is found, the authentication result is that the authentication is passed.
10. The method of claim 7, wherein, when the authentication result is that the authentication is passed, returning the authentication result to the authorization server comprises:
sending the user information to the authorization server, so that the authorization server sends the user information to a login client that invokes the resource client to log in, so that the login client is logged in successfully.
11. The method of any one of claims 7 to 10, further comprising, before performing authentication based on the authentication token to obtain the authentication result:
decrypting the authentication token and verifying its signature;
if the decryption and signature verification succeed, performing the operation of performing authentication based on the authentication token to obtain the authentication result; and
if the decryption and/or signature verification fails, sending prompt information indicating the failure of the decryption and/or signature verification to the authorization server.
12. An authorization server, comprising:
an authentication token generation module, configured to generate an authentication token in response to a received authorization request, the authentication token including user information, the user information in the authentication token being cached in a preset storage space; and
a request sending module, configured to send an authentication request to an authentication server, the authentication request carrying the authentication token, so that the authentication server performs authentication based on the authentication token to obtain an authentication result, returns the authentication result to the authorization server, and deletes the user information from the preset storage space.
13. The authorization server of claim 12, wherein the authentication token further includes first timestamp information, the first timestamp information indicating a generation time or a sending time of the authentication token.
14. The authorization server of claim 12, wherein the authorization request carries an identifier of a sender of the authorization request, and the authentication token further includes the identifier of the sender.
15. The authorization server of claim 12, further comprising:
a login information acquisition module, configured to acquire login information input by a user;
a login information verification module, configured to verify whether the login information is correct;
a confirmation information return module, configured to return authorization confirmation prompt information to a resource client if the login information is correct; and
a confirmation information receiving module, configured to receive authorization confirmation information returned by an authorization client based on the authorization confirmation prompt information, and to perform the operation of acquiring the user information from the preset storage space in response to the received authorization request.
16. The authorization server of claim 15, wherein:
a user information receiving module is configured to receive the user information returned by the authentication server when the authentication result is that the authentication is passed; and
a user information sending module is configured to send the user information to a login client that invokes the resource client to log in, so that the login client is logged in successfully.
17. The authorization server of any one of claims 12 to 16, further comprising:
a processing module, configured to encrypt and sign the authentication token.
18. An authentication server, comprising:
an authentication module, configured to perform authentication based on an authentication token in response to a received authentication request carrying the authentication token, to obtain an authentication result, the authentication token being generated by an authorization server, the authentication token including user information, the user information in the authentication token being cached in a preset storage space;
an authentication result return module, configured to return the authentication result to the authorization server; and
a user information deletion module, configured to delete the user information from the preset storage space.
19. The authentication server of claim 18, wherein the authentication token further includes first timestamp information, the first timestamp information indicating a generation time or a sending time of the authentication token, and the authentication module comprises:
a parsing submodule, configured to parse the authentication token to obtain the first timestamp information;
a timestamp acquisition submodule, configured to acquire a current timestamp;
a calculation submodule, configured to calculate a difference between the current timestamp and the first timestamp;
a judgment submodule, configured to judge whether the difference satisfies a preset condition;
a first determination submodule, configured to determine that the authentication result is authentication failure if the difference does not satisfy the preset condition; and
a second determination submodule, configured to determine that the authentication result is that the authentication is passed if the difference satisfies the preset condition.
20. The authentication server of claim 18, wherein the authorization request carries an identifier of a sender of the authorization request, the authentication token further includes the identifier of the sender, and the authentication module comprises:
The authentication server according to claim 18, wherein the authorization request carries the identifier of the sender of the authorization request, the authentication token further comprises the identifier of the sender, and the authentication module comprises: 查找子模块,用于在预设的标识库中查找所述发送方的标识,所述标识库中存储所有合法的发送方的标识;A search submodule, used for searching the identifier of the sender in a preset identifier library, where the identifiers of all legal senders are stored in the identifier library; 第一判定子模块,还用于若没有查找到所述发送方的标识,则所述鉴权结果为鉴权失败;The first determination sub-module is also used for if the identifier of the sender is not found, the authentication result is an authentication failure; 第二判定子模块,还用于若查找到所述发送方的标识,则所述鉴权结果为鉴权通过。The second determination sub-module is further configured to, if the identifier of the sender is found, the authentication result is that the authentication is passed. 21.根据权利要求18所述的鉴权服务器,当所述鉴权结果为鉴权通过时,所述鉴权结果返回模块具体由于将所述用户信息发送给所述授权服务器,以使所述授权服务器将所述用户信息发送给调用所述资源客户端进行登录的登录客户端,以成功登录所述登录客户端。21. The authentication server according to claim 18, when the authentication result is that the authentication passes, the authentication result returning module is specifically due to sending the user information to the authorization server, so that the The authorization server sends the user information to the login client that invokes the resource client to log in, so as to successfully log in to the login client. 22.根据权利要求18至21任意一项所述的鉴权服务器,还包括:22. 
The authentication server according to any one of claims 18 to 21, further comprising: 解处理模块,用于对所述鉴权令牌进行解密和验签处理;a solution processing module for decrypting and verifying signature of the authentication token; 所述鉴权模块,还用于若所述解密和验签处理成功,则执行所述基于所述鉴权令牌进行鉴权,得到鉴权结果的操作;The authentication module is further configured to perform the operation of performing authentication based on the authentication token to obtain an authentication result if the decryption and signature verification processes are successful; 信息发送模块,用于若所述解密和/或验签处理失败,则向所述授权服务器发送解密和/或验签处理失败的提示信息。An information sending module, configured to send a message indicating that the decryption and/or signature verification processing fails to the authorization server if the decryption and/or signature verification processing fails. 23.一种授权系统,包括:如权利要求12至17任意一项所述的授权服务器,以及,如权利要求18至22任意一项所述的鉴权服务器。23. An authorization system, comprising: the authorization server according to any one of claims 12 to 17, and the authentication server according to any one of claims 18 to 22. 24.一种计算机系统,包括:24. A computer system comprising: 一个或多个处理器;one or more processors; 存储器,用于存储一个或多个程序,memory for storing one or more programs, 其中,当所述一个或多个程序被所述一个或多个处理器执行时,使得所述一个或多个处理器实现权利要求1至6中任一项所述的方法,或者,实现权利要求7至11中任一项所述的方法。Wherein, when the one or more programs are executed by the one or more processors, the one or more processors cause the one or more processors to implement the method of any one of claims 1 to 6, or, to implement the claim The method of any one of claims 7 to 11. 25.一种计算机可读存储介质,其上存储有可执行指令,该指令被处理器执行时使处理器实现权利要求1至6中任一项所述的方法,或者,实现权利要求7至11中任一项所述的方法。25. A computer-readable storage medium having executable instructions stored thereon which, when executed by a processor, cause the processor to implement the method of any one of claims 1 to 6, or, to implement claims 7 to 7 The method of any one of 11.
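The token handling claimed above (claims 12 and 17 for the authorization server; claims 18 to 22 for the authentication server: verify the signature and decrypt, check the timestamp difference against a preset condition, look up the sender identifier in an identifier library, return the user information and delete it from the preset storage space) worked through as one Go example. This is added here and is not code from the patent or from ICBC. AES-256-GCM for the encryption, Ed25519 for the signature, a 60-second window as the preset condition, an in-memory map as the preset storage space, the sender identifier resource-client-A and all type, field and function names are the example's own assumptions; the patent does not fix any of them.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

type tokenPayload struct { // plaintext protected by the authorization server (field names assumed)
	TokenID  string // key under which the user information is cached
	UserInfo string // the user information carried by the token
	SenderID string // identifier of the authorization-request sender
	IssuedAt int64  // first timestamp: generation time, Unix seconds
}

const maxSkew = 60 * time.Second // assumed "preset condition" on the timestamp difference

var (
	errSignature = errors.New("signature verification failed")
	errDecrypt   = errors.New("decryption failed")
	errExpired   = errors.New("timestamp difference exceeds the allowed window")
	errSender    = errors.New("sender identifier not found in identifier library")
	errConsumed  = errors.New("user information no longer cached (token already used)")
)

type authzServer struct {
	aead    cipher.AEAD
	signKey ed25519.PrivateKey
	store   map[string]string // shared map standing in for the "preset storage space"
}
type authnServer struct {
	aead      cipher.AEAD
	verifyKey ed25519.PublicKey
	senders   map[string]bool // the identifier library of legitimate senders
	store     map[string]string
}

// issue caches the user information, then encrypts and signs the token (claims 12, 17).
func (a *authzServer) issue(tokenID, userInfo, senderID string, now time.Time) []byte {
	a.store[tokenID] = userInfo
	plain, _ := json.Marshal(tokenPayload{tokenID, userInfo, senderID, now.Unix()})
	nonce := make([]byte, a.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	sealed := a.aead.Seal(nonce, nonce, plain, nil) // layout: nonce || AES-256-GCM ciphertext
	return append(sealed, ed25519.Sign(a.signKey, sealed)...) // ... || Ed25519 signature over both
}

// authenticate verifies the signature and decrypts (claim 22), checks the timestamp window
// (claim 19) and sender identifier (claim 20), returns the user information and deletes it (18, 21).
func (s *authnServer) authenticate(token []byte, now time.Time) (string, error) {
	ns, n := s.aead.NonceSize(), len(token)-ed25519.SignatureSize
	if n < ns || !ed25519.Verify(s.verifyKey, token[:n], token[n:]) {
		return "", errSignature // any tampering with nonce or ciphertext ends here
	}
	plain, err := s.aead.Open(nil, token[:ns], token[ns:n], nil)
	var p tokenPayload
	if err != nil || json.Unmarshal(plain, &p) != nil {
		return "", errDecrypt
	}
	if d := now.Sub(time.Unix(p.IssuedAt, 0)); d > maxSkew || d < -maxSkew {
		return "", errExpired
	}
	if !s.senders[p.SenderID] {
		return "", errSender
	}
	cached, ok := s.store[p.TokenID]
	if !ok || cached != p.UserInfo {
		return "", errConsumed
	}
	delete(s.store, p.TokenID) // single use: replaying the same token now fails
	return cached, nil
}

// newPair builds both servers with a fresh AES-256 key, an Ed25519 key pair and a shared cache.
func newPair() (*authzServer, *authnServer) {
	raw := make([]byte, 32+ed25519.SeedSize)
	if _, err := rand.Read(raw); err != nil {
		panic(err)
	}
	block, _ := aes.NewCipher(raw[:32]) // 32-byte key and standard GCM: these cannot fail
	aead, _ := cipher.NewGCM(block)
	priv := ed25519.NewKeyFromSeed(raw[32:])
	store, senders := map[string]string{}, map[string]bool{"resource-client-A": true} // assumed library
	return &authzServer{aead, priv, store}, &authnServer{aead, priv.Public().(ed25519.PublicKey), senders, store}
}
func main() {
	az, an := newPair()
	tok := az.issue("t1", "alice", "resource-client-A", time.Now())
	fmt.Println(an.authenticate(tok, time.Now())) // alice <nil>
	fmt.Println(an.authenticate(tok, time.Now())) // replay: "user information no longer cached ..."
}
```

Two design points worth noting. The signature is checked before any decryption is attempted, so a tampered or forged token is rejected without ever touching the AEAD, and the failure notification of claims 11 and 22 is modelled by the distinct errSignature and errDecrypt return values. The cache entry is deleted only when a token is accepted; a token rejected for a stale timestamp or an unknown sender leaves its entry behind, so a real deployment would also need a time-to-live on the storage space, which the claims do not specify.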
CN202110853651.5A 2021-07-27 2021-07-27 Authorization method, server, system and storage medium Active CN113505397B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110853651.5A CN113505397B (en) 2021-07-27 2021-07-27 Authorization method, server, system and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110853651.5A CN113505397B (en) 2021-07-27 2021-07-27 Authorization method, server, system and storage medium

Publications (2)

Publication Number Publication Date
CN113505397A true CN113505397A (en) 2021-10-15
CN113505397B CN113505397B (en) 2025-01-10

Family

ID=78014263

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110853651.5A Active CN113505397B (en) 2021-07-27 2021-07-27 Authorization method, server, system and storage medium

Country Status (1)

Country Link
CN (1) CN113505397B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114219416A (en) * 2021-11-04 2022-03-22 北京来也网络科技有限公司 RPA robot floating authorization method and device combining RPA and AI and storage medium

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108259502A (en) * 2018-01-29 2018-07-06 平安普惠企业管理有限公司 Authentication method for obtaining interface access rights, server side and storage medium
US20180337783A1 (en) * 2015-02-27 2018-11-22 Feitian Technologies Co., Ltd. Operating method for push authentication system and device
CN109347888A (en) * 2018-12-21 2019-02-15 北京博明信德科技有限公司 RESTful-based authentication method, gateway and authentication device
CN109587126A (en) * 2018-11-26 2019-04-05 平安科技(深圳)有限公司 User authority authentication method and system
CN109617907A (en) * 2019-01-04 2019-04-12 平安科技(深圳)有限公司 Authentication method, electronic device and computer readable storage medium
CN111245774A (en) * 2018-11-29 2020-06-05 阿里巴巴集团控股有限公司 Resource request processing method, device and system
CN111770088A (en) * 2020-06-29 2020-10-13 南方电网科学研究院有限责任公司 Data authentication method, apparatus, electronic device and computer-readable storage medium

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Hua: "Several common authorization and authentication technologies (5)" (几种常见的授权和鉴权技术(五)), 自动化博览 (Automation Panorama), no. 12 *

Also Published As

Publication number Publication date
CN113505397B (en) 2025-01-10

Similar Documents

Publication Publication Date Title
US9848328B2 (en) User authentication in a mobile environment
JP5429912B2 (en) Authentication system, authentication server, service providing server, authentication method, and program
CN104967604B (en) Login method and system
CN110958119A (en) Identity verification method and device
CN112491778A (en) Authentication method, device, system and medium
CN113572763B (en) Data processing method and device, electronic equipment and storage medium
CN114553570B (en) Method, device, electronic equipment and storage medium for generating token
CN111355726A (en) Identity authorization login method and device, electronic equipment and storage medium
US20230186304A1 (en) Transaction Validation Service
CN107920060B (en) Data access method and device based on account
CN112131021A (en) Access request processing method and device
US11977620B2 (en) Attestation of application identity for inter-app communications
CN113282951A (en) Security verification method, device and equipment for application program
CN106533685B (en) Identity authentication method, device and system
CN113949566B (en) Resource access method, device, electronic equipment and medium
CN106331003A (en) A method and device for accessing an application portal system on a cloud desktop
US11539711B1 (en) Content integrity processing on browser applications
CN113505397B (en) Authorization method, server, system and storage medium
CN112769565B (en) Method, device, computing equipment and medium for upgrading cryptographic algorithm
CN114244525A (en) Request data processing method, device, equipment and storage medium
CN113190812A (en) Login method, system, electronic equipment and storage medium
WO2022088710A1 (en) Mirror image management method and apparatus
CN110399706B (en) Authorization authentication method, device and computer system
TWI546698B (en) Login system based on servers, login authentication server, and authentication method thereof
US20230396618A1 (en) Token based identity verification and consent management

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant