
CN120354390A - Implementation method for constructing unified user authentication center based on OIDC framework - Google Patents

Implementation method for constructing unified user authentication center based on OIDC framework

Info

Publication number
CN120354390A
Authority
CN
China
Prior art keywords
user
token
unified
oidc
authentication
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202510821631.8A
Other languages
Chinese (zh)
Inventor
刘志辉
王东
江俊鹏
李青
满涛
吕博
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Institute Of Scientific And Technical Information Of China
Original Assignee
Institute Of Scientific And Technical Information Of China
Application filed by Institute Of Scientific And Technical Information Of China


Abstract

The invention discloses an implementation method for constructing a unified user authentication center based on the OIDC framework, comprising the steps of: S1, integrating user data sources and constructing a unified science and technology management user information base; S2, constructing a unified user authentication center for the science and technology management industry; S3, upgrading the relevant functions of each service platform system of the industry, completing the integration with the OIDC unified user authentication service and realizing unified identity management; S4, jointly debugging the system interfaces of each service platform to ensure seamless cooperation between every service platform and the OIDC unified user authentication center. The method solves the problems of cross-system and cross-platform identity management and authority control in science and technology management informatization, realizes efficient and secure user identity management, strengthens system security, improves convenience, reduces the complexity of system integration and improves the management efficiency of the information systems.

Description

Implementation method for constructing unified user authentication center based on OIDC framework
Technical Field
The invention relates to the technical field of computer information security, in particular to an implementation method for constructing a unified user authentication center based on the OIDC framework.
Background
With the rapid growth of the Internet, the number and variety of network applications have increased explosively, and user authentication and authorization mechanisms are key to guaranteeing network security and privacy. On the one hand, users must frequently log in to many different applications, each of which requires a separate account and password; this is a heavy memory burden and cumbersome to operate. For example, a user may hold accounts on a social network, an e-commerce platform and online office software, and must re-enter login information each time they switch applications, which is a poor experience. On the other hand, it is costly and difficult for application developers and service providers to build and maintain a secure authentication system of their own, and since different applications adopt different authentication approaches, cross-application collaboration and sharing of user resources face many obstacles.
Meanwhile, with the rise of emerging technologies such as cloud computing and microservice architectures, interaction between applications is more frequent and the demand for authorized access to APIs keeps increasing. In this context there is an urgent need for a standardized, general authentication and authorization solution that allows seamless interfacing between different applications and efficient sharing of user identity information.
Currently, the mainstream authentication and authorization frameworks include OAuth 2.0, SAML, Kerberos and WS-Federation. (1) OAuth 2.0 is a widely used authorization framework that works well for API authorization, but it was not designed for user authentication. Some OAuth 2.0 deployments attempt to solve the user authentication problem by adding proprietary extensions, but there is no unified, canonical standard practice for doing so. (2) SAML is an older XML-based standard and may face more compatibility problems and complexity when integrated with newer applications. (3) Kerberos is mainly used for identity authentication in local area network environments and generally depends on a specific operating system and network environment, such as a Windows domain; its use in cloud environments may be limited and requires additional configuration and adaptation. (4) WS-Federation is an identity federation standard based on SOAP; it is relatively complex and difficult to configure and use, and, being SOAP-based, may not fit applications built on a RESTful architecture.
In the science and technology management industry, user information is spread across multiple sources and user center management is traditional and single-purpose. With users logging in repeatedly to multiple systems, unified management of role definitions and system permissions cannot be achieved, and discrepancies between users' permission scopes cannot be avoided. Role definitions and authorization differ arbitrarily between systems and are not standardized, which hinders information sharing between systems and increases management cost. By default, user roles are managed and maintained by each system; the user center is not responsible for managing the permissions of each system, so the functions a user may access and the data scope they may reach cannot be constrained or supervised.
At present, the industry also cannot record a user's multiple identity certificates or multiple terminals (PC, mobile and the like) at the same time; the data are redundant and out of sync, making unified user management difficult. In principle each user in a system has exactly one valid identity certificate, but as more and more foreign scientists actively take part in national science and technology planning projects, foreign researchers holding legal identities are increasingly common, and a user may hold several different valid certificates. The binding and uniqueness of a logged-in user's multiple certificates therefore has to be guaranteed through a unified user management and authentication mechanism.
The system also faces the challenge of spanning domestic and non-domestic platforms while ensuring security, reducing integration cost and complying with national information security management requirements. Since the science and technology management information systems have partially completed domestic substitution, the unified user authentication center must be compatible with both domestic and non-domestic platforms, solve the industry's cross-platform and standardization compatibility problem, and address the earlier problems that heterogeneous systems lacked unified authentication logic, required repeated development and had high integration cost.
Disclosure of Invention
The invention aims to provide an implementation method for constructing a unified user authentication center based on the OIDC framework, so as to solve the problems in the prior art.
In order to achieve the above purpose, the technical scheme adopted by the invention is as follows:
An implementation method for constructing a unified user authentication center based on the OIDC framework comprises the following steps:
S1, integrating user data sources to construct a unified science and technology management user information base;
S2, constructing a unified user authentication center for the science and technology management industry, which provides user identity authentication, dynamic authorization management, token lifecycle management, full-lifecycle user information management, single sign-on, and security audit and logging;
S3, upgrading the relevant functions of each service platform system in the industry and completing the integration with the OIDC unified user authentication service to realize unified identity management, comprising preliminary preparation for upgrading the science and technology management systems and integration of the user authentication, user information, token verification and single sign-on services;
S4, comprehensively joint-debugging the system interfaces of all service platforms in the industry to ensure seamless cooperation between every service platform and the OIDC unified user authentication center.
Preferably, the science and technology management user information base comprises a client login configuration table, a login log record table, a client registration information table, a user-client relationship table, a unit information table, a role information table, a user information table and a user-unit relationship table;
the client login configuration table stores the client id, creation time, client login URL and client login verification mode;
the login log record table stores the login account, login IP address, login time, login state and login error information;
the client registration information table stores the client id, client authorization start time, client secret, client authentication mode and authorization scope;
the user-client relationship table stores the client id, user id, creation time and user type;
the unit information table stores unit names, unit numbers, unit addresses and legal representative names;
the role information table stores role names, role numbers and role types;
the user information table stores user names, user numbers, user accounts, user password ciphertext (in practice a salted password hash rather than a reversible ciphertext) and certificate numbers;
the user-unit relationship table stores user ids and unit ids.
Preferably, the user identity authentication service realizes unified identity authentication based on the OIDC protocol, supports the multi-level security policies and compliance requirements of the industry, verifies the identity information of science and technology management users, and ensures that each user is a legitimate visitor;
the dynamic authorization management is based on role-based access control (RBAC) and realizes fine-grained permission control, supporting dynamic role allocation and permission elevation for scientific research projects; it defines which applications, services or data a user may access and which operations the user may perform on those resources;
the token lifecycle management covers the generation, issuance and verification of access tokens and ID tokens, ensures token security, prevents leakage and abuse, and meets the high security requirements of the science and technology management scenario; after a user is successfully authenticated and authorized, the unified user authentication center generates an access token and an ID token, which contain user information and other related claims, are digitally signed by the authentication center, and have a limited validity period, so that the authenticity and integrity of the tokens can be guaranteed;
the full-lifecycle user information management realizes centralized storage, dynamic synchronization and compliance management of science and technology management user data: a unified user storage architecture stores and manages users' basic information, industry-specific data structures and table designs ensure data integrity and consistency, synchronization is driven by the SCIM protocol so that updates to user information are propagated, sensitive data are desensitized through claims and access control and transmitted encrypted as JWE, and users' roles, permissions and authentication history are managed alongside;
the single sign-on means that, through SSO token passing and SSO session management, a science and technology management user signs in to one application once and can then access resources in the other applications integrated with the unified user authentication center without logging in again;
the security audit and logging records users' authentication and authorization activities in logs for security audit and fault investigation; the logs are regularly audited for abnormal activity or security vulnerabilities, and a risk rule engine and an audit data visualization dashboard are built to realize real-time monitoring and alerting for the system's user identity authentication management.
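As an added example (not code from the patent), the following shows what the risk rule engine described above can look like when run over rows of the login log record table: three rules over the (account, IP address, time, state, error) fields that raise the kind of alerts the audit dashboard would display. The log rows are constructed sample data, and the rule names, thresholds and time windows are assumptions made for this illustration.

```python
# Added example (not from the patent): a small risk-rule engine that scans the
# login log record table described above and raises the kind of alerts the
# audit dashboard would show.  The log rows are constructed sample data; the
# rule names, thresholds and windows are assumptions for this illustration.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rows in the shape of the login log record table:
# (login account, login IP address, login time, login state, login error info)
SAMPLE_LOG = [
    ("zhang.wei", "10.0.0.5",     "2025-06-01T09:00:01", "FAIL", "bad password"),
    ("zhang.wei", "10.0.0.5",     "2025-06-01T09:00:04", "FAIL", "bad password"),
    ("zhang.wei", "10.0.0.5",     "2025-06-01T09:00:07", "FAIL", "bad password"),
    ("zhang.wei", "10.0.0.5",     "2025-06-01T09:00:09", "FAIL", "bad password"),
    ("zhang.wei", "10.0.0.5",     "2025-06-01T09:00:12", "FAIL", "bad password"),
    ("zhang.wei", "10.0.0.5",     "2025-06-01T09:00:15", "OK",   ""),
    ("li.na",     "203.0.113.9",  "2025-06-01T10:00:00", "FAIL", "bad password"),
    ("wang.fang", "203.0.113.9",  "2025-06-01T10:00:20", "FAIL", "bad password"),
    ("liu.yang",  "203.0.113.9",  "2025-06-01T10:00:40", "FAIL", "bad password"),
    ("chen.jing", "203.0.113.9",  "2025-06-01T10:01:00", "FAIL", "unknown account"),
    ("li.na",     "198.51.100.7", "2025-06-01T11:00:00", "OK",   ""),
]

def _failures_by_ip(rows):
    """Group failed logins by source IP as sorted (time, account) pairs."""
    by_ip = defaultdict(list)
    for account, ip, ts, state, _err in rows:
        if state != "OK":
            by_ip[ip].append((datetime.fromisoformat(ts), account))
    return {ip: sorted(ev) for ip, ev in by_ip.items()}

def failure_bursts(rows, threshold=5, window=timedelta(seconds=60)):
    """Rule 1 (brute force): >= threshold failures from one IP inside window."""
    alerts = []
    for ip, events in _failures_by_ip(rows).items():
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1                      # slide the window forward
            if end - start + 1 >= threshold:
                alerts.append(("BRUTE_FORCE", ip, events[end][0].isoformat()))
                break                           # one alert per IP is enough
    return alerts

def password_spray(rows, min_accounts=3, window=timedelta(minutes=5)):
    """Rule 2 (password spraying): one IP failing against many distinct accounts."""
    alerts = []
    for ip, events in _failures_by_ip(rows).items():
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            accounts = {a for _, a in events[start:end + 1]}
            if len(accounts) >= min_accounts:
                alerts.append(("PASSWORD_SPRAY", ip, sorted(accounts)))
                break
    return alerts

def success_after_failures(rows, min_failures=5):
    """Rule 3 (possibly guessed credential): a successful login that directly
    follows >= min_failures consecutive failures on the same account."""
    alerts, streak = [], defaultdict(int)
    for account, ip, _ts, state, _err in sorted(rows, key=lambda r: r[2]):
        if state == "OK":
            if streak[account] >= min_failures:
                alerts.append(("SUCCESS_AFTER_BURST", account, ip))
            streak[account] = 0
        else:
            streak[account] += 1
    return alerts

def evaluate_login_log(rows):
    """Run all rules; the result feeds the alerting and the audit dashboard."""
    return failure_bursts(rows) + password_spray(rows) + success_after_failures(rows)

if __name__ == "__main__":
    for alert in evaluate_login_log(SAMPLE_LOG):
        print(alert)
```

Rule 3 is the one most worth keeping in a real deployment: a success right after a burst of failures on the same account is the signature of a guessed password, and it is invisible to rules that only count failures.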
Preferably, the preliminary preparation for upgrading the science and technology management systems consists of evaluating the existing systems and planning the transformation, including surveying the existing authentication mechanisms, defining the integration scope and formulating a compatibility scheme; registration of the OIDC client is completed by registering the client with the OIDC Provider and configuring the key parameters;
the user authentication function integration is implemented by discovering the OIDC unified user authentication service metadata when a user accesses a science and technology management system, redirecting the user to the authentication service to log in, and processing the authentication service's callback;
the user information acquisition function integration is implemented by each service platform using the access token to obtain the user information, parsing it and using it within the service platform;
the token verification function integration comprises verifying the validity of access tokens and handling token expiration and refresh on every service platform;
the single sign-on function integration is implemented by each service platform processing SSO tokens and participating in SSO session management.
Preferably, in the preliminary preparation for upgrading the science and technology management systems,
surveying the existing authentication mechanisms means listing the current authentication modes of all service platforms;
defining the integration scope means determining the functional modules to be integrated;
formulating the compatibility scheme means performing protocol conversion, through a reverse proxy or API gateway, for legacy systems that do not support OIDC.
Preferably, the user authentication function integration comprises:
discovering the OIDC unified user authentication service metadata: each science and technology management service platform must be able to discover the metadata of the OIDC unified user authentication service, obtaining the relevant configuration (endpoint URLs, supported algorithms and the location of the signing keys) from the authentication service's well-known discovery endpoint;
redirecting the user to the authentication service for login: when a science and technology management user needs to authenticate on a service platform, the platform redirects the user to the authorization endpoint of the OIDC unified user authentication service;
processing the authentication service's callback: after the user finishes logging in, the authentication service redirects the user back to the redirect URI registered by the service platform, carrying an authorization code or token; the service platform must be able to process this callback, extract the authorization code or token, and use it to obtain the user's identity information.
Preferably, in the user information acquisition function integration,
after obtaining the access token, the service platform sends a request carrying it to the userinfo endpoint of the OIDC unified user authentication service to obtain the user information;
after receiving the user information, the science and technology management service platform parses it and stores it in the platform's own user session for use in subsequent business processing.
Preferably, in the token verification function integration,
verifying the validity of the access token means that when a service platform receives a request carrying an access token it verifies the token, either by sending it to the token verification endpoint of the OIDC unified user authentication service or by checking its signature locally with the authentication service's public key (published through the JWKS endpoint listed in the discovery document); in either case the token's expiration time, issuer and intended audience are checked as well;
handling token expiration and refresh means that if the access token has expired, the service platform must handle the situation and request a new access token from the authentication service using the refresh token; the service platform therefore stores the refresh token together with the user session and uses it to obtain a new access token when needed.
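As an added example (not code from the patent), the following shows the service-platform side of the two points above: local verification of a signed token with the checks done in the right order, and a refresh that is attempted only when the sole failure is expiry. The patent specifies RS256/ES256 signatures verified with the authentication center's public key; to run with the Python standard library alone this illustration swaps in HS256 (HMAC-SHA256 with a shared key), which changes only the signature primitive, not the checks. The issuer URL, client_id, key, the in-memory refresh-token store and all function names are assumptions.

```python
# Added example (not from the patent): service-platform-side token verification
# and refresh handling for the integration step above.  The patent specifies
# RS256/ES256 verified with the authentication center's public key; to stay
# dependency-free this illustration swaps in HS256 (HMAC-SHA256, shared key).
# The verification checks are otherwise the same.  ISSUER, CLIENT_ID, KEY, the
# refresh-token store and all function names are assumptions.
import base64, hashlib, hmac, json, secrets, time

ISSUER = "https://auth.example.invalid"          # assumed issuer of the auth center
CLIENT_ID = "sci-platform-a"                     # assumed client_id of this platform
KEY = b"demo-hs256-key-stand-in-for-op-key"      # stand-in for the OP's RSA/EC key

def _b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_jwt(claims: dict, key: bytes = KEY) -> str:
    """Authentication-center side: mint a compact JWS over the claims."""
    parts = [json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")),
             json.dumps(claims, separators=(",", ":"))]
    signing_input = ".".join(_b64u(p.encode()) for p in parts)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64u(sig)

def verify_jwt(token: str, key: bytes = KEY, issuer: str = ISSUER,
               audience: str = CLIENT_ID, now: float = None, leeway: int = 30) -> dict:
    """Service-platform side: local verification of an access/ID token.
    Order matters: pin the algorithm (rejects alg=none and algorithm confusion)
    before trusting anything, then signature, then iss, aud and exp."""
    now = time.time() if now is None else now
    pieces = token.split(".")
    if len(pieces) != 3:
        raise ValueError("malformed token")
    head, payload, sig = pieces
    if json.loads(_b64u_decode(head)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{head}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64u_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64u_decode(payload))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if claims.get("exp", 0) + leeway < now:
        raise ValueError("expired")
    return claims

def refresh_grant(refresh_token: str, store: dict, now: float, ttl: int = 300) -> dict:
    """Simulated token endpoint (grant_type=refresh_token): a known, unused
    refresh token yields a new short-lived access token and is rotated, so a
    leaked old refresh token cannot be replayed."""
    sub = store.pop(refresh_token, None)
    if sub is None:
        raise ValueError("unknown or already used refresh token")
    new_refresh = secrets.token_urlsafe(32)
    store[new_refresh] = sub
    access = issue_jwt({"iss": ISSUER, "aud": CLIENT_ID, "sub": sub,
                        "iat": int(now), "exp": int(now) + ttl})
    return {"access_token": access, "refresh_token": new_refresh}

def current_access_token(session: dict, store: dict, now: float) -> str:
    """Return a valid access token for the stored user session, refreshing it
    (and updating the session) only when the old one has expired; any other
    verification failure is a real error and must not be hidden by a refresh."""
    try:
        verify_jwt(session["access_token"], now=now)
        return session["access_token"]
    except ValueError as err:
        if str(err) != "expired":
            raise
    session.update(refresh_grant(session["refresh_token"], store, now))
    return session["access_token"]

def new_session(sub: str, store: dict, now: float, ttl: int = 300) -> dict:
    """What the platform stores after a successful login: access + refresh token."""
    refresh = secrets.token_urlsafe(32)
    store[refresh] = sub
    return {"access_token": issue_jwt({"iss": ISSUER, "aud": CLIENT_ID, "sub": sub,
                                       "iat": int(now), "exp": int(now) + ttl}),
            "refresh_token": refresh}
```

With the real RS256/ES256 setup the only change is in `verify_jwt`: the pinned algorithm becomes the one advertised in the discovery document and the HMAC comparison becomes a public-key signature check against the key from the JWKS endpoint; the issuer, audience and expiry checks stay exactly as shown.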
Preferably, in the single sign-on function integration,
processing the SSO token means that a service platform wishing to support single sign-on must process the SSO token issued by the OIDC unified user authentication service: when a user logs in on one service platform integrated with the OIDC unified user authentication service, the authentication service issues an SSO token, which can then be used on the other integrated service platforms to realize single sign-on;
participating in SSO session management means that the service platform takes part in the SSO session management of the OIDC unified user authentication service: when a user logs out on one service platform, the authentication service notifies the other integrated service platforms so that they terminate that user's sessions, realizing single sign-out (the mechanism that OIDC standardizes as back-channel or front-channel logout).
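As an added example (not code from the patent), the following models the single sign-out described above in the style of OIDC back-channel logout: the authentication center records which service platforms joined each SSO session and pushes one logout event to each of them, and each platform accepts the event only if it is authentic, comes from the expected issuer, is addressed to that platform and carries the logout event type. A real logout token is a signed JWT that the platform verifies like an ID token; this illustration swaps in an HMAC tag over the event so it runs with the standard library alone. The issuer URL, key, class and method names are assumptions.

```python
# Added example (not from the patent): single sign-out across service platforms,
# modelled on OIDC back-channel logout.  A real logout token is a signed JWT
# verified like an ID token; here an HMAC tag over the event stands in for it.
# ISSUER, LOGOUT_KEY and all class/method names are assumptions.
import hashlib, hmac, json, secrets

ISSUER = "https://auth.example.invalid"         # assumed issuer of the auth center
LOGOUT_KEY = b"demo-key-stand-in-for-op-signing-key"
LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"

def _tag(event: dict) -> str:
    """HMAC over a canonical JSON encoding (stand-in for a JWS signature)."""
    canon = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(LOGOUT_KEY, canon, hashlib.sha256).hexdigest()

class ServicePlatform:
    """One science and technology management service platform (OIDC client)."""
    def __init__(self, client_id: str):
        self.client_id = client_id
        self.local_sessions = {}   # sid -> sub, the platform's own user sessions

    def establish_session(self, sid: str, sub: str) -> None:
        self.local_sessions[sid] = sub

    def is_logged_in(self, sid: str) -> bool:
        return sid in self.local_sessions

    def backchannel_logout(self, event: dict, tag: str) -> bool:
        """Logout endpoint: accept only an authentic event from our issuer,
        addressed to us and of the logout event type; then end the session."""
        if not hmac.compare_digest(_tag(event), tag):
            return False
        if event.get("iss") != ISSUER or event.get("aud") != self.client_id:
            return False
        if LOGOUT_EVENT not in event.get("events", {}):
            return False
        self.local_sessions.pop(event.get("sid"), None)
        return True

class AuthCenter:
    """Unified user authentication center: owner of the SSO session."""
    def __init__(self):
        self.sessions = {}   # sid -> {"sub": ..., "participants": {client_id: platform}}

    def login(self, sub: str) -> str:
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = {"sub": sub, "participants": {}}
        return sid

    def join(self, sid: str, platform: ServicePlatform) -> None:
        """A platform that signed the user in via this SSO session registers
        itself so it will be told when the session ends."""
        sess = self.sessions[sid]
        sess["participants"][platform.client_id] = platform
        platform.establish_session(sid, sess["sub"])

    def end_session(self, sid: str) -> list:
        """Single sign-out: fan out one logout event per participant, then
        forget the SSO session.  Returns the client_ids that acknowledged."""
        sess = self.sessions.pop(sid, None)
        if sess is None:
            return []
        acknowledged = []
        for client_id, platform in sess["participants"].items():
            event = {"iss": ISSUER, "aud": client_id, "sub": sess["sub"],
                     "sid": sid, "events": {LOGOUT_EVENT: {}}}
            if platform.backchannel_logout(event, _tag(event)):
                acknowledged.append(client_id)
        return acknowledged

def single_logout_demo():
    """User signs in on platforms A and B through one SSO session, then logs
    out on A; B's session must end too, and C (never joined) is unaffected."""
    op = AuthCenter()
    a, b, c = ServicePlatform("platform-a"), ServicePlatform("platform-b"), ServicePlatform("platform-c")
    sid = op.login("user-42")
    op.join(sid, a)
    op.join(sid, b)
    before = (a.is_logged_in(sid), b.is_logged_in(sid), c.is_logged_in(sid))
    acknowledged = op.end_session(sid)       # triggered by the logout request on A
    after = (a.is_logged_in(sid), b.is_logged_in(sid), c.is_logged_in(sid))
    return before, sorted(acknowledged), after
```

The per-event audience check is what stops one platform's logout endpoint from being driven by an event meant for another, and the event-type check is what stops an ordinary ID token (same issuer, same audience) from being replayed as a logout.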
Preferably, the specific process by which a science and technology management user accesses a resource service through the unified user authentication center is as follows:
A1, the user accesses a resource: a science and technology management user initiates, from a client, an access request to a science and technology management industry resource service; on receiving the request the resource service checks the user's login and authorization state and, if the user is not logged in or not authorized, starts the authorization process;
A2, constructing the authorization code request: the user enters login information on the unified login page; after receiving it, the authentication center verifies the user's identity against the unified user authentication center's science and technology management user information base, generates a one-time authorization code once verification passes, and redirects the user back to the redirect_uri registered by the resource service, carrying the generated authorization code in the redirect URL;
A3, constructing the token request: after the resource service's server receives the callback request carrying the authorization code, it extracts the authorization code from the URL and sends it, together with its client_id, client_secret and redirect_uri, to the authentication center's token endpoint;
A4, after receiving the resource service's token request, the authentication center first checks the client_id, redirect_uri and client_secret in the request to ensure that it comes from a legitimate client and that the callback address is correct, then checks the validity of the authorization code (that it was issued to this client, has not expired and has not been used before) and issues the access token;
A5, requesting the resource with the token: in subsequent requests to the resource service, the user's client carries the acquired access token;
A6, checking the token: after the resource service's server receives the user's request, it first extracts the access token from the request and submits it to the authentication center for verification;
A7, verification succeeds: if the verification result returned by the authentication center indicates that the access token is valid and legitimate and its authorization scope covers the current request, the resource service considers the user authorized to access the requested resource;
A8, the resource service's server fetches the requested resource content from its storage and returns it to the user's client, where the user can view or use it in the browser.
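As an added example (not code from the patent), the following runs the A1 to A8 exchange above, and the redirect/callback integration described earlier for the service platforms, with both sides in one process. The authentication center's endpoints are method calls rather than HTTPS requests to the URLs obtained from the discovery document, and the access token is opaque and checked through the token verification (introspection) endpoint, matching steps A6 and A7. The client id, secret, redirect URI, user account and all class and method names are assumptions.

```python
# Added example (not from the patent): the authorization-code exchange A1-A8
# above and the redirect/callback integration described earlier, with both sides
# in one process; the center's endpoints are method calls rather than HTTPS
# requests to discovered URLs, and access tokens are opaque and checked via the
# token verification (introspection) endpoint. All ids, secrets, URLs, users and
# names are assumptions.
import hashlib, secrets
from urllib.parse import parse_qs, urlencode, urlparse

def hash_password(password: str, salt: bytes) -> bytes:
    """Stored form of the password (user information table): salted PBKDF2."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class AuthCenter:
    """Unified user authentication center: users, registered clients,
    one-time authorization codes, opaque access tokens, introspection."""
    def __init__(self):
        self.clients = {}   # client_id -> (client_secret, redirect_uri, scope)
        self.users = {}     # account   -> (salt, password hash)
        self.codes = {}     # code      -> (client_id, redirect_uri, sub, scope, expires_at)
        self.tokens = {}    # token     -> (sub, client_id, scope, expires_at)
    def register_user(self, account, password):
        salt = secrets.token_bytes(16)
        self.users[account] = (salt, hash_password(password, salt))
    def authorize(self, client_id, redirect_uri, state, account, password, now):
        """A2: unified login page -> one-time code sent to the registered redirect_uri."""
        secret, registered_uri, scope = self.clients[client_id]
        if redirect_uri != registered_uri:
            raise ValueError("redirect_uri is not registered for this client")
        salt, pw_hash = self.users.get(account, (b"", b""))
        if not secrets.compare_digest(hash_password(password, salt), pw_hash):
            raise ValueError("authentication failed")
        code = secrets.token_urlsafe(32)
        self.codes[code] = (client_id, redirect_uri, account, scope, now + 60)
        return redirect_uri + "?" + urlencode({"code": code, "state": state})
    def token(self, client_id, client_secret, redirect_uri, code, now):
        """A4: client_id/client_secret/redirect_uri first, then the code (bound to
        this client and redirect_uri, unexpired, never used), then issue."""
        secret, registered_uri, _ = self.clients.get(client_id, (None, None, None))
        if secret is None or not secrets.compare_digest(secret, client_secret):
            raise ValueError("invalid client")
        entry = self.codes.pop(code, None)             # consumed on first use
        if entry is None:
            raise ValueError("invalid or already used code")
        c_id, c_uri, sub, scope, expires_at = entry
        if c_id != client_id or c_uri != redirect_uri or c_uri != registered_uri:
            raise ValueError("code was not issued to this client/redirect_uri")
        if now > expires_at:
            raise ValueError("code expired")
        access = secrets.token_urlsafe(32)
        self.tokens[access] = (sub, client_id, scope, now + 300)
        return {"access_token": access, "token_type": "Bearer", "expires_in": 300}
    def introspect(self, access_token, now):
        """A6/A7: token verification endpoint queried by the resource service."""
        entry = self.tokens.get(access_token)
        if entry is None or now > entry[3]:
            return {"active": False}
        sub, client_id, scope, _ = entry
        return {"active": True, "sub": sub, "client_id": client_id, "scope": scope}

class ServicePlatform:
    """A science and technology management resource service acting as OIDC client."""
    def __init__(self, op, client_id, client_secret, redirect_uri):
        self.op, self.client_id = op, client_id
        self.client_secret, self.redirect_uri = client_secret, redirect_uri
        self.pending = set()   # anti-CSRF states of in-flight logins
        self.sessions = {}     # session id -> access token
    def start_login(self):
        """A1: user not logged in -> begin authorization with a fresh state."""
        state = secrets.token_urlsafe(16)
        self.pending.add(state)
        return state
    def handle_callback(self, redirect_url, now):
        """A3: accept the callback only for a state we issued, then swap the code."""
        query = parse_qs(urlparse(redirect_url).query)
        state = query.get("state", [None])[0]
        if state not in self.pending:
            raise ValueError("unknown state (CSRF or replayed callback)")
        self.pending.discard(state)
        tokens = self.op.token(self.client_id, self.client_secret, self.redirect_uri,
                               query.get("code", [None])[0], now)
        session_id = secrets.token_urlsafe(16)
        self.sessions[session_id] = tokens["access_token"]
        return session_id
    def get_resource(self, session_id, required_scope, now):
        """A5-A8: introspect the bearer token; serve only if active and in scope."""
        token = self.sessions.get(session_id)
        info = self.op.introspect(token, now) if token else {"active": False}
        if not info["active"] or required_scope not in info["scope"].split():
            return 401, None
        return 200, f"project list for {info['sub']}"

def run_flow(now=1_750_000_000):
    """Constructed end-to-end run: one registered client, one user, one login."""
    op = AuthCenter()
    op.clients["sci-platform-a"] = ("s3cr3t", "https://a.example.invalid/cb", "openid projects")
    op.register_user("zhang.wei", "correct horse battery")
    rp = ServicePlatform(op, "sci-platform-a", "s3cr3t", "https://a.example.invalid/cb")
    state = rp.start_login()
    redirect = op.authorize("sci-platform-a", rp.redirect_uri, state,
                            "zhang.wei", "correct horse battery", now)
    return op, rp, redirect, rp.handle_callback(redirect, now + 1)
```

Two properties of step A4 are worth checking in any real deployment: the code is consumed on its first presentation, so a replayed callback yields no second token, and the redirect_uri in the token request must equal both the one registered for the client and the one the code was issued to, so a code captured on a different redirect cannot be redeemed.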
1. The security policy and encryption technology of identity authentication are improved and the security of the science and technology management system is strengthened: unified identity authentication and user information management are built for the industry, making it convenient to apply stricter security policies and cryptography and reducing the security risk caused by decentralized management of user information; token integrity is guaranteed by JWT signatures (such as RS256/ES256), the leakage risk is reduced by short-lived access tokens combined with refresh tokens, token security is ensured and the overall security of the science and technology management system is improved. User login information is encrypted in transit and at rest using domestic national-standard cryptographic algorithms, so that the security of private data is guaranteed.
2. The science and technology management user permission model is rebuilt and mutual-trust authentication is integrated, eliminating system permission loopholes and improving application and data security: the role permissions of the various user groups are analyzed, a complete science and technology management user system is established, and a permission mechanism that can uniformly allocate function and data access on demand is formed. Meanwhile, on the basis of the science and technology management user architecture base, the OIDC framework is adopted to rebuild an efficient user authentication mechanism, so that on top of unified identity authentication and reverse authentication of the logged-in user, multi-terminal authentication services such as QR-code scan login and face authentication can be easily added while remaining compatible with conventional authentication modes.
3. Unified identity authentication is standardized across domestic and non-domestic platforms and integration complexity is reduced: the format and interaction flow of science and technology management user identity information are standardized through the OIDC protocol, which reduces the complexity of integrating the unified user authentication center with third-party systems. OIDC is a standard protocol, compatible with domestic and non-domestic platforms, with clear specifications, and every language has corresponding libraries implementing the client and server logic; for example, Java has Spring Security OAuth, Python has Authlib and Node.js has passport-oidc. The unified authentication center provides standard-compliant endpoints, such as the discovery document at /.well-known/openid-configuration, so that clients can configure themselves automatically and integration is simple. Each system no longer needs to implement user authentication logic of its own and only needs to integrate an OIDC client; the authentication logic is concentrated in the authentication center, which eases maintenance and upgrades, avoids repeated development and reduces system integration complexity.
4. Focus on full-lifecycle management of science and technology management user identities, improving security supervision and audit: the unified user authentication center of the industry, built on the OIDC framework, uses OIDC at every stage of the user identity lifecycle, such as registration, authentication, permission change and deregistration. For example, the OIDC identity federation mechanism integrates user registration of the existing science and technology management systems; when permissions change, OIDC claims are used to update user attributes dynamically, ensuring that permission changes take effect in real time. By establishing a unified user identity view, centralized management of user identity information is achieved, with functions such as unified identity lifecycle management and user self-service (password reset, modification of user information and the like). System scalability is improved to support identity management for tens of millions of research users and to extend horizontally to multi-country science and technology cooperation scenarios. Secure token issuance and verification through OIDC prevents token leakage and tampering and strengthens system security. The logging capability of OIDC, or integration with a third-party logging system, records every authentication event and token issuance in the science and technology management system with fine-grained filtering and statistics, meeting the high-sensitivity requirements of scientific research data and strengthening system security and compliance.
Drawings
FIG. 1 is a block diagram of the OIDC unified user authentication center in an embodiment of the present invention;
FIG. 2 is a flow chart of the OIDC authorization code flow in an embodiment of the present invention.
Detailed Description
The present invention will be described in further detail with reference to the accompanying drawings, in order to make the objects, technical solutions and advantages of the present invention more apparent. It should be understood that the detailed description is presented by way of example only and is not intended to limit the invention.
In this embodiment, the OIDC framework is adopted to construct a unified user authentication center for the science and technology management industry, suitable for user identity management, single sign-on (SSO), cross-domain authentication and permission control in the industry's multi-service scenario. The system and method solve the problems of cross-system and cross-platform identity management and authority control in science and technology management informatization, realize efficient and secure user identity management, strengthen system security, improve convenience, reduce the complexity of system integration and improve the management efficiency of the information systems.
OIDC aims to provide a standardized way to verify a user's identity and obtain their basic information. Unlike OAuth 2.0 alone, OIDC is concerned not only with authorization (allowing an application to access the user's resources on other services) but also with authentication, that is, confirming who you are. To that end OIDC introduces the ID Token, a JSON Web Token (JWT) carrying user identity claims, so that an application can be sure of who is accessing it and not merely of what may be accessed. OpenID Connect serves as an identity layer on top of OAuth 2.0 and, through its standardized flows and strong security properties, effectively solves the complex challenge of user identity verification in modern network environments.
Compared with OAuth 2.0: OIDC builds an identity authentication layer on top of the OAuth 2.0 protocol and thereby realizes both authentication and authorization. Whereas OAuth 2.0 provides only authorization, focusing on permission management for resource access, OIDC adds an identity verification function on that basis and can provide user identity information, which makes it the more appropriate choice for a unified identity authentication center and avoids having to build an additional identity verification mechanism when using OAuth 2.0 alone. OIDC also simplifies identity-related operations: it defines a standard identity token format and flow, so that user identity information is obtained and verified in a simpler, standardized way and developers can handle authentication logic more easily.
Compared with SAML: OIDC is based on modern Web technologies such as OAuth 2.0 and JSON and is better suited to the development of modern Web and mobile applications. OIDC implementations are typically lighter weight and relatively simple to configure and use, allow more flexible customization of the authentication flow, and adapt better to changing application scenarios and business requirements. For mobile application authentication scenarios in particular, OIDC combines better with the characteristics of mobile platforms and so offers a friendlier user experience and a more convenient integration mode.
Compared with Kerberos: OIDC is based on open Internet standards, better supports cross-platform and cross-network identity authentication, and suits integration across many different environments and systems. OIDC is also easier and more natural to integrate with cloud services, which matters as cloud computing becomes widespread; many cloud platforms support OIDC, making unified identity authentication more convenient to realize in a cloud environment.
Compared with WS-Federation: OIDC, with its concise design and JSON-based interaction, is easier for developers to understand and use. OIDC is widely supported by many open-source frameworks and commercial products, with richer community resources and technical documentation to draw on. OIDC also fits the RESTful architecture better: in the RESTful application development that is popular today, OIDC's HTTP- and JSON-based interfaces match RESTful-style interfaces closely, so REST-based identity authentication and authorization flows can be implemented conveniently.
As shown in fig. 1, in this embodiment the OIDC framework is adopted to construct a unified user authentication center for the science and technology management industry: a science and technology management user information base is established, the related functions of each service platform in the industry are upgraded, and the system interfaces of each service platform are adjusted and connected, so that the unified identity authentication center is applied uniformly. This comprises the following four parts:
1. Integrate user data sources and construct a unified science and technology management user information base, realizing centralized management and dynamic synchronization of identity information across systems and platforms
The science and technology management industry has many institutions and systems, each maintaining its own user data, which makes cooperation difficult. To manage the user data of the different systems centrally, so that every application can use the same user information and data islands are avoided, a unified user information base must be constructed.
The data sources of each science and technology management system are integrated; each user is assigned a globally unique sub (Subject Identifier) to achieve aggregation and standardization of user data; dynamic claims (Claims) management is realized through a claims extension mechanism and real-time claims injection; and user information synchronization and lifecycle linkage are completed by an event-driven synchronization and automation policy engine.
The content of the science and technology management user information base mainly comprises a client login configuration table, a login log record table, a client registration information table, a user and client relationship table, a unit information table, a role information table, a user information table and a user unit relationship table.
(1) The client login configuration table mainly stores relevant information such as client id, creation time, client login url, client login verification mode and the like.
(2) The login log record table mainly stores relevant information such as the login account, login IP address, login time, login state, login error information and the like.
(3) The client registration information table mainly stores relevant information such as client id, client authorization starting time, client secret key, client authentication mode, authorization range and the like.
(4) The user and client relationship table mainly stores relevant information such as client id, user id, creation time, user type, and the like.
(5) The unit information table mainly stores unit related information such as unit names, unit numbers, unit addresses, legal names, and the like.
(6) The role information table mainly stores related information such as role names, role numbers, role types and the like.
(7) The user information table mainly stores user related information such as user name, user number, user account number, user password ciphertext, certificate number and the like.
(8) The user unit relation table mainly stores related information such as user id, unit id and the like.
2. Construct the OIDC unified user authentication center of the science and technology management industry and realize closed-loop management of the full flow from identity authentication to audit tracing
The function services of the science and technology management industry OIDC unified user authentication center are constructed, realizing user identity authentication, dynamic authorization management, token lifecycle management, user information full lifecycle management, Single Sign On (SSO), security audit and log recording, and other functions.
2.1 User identity authentication service
Unified identity verification based on the OIDC protocol is realized, supporting the multi-level security policies and compliance requirements of the science and technology industry; the identity information of science and technology management users is verified to ensure that each user is a legitimate visitor. Users can log in to and access the science and technology management system in several ways, such as user name and password login, social account login (for example third-party account login via WeChat, Alipay and the like), multi-factor authentication, and so on.
2.2 Dynamic authorization management
Access control is based on roles, realizing fine-grained authority control and supporting dynamic role allocation and privilege elevation for scientific research projects. This includes defining which applications, services or data a user can access and which operations the user can perform on those resources. The authority model is fused using an RBAC+ABAC hybrid model; dynamic authorization is realized through technical means such as dynamic claims (Claims) injection, and the authority revocation mechanism is realized through real-time token revocation.
2.3 Token lifecycle management
Token lifecycle management refers to generating, issuing and verifying access tokens and identity tokens (id tokens), guaranteeing token security, preventing leakage and abuse, and meeting the high security requirements of the science and technology management scenario. These tokens authorize the user to access protected resources after the user has been authenticated successfully. After successful authentication and authorization, the authentication center generates an access token and an identity token; the tokens contain user information and other related claims, carry a digital signature specific to the science and technology management industry, and have a defined validity period, which ensures their authenticity and integrity.
2.4 User information full lifecycle management
Full lifecycle management of user information realizes centralized storage, dynamic synchronization and compliance management of science and technology management user data. The system adopts a unified user storage architecture to store and manage basic user information such as user names, passwords, email addresses and mobile phone numbers; uses data structures and table designs specific to the science and technology management industry to ensure data integrity and consistency; drives synchronization with the SCIM protocol so that data is updated synchronously when user information changes; and desensitizes sensitive data through claims and access control and JWE-encrypted transmission. It also manages the users' roles, authorities, authentication history and other information.
2.5 Single sign-on (SSO)
Single sign-on (SSO) enables seamless login across the science and technology management systems and improves collaboration efficiency. Through SSO token passing and SSO session management, a science and technology management user who has logged in to one application once can access resources in the other applications integrated with the authentication center without logging in again.
2.6 Security audit and Log recording
Security audit and log recording realize full-link traceability of operations and meet the compliance audit requirements of the science and technology industry. The user's authentication and authorization activities are recorded in logs for security audit and fault investigation, including the user's login time, login location, accessed resources, operation behaviour and other information. The logs are audited regularly to check for abnormal activity or security vulnerabilities. A risk rule engine and an audit data visualization dashboard are built to realize real-time monitoring and alerting for the identity authentication management of system users.
The above are the primary functions of the science and technology management industry OIDC unified user authentication center. In practical application they are adjusted and extended according to specific requirements and scenarios. To ensure the security and reliability of the authentication center, a series of security measures is adopted, such as encrypted communication, SQL injection prevention and cross-site scripting prevention.
3. Upgrade the related functions of each service platform system in the science and technology management industry, complete the docking with the OIDC unified user authentication service, and realize safe, efficient and compliant unified identity management
Service platforms such as the science and technology management industry public service platform, the special management platform and the national science and technology library expert system are upgraded and connected to the OIDC (OpenID Connect) unified user authentication service. This covers the preliminary preparation for upgrading the science and technology management systems and the docking of the user authentication, user information, token verification, Single Sign On (SSO) and other function services.
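The risk rule engine described above is not specified further on the page. As an added illustration (not code from the patent), the following Python evaluates two typical rules over constructed records shaped like the login log record table of section 1: a burst of failed logins from one IP inside a sliding window, and a successful login from an IP the account has never used before. The account names, IP addresses and timestamps are all made up for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records (not from the page) in the shape of the login log record table:
# login account, login ip address, login time, login state, login error information.
SAMPLE_LOGIN_LOG = [
    {"account": "zhangsan", "ip": "10.0.0.5",     "time": "2025-01-10T09:00:00", "state": "SUCCESS", "error": ""},
    {"account": "lisi",     "ip": "203.0.113.9",  "time": "2025-01-10T09:01:00", "state": "FAIL",    "error": "bad password"},
    {"account": "lisi",     "ip": "203.0.113.9",  "time": "2025-01-10T09:01:10", "state": "FAIL",    "error": "bad password"},
    {"account": "lisi",     "ip": "203.0.113.9",  "time": "2025-01-10T09:01:20", "state": "FAIL",    "error": "bad password"},
    {"account": "lisi",     "ip": "203.0.113.9",  "time": "2025-01-10T09:01:30", "state": "FAIL",    "error": "bad password"},
    {"account": "lisi",     "ip": "203.0.113.9",  "time": "2025-01-10T09:01:40", "state": "FAIL",    "error": "bad password"},
    {"account": "lisi",     "ip": "203.0.113.9",  "time": "2025-01-10T09:01:50", "state": "FAIL",    "error": "bad password"},
    {"account": "zhangsan", "ip": "198.51.100.7", "time": "2025-01-10T09:30:00", "state": "SUCCESS", "error": ""},
    {"account": "wangwu",   "ip": "10.0.0.8",     "time": "2025-01-10T09:40:00", "state": "FAIL",    "error": "bad password"},
]

def detect_failure_bursts(records, threshold=5, window=timedelta(minutes=5)):
    """Rule 1: raise one alert when an IP accumulates `threshold` failed logins inside a sliding window."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    alerts = []
    for rec in sorted(records, key=lambda r: r["time"]):
        if rec["state"] != "FAIL":
            continue
        ts = datetime.fromisoformat(rec["time"])
        q = recent[rec["ip"]]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts.append({"rule": "login_failure_burst", "ip": rec["ip"], "count": len(q), "last_seen": rec["time"]})
            q.clear()   # one alert per burst; a fresh window starts afterwards
    return alerts

def detect_new_login_location(records):
    """Rule 2: flag a successful login from an IP the account has never logged in from before."""
    known = defaultdict(set)      # account -> IPs with at least one earlier successful login
    alerts = []
    for rec in sorted(records, key=lambda r: r["time"]):
        if rec["state"] != "SUCCESS":
            continue
        if known[rec["account"]] and rec["ip"] not in known[rec["account"]]:
            alerts.append({"rule": "new_login_location", "account": rec["account"], "ip": rec["ip"], "time": rec["time"]})
        known[rec["account"]].add(rec["ip"])
    return alerts

def run_rules(records):
    """Evaluate all rules; the returned list is what a dashboard or alerting channel would consume."""
    return detect_failure_bursts(records) + detect_new_login_location(records)
```

Both rules are deliberately stateless between runs; in a live engine the per-IP deque and the per-account IP set would be kept in a store keyed by IP or account so that a burst spanning two log batches is still caught.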
3.1 Preliminary preparation for upgrading the science and technology management systems
The existing systems are evaluated and a transformation plan is made, including cataloguing the existing authentication mechanisms, defining the docking scope and making a compatibility scheme. OIDC client registration is completed by registering the client with the OIDC Provider and configuring the key parameters.
(1) Cataloguing the existing authentication mechanisms:
List the current authentication modes (such as LDAP, SAML and local accounts) of each service platform (such as the public service platform, the special management platform, the national science and technology library expert system and the like) and evaluate their compatibility.
(2) Defining a docking range:
Determine the functional modules to be docked (such as login pages, API gateways and permission verification components).
(3) Making a compatibility scheme:
For older systems that do not support OIDC, protocol translation is performed through a reverse proxy or API gateway (e.g., OIDC-to-LDAP adapter).
3.2 User authentication function docking
When a user accesses a science and technology management system, the metadata of the OIDC unified user authentication service is discovered, the user is redirected to the authentication service to log in, and the callback from the authentication service is processed; this completes the docking of the user authentication function. The specific steps are as follows:
(1) OIDC unified user authentication service metadata discovery
Each science and technology management service platform needs to discover the metadata of the OIDC unified user authentication service, typically by requesting the authentication service's well-known endpoint to obtain the relevant configuration information. This endpoint provides important information about the authentication service, such as the authorization endpoint, token endpoint, user information endpoint and so on. For example, the special management platform can send an HTTP GET request to the authentication service's well-known endpoint (e.g., https://yourauthserver/.well-known/openid-configuration) and parse the returned JSON data to obtain the configuration parameters of the authentication service.
(2) Redirecting a user to an authentication service for login
When a science and technology management user needs to authenticate on a service platform, the service platform redirects the user to the authorization endpoint of the OIDC unified user authentication service. In the redirect the service platform passes the necessary parameters, such as the client ID, the requested authorization scope, the redirect URL and so on. For example, the service platform can build a URL similar to https://yourauthserver/oauth2/authorize?client_id=yourclientid&scope=openid profile email&redirect_uri=yourredirecturi and redirect the user's browser to it.
(3) Callback processing authentication service
After the user has logged in, the authentication service redirects the user back to the redirect URL specified by the service platform, carrying an authorization code or token. The service platform must be able to process this callback, extract the authorization code or token, and use it to obtain the user's identity information. For example, on receiving the callback request the service platform extracts the authorization code from the URL and then sends a request with this authorization code to the authentication service's token endpoint to obtain an access token and an identity token.
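The three steps of section 3.2 on the service platform side, as an added Python example that is not code from the patent or from the described platforms. It uses only the standard library, the placeholder host https://yourauthserver and client id yourclientid from the description, and a constructed discovery document; the redirect URI https://platform.example/cb is made up. It goes slightly beyond the text by adding the state, nonce and PKCE parameters that a relying party should send with the authorization request, and by checking state on the callback before the code is exchanged.

```python
import base64
import hashlib
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed discovery document (what the .well-known/openid-configuration endpoint would return).
DISCOVERY_JSON = json.dumps({
    "issuer": "https://yourauthserver",
    "authorization_endpoint": "https://yourauthserver/oauth2/authorize",
    "token_endpoint": "https://yourauthserver/oauth2/token",
    "userinfo_endpoint": "https://yourauthserver/userinfo",
    "jwks_uri": "https://yourauthserver/.well-known/jwks.json",
    "response_types_supported": ["code"],
    "code_challenge_methods_supported": ["S256"],
})

REQUIRED_METADATA = ("issuer", "authorization_endpoint", "token_endpoint", "userinfo_endpoint", "jwks_uri")

def parse_discovery(body: str) -> dict:
    """Step (1): parse the discovery response and refuse to proceed on missing or non-HTTPS endpoints."""
    meta = json.loads(body)
    missing = [k for k in REQUIRED_METADATA if k not in meta]
    if missing:
        raise ValueError(f"discovery document missing {missing}")
    for k in REQUIRED_METADATA:
        if k != "issuer" and not meta[k].startswith("https://"):
            raise ValueError(f"{k} must be an https URL")
    return meta

def build_authorization_request(meta: dict, client_id: str, redirect_uri: str, scope: str = "openid profile email"):
    """Step (2): build the redirect URL. state protects the callback against CSRF, nonce binds the
    ID token to this browser session, and PKCE (S256) binds the code to this client instance."""
    state = secrets.token_urlsafe(32)
    nonce = secrets.token_urlsafe(32)
    verifier = secrets.token_urlsafe(64)
    challenge = base64.urlsafe_b64encode(hashlib.sha256(verifier.encode()).digest()).rstrip(b"=").decode()
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "nonce": nonce,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    url = meta["authorization_endpoint"] + "?" + urlencode(params)
    # Kept server-side in the user's session until the callback arrives.
    session = {"state": state, "nonce": nonce, "code_verifier": verifier, "redirect_uri": redirect_uri}
    return url, session

def handle_callback(callback_url: str, session: dict, client_id: str, client_secret: str) -> dict:
    """Step (3): validate the callback and return the form body to POST to the token endpoint."""
    qs = parse_qs(urlparse(callback_url).query)
    if "error" in qs:
        raise PermissionError(f"authorization failed: {qs['error'][0]}")
    state = qs.get("state", [""])[0]
    if not state or not secrets.compare_digest(state, session["state"]):
        raise PermissionError("state mismatch: callback was not started by this session")
    code = qs.get("code", [""])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": session["redirect_uri"],   # must equal the value sent in step (2)
        "client_id": client_id,
        "client_secret": client_secret,
        "code_verifier": session["code_verifier"],
    }
```

The body returned by handle_callback is what the platform POSTs to meta["token_endpoint"]; the nonce kept in the session is compared against the nonce claim of the returned ID token before that token is trusted.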
3.3 User information acquisition function docking
Each service platform obtains user information with the access token, parses it and uses it within the platform, which completes the docking of the user information acquisition function. The specific implementation is as follows:
(1) Obtaining user information using an access token
After obtaining the access token, the service platform can use it to send a request to the user information endpoint of the OIDC unified user authentication service to obtain the user's details. User information is typically returned in JSON format and contains the user's ID, user name, email address, role and other information. For example, the service platform can send an HTTP GET request to the authentication service's user information endpoint (e.g., https://yourauthserver/userinfo) with the access token in the request's Authorization header (e.g., Authorization: Bearer youraccesstoken).
(2) Parsing user information and using in a service platform
After receiving the user information, the science and technology management service platform parses the JSON data and stores the user information in the platform's user session for use in subsequent business processing. For example, the service platform can store the user's ID, user name and other information in the user session object for use when a page displays user information or when making authorization decisions.
3.4 Token authentication function docking
The docking of each service platform's token verification function is realized by verifying the validity of the access token and handling token expiry and refresh. The specific implementation steps are as follows:
(1) Verifying validity of an access token
When a service platform receives a request carrying an access token, it must verify the token's validity. This can be done by sending the token to the token verification endpoint of the OIDC unified user authentication service, or by verifying the token's signature with the authentication service's public key. For example, the service platform can send an HTTP POST request to the authentication service's token verification endpoint (e.g., https://yourauthserver/oauth2/token/introspect) with the access token and the necessary parameters (e.g., client_id, client_secret, etc.) in the request body, and decide whether the token is valid from the authentication service's response.
(2) Processing token expiration and refresh:
If the access token has expired, the service platform must handle this and request a new access token from the authentication service using the refresh token. The service platform therefore stores the refresh token together with the user session and uses it to obtain a new access token when needed. For example, when the service platform detects that the access token has expired, it sends a request to the authentication service's token endpoint using the stored refresh token, with request parameters including grant_type=refresh_token, refresh_token=yourrefreshtoken, client_id=yourclientid, client_secret=yourclientsecret, etc., to obtain a new access token and refresh token.
3.5 Single Sign On (SSO) functional docking
Each service platform realizes Single Sign On (SSO) function docking by processing SSO tokens and participating in SSO session management. The specific implementation steps are as follows:
(1) Processing SSO tokens
If a service platform wishes to support single sign-on, it must be able to process the SSO tokens issued by the OIDC unified user authentication service. When a user logs in on a service platform integrated with the OIDC unified user authentication service, the authentication service can issue an SSO token, which can then be used on other service platforms integrated with the service to achieve single sign-on. For example, when the user is redirected from one service platform to another, the SSO token is carried along. The receiving service platform must be able to extract this token and send it to the authentication service for verification. If the token is valid, the user can access the receiving platform's resources without logging in again.
(2) Participation in SSO session management:
The service platform must participate in the SSO session management of the OIDC unified user authentication service. When a user logs out on one service platform, the authentication service must notify the other service platforms integrated with the OIDC unified user authentication service so that they can terminate the user's session, realizing single logout. For example, the service platform can subscribe to the authentication service's SSO event notifications; on receiving a notification that the user has logged out, it terminates the user's session on the platform, ensuring that the user cannot continue to access the platform's resources after logging out elsewhere.
By docking these function services, a service platform integrates with the OIDC unified user authentication service and provides users with safe, convenient and fast identity authentication and authorization services.
4. Comprehensively joint-debug the system interfaces of all service platforms in the science and technology management industry to ensure seamless cooperation between each service platform and the OIDC unified user authentication center
Joint debugging of the system interfaces of each business platform of the science and technology management industry, such as the special platform and the public service platform, comprises docking the client systems to the unified authentication platform and configuring the unified authentication platform's resource servers.
4.1 Docking client systems to the unified authentication platform
The unified authentication platform is constructed on the OIDC protocol standard and authorizes login to the systems. Before a client can use the unified authentication platform's authorized login, it must apply to the platform for and obtain its clientid and clientsecret; only then can the access flow start. The specific implementation flow is as follows:
(1) Select the Spring Boot version corresponding to the JDK version
(2) OAuth 2.0 client configuration file
(3) OAuth 2.0 client configuration class
(4) Interface provided to the front end
4.2 Unified authentication platform resource Server configuration
The unified authentication platform is constructed on the OIDC protocol standard and authorizes login to the systems. Before the unified authentication platform authorizes login access, the resource server must obtain the address of the authorization server; only then can the access flow start. The specific implementation flow is as follows:
(1) Add the dependencies
(2) Configuration class
(3) Each time a resource server interface is called, the front end first requests the client's interface for acquiring the accessToken
(4) After the accessToken is acquired, call the resource server interface carrying the accessToken.
In this embodiment, as shown in fig. 2, the whole interaction flow in which a science and technology management user accesses a resource service through the unified user authentication center is realized with the OIDC authorization code mode. The authorization code mode provides secure user authentication and authorization for the science and technology management industry, ensures that only authorized users can access the industry's protected resources, and at the same time ensures the security and legitimacy of communication between the resource service and the authentication center. The whole process comprises eight stages: the user accesses a resource, the authorization code request is built, the token acquisition request is built, the token is issued, the resource is requested with the token, the token is checked, the check succeeds, and the resource is returned:
1. The user accesses a resource
(1) The science and technology management user initiates an access request to science and technology management industry resource A or resource B from the client (browser).
(2) After the resource service (assume resource A) receives the request, it checks the user's login status and authorization status. Because the user is neither logged in nor authorized, resource A decides to initiate the authorization procedure.
(3) Resource A constructs a redirect URL and redirects the user's browser to the unified login page of the science and technology management industry's unified authentication center. The redirect URL contains key parameters such as response_type=code, indicating that an authorization-code response is requested, client_id, identifying the specific client (resource A) requesting authorization, and possibly a scope parameter specifying the requested authorization scope.
2. Building the authorization code request
(1) After the user's browser has been redirected to the unified login page of the unified authentication center, the user enters login information such as user name and password on the page.
(2) After receiving the user's login information, the authentication center performs identity verification against the science and technology management user information stored centrally in the authentication center. The verification may include checking that the user name and password are correct, checking whether the user is locked, and so on.
(3) If the user's identity is verified, the authentication center generates an authorization code (code). The authorization code is single-use and has a short validity period, which secures the authorization procedure.
(4) The authentication center redirects the user back to the redirect_uri pre-registered by resource A, carrying the generated authorization code in the redirect URL, i.e. redirect_uri?code=xxxx. At the same time the authentication center records the user's login state in the unified authentication center for use in subsequent authorization and authentication.
3. Building the token acquisition request
(1) After resource A's server receives the callback request carrying the authorization code, it extracts the authorization code from the URL.
(2) Resource A constructs the token acquisition request using the client_secret (secret information obtained when resource A registered with the authentication center, which strengthens security and prevents malicious use of the authorization code), the redirect_uri (identical to the one previously sent to the authentication center, used to verify the validity of the callback), the client_id (identifying resource A), the authorization code, and so on.
(3) Resource A sends this request to the token endpoint of the unified authentication center.
4. Issuing the token
(1) After the authentication center receives resource A's token acquisition request, it first checks the client_id, redirect_uri, client_secret and other information in the request to ensure that the request comes from a legitimate client and that the callback address is correct.
(2) The authentication center checks the validity of the authorization code, including whether it has already been used, whether it has expired, and so on.
(3) If the information checks out and the authorization code is valid, the authentication center issues an access token and possibly other tokens, such as a refresh token, depending on the requested authorization scope and other factors.
(4) The authentication center returns these tokens to resource A's server.
5. Requesting the resource with the token
(1) The user's client (browser) carries the access token obtained in the previous step in subsequent requests to resource A. The token is typically placed in the request's Authorization header, e.g. Authorization: Bearer <access token>.
(2) The user's client initiates a resource request to resource a.
6. Checking the token
(1) After receiving the user's request, resource A's server extracts the access token from the request.
(2) Resource A sends the token to the authentication center for verification. The checks may cover the token's validity (whether it has expired, been revoked, etc.), its legitimacy (whether it was issued by the authentication center, whether it has been tampered with, etc.), and whether the authorization scope matches the currently requested resource.
7. The check succeeds
If the verification result returned by the authentication center indicates that the token is valid and legitimate and that its authorization scope satisfies the current request, resource A considers that the user has the right to access the requested resource.
8. Returning the resource
(1) Resource A's server obtains the resource content requested by the user from its own store.
(2) Resource A returns the resource content to the user's client (browser), where the user can view or use the resource.
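The checks that stages 2, 4 and 6 place on the authentication center, and stages 5 to 8 on resource A, as an added Python example that is not code from the patent. The AuthorizationServer class stands in for the unified authentication center: authorize() mints a single-use, short-lived code bound to the registered client, redirect_uri and scope; token() performs the stage-4 checks (client_secret, redirect_uri, code unused and unexpired) before issuing a short-lived access token; introspect() answers the stage-6 check and honours revocation. serve_resource() is resource A. The client registration, secret, redirect URI and user ids are constructed; the code and token lifetimes are assumptions, not values from the page.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL = 60          # assumed: seconds an authorization code stays valid, one use only
ACCESS_TTL = 900       # assumed: short-lived access tokens, as the description recommends

def _sha256(s: str) -> str:
    return hashlib.sha256(s.encode()).hexdigest()

# Constructed client registration (stands in for the client registration information table).
CLIENTS = {
    "resource-a": {
        "secret_hash": _sha256("resource-a-secret"),          # store a hash, never the secret itself
        "redirect_uris": {"https://resource-a.example/callback"},
        "scopes": {"openid", "profile"},
    }
}

class AuthorizationServer:
    """Minimal authorization-code state for the unified authentication center."""

    def __init__(self, clients=CLIENTS):
        self.clients = clients
        self.codes = {}            # code -> record
        self.access_tokens = {}    # token -> record

    def authorize(self, client_id, redirect_uri, scope, sub, now=None):
        """Stage 2: the user is already authenticated; mint a one-time code bound to client, redirect_uri, scope."""
        now = time.time() if now is None else now
        client = self.clients.get(client_id)
        if client is None or redirect_uri not in client["redirect_uris"]:
            raise PermissionError("unknown client or unregistered redirect_uri")   # never send a code elsewhere
        requested = set(scope.split())
        if not requested <= client["scopes"]:
            raise PermissionError("scope exceeds what the client registered")
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri, "scope": requested,
                            "sub": sub, "expires": now + CODE_TTL, "used": False}
        return f"{redirect_uri}?code={code}"

    def token(self, form, now=None):
        """Stage 4: verify client_id/client_secret, redirect_uri and the code before issuing tokens."""
        now = time.time() if now is None else now
        client = self.clients.get(form.get("client_id"))
        if client is None or not hmac.compare_digest(_sha256(form.get("client_secret", "")), client["secret_hash"]):
            return {"error": "invalid_client"}
        code = form.get("code", "")
        rec = self.codes.get(code)
        if rec is None or rec["client_id"] != form["client_id"] or rec["redirect_uri"] != form.get("redirect_uri"):
            return {"error": "invalid_grant"}
        if rec["used"] or rec["expires"] <= now:
            self.codes.pop(code, None)     # a replayed or stale code is discarded, not honoured
            return {"error": "invalid_grant"}
        rec["used"] = True
        access = secrets.token_urlsafe(32)
        self.access_tokens[access] = {"sub": rec["sub"], "client_id": rec["client_id"], "scope": rec["scope"],
                                      "expires": now + ACCESS_TTL, "revoked": False}
        return {"access_token": access, "token_type": "Bearer", "expires_in": ACCESS_TTL,
                "scope": " ".join(sorted(rec["scope"]))}

    def introspect(self, token, now=None):
        """Stage 6: the center answers the resource server's check (RFC 7662 style response)."""
        now = time.time() if now is None else now
        rec = self.access_tokens.get(token)
        if rec is None or rec["revoked"] or rec["expires"] <= now:
            return {"active": False}
        return {"active": True, "sub": rec["sub"], "client_id": rec["client_id"], "scope": " ".join(sorted(rec["scope"]))}

    def revoke(self, token):
        """Real-time token revocation as named in section 2.2."""
        if token in self.access_tokens:
            self.access_tokens[token]["revoked"] = True


def serve_resource(auth_server, authorization_header, required_scope, now=None):
    """Stages 5 to 8 on resource A: extract the bearer token, check it with the center, then return the resource."""
    if not authorization_header or not authorization_header.startswith("Bearer "):
        return 401, None
    info = auth_server.introspect(authorization_header[len("Bearer "):], now=now)
    if not info["active"]:
        return 401, None                       # invalid, expired or revoked token
    if required_scope not in info["scope"].split():
        return 403, None                       # valid token, but not authorized for this resource
    return 200, {"owner": info["sub"], "data": "resource A content (constructed)"}
```

The `now` parameter on every method exists so the expiry paths can be exercised deterministically; a deployment would drop it and read the clock.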
By adopting the technical scheme disclosed by the invention, the following beneficial effects are obtained:
The invention provides an implementation method for constructing a unified user authentication center based on the OIDC framework. It upgrades the security policy and encryption technology of identity authentication and enhances the security of the science and technology management system: constructing unified identity authentication and user information management for the science and technology management industry makes it easy to adopt stricter security policies and encryption technology, reduces the security risk caused by decentralized management of user information, ensures the integrity of the Token through a JWT signature (such as RS256/ES256), reduces the risk of Token leakage through short-lived Tokens and Refresh Tokens, and thereby secures the Token and improves the security of the whole science and technology management system. User login information is encrypted in transmission and storage by introducing national cryptographic technology, which protects private data. By integrating the reconstruction of the science and technology management user authority model with mutual-trust authentication, authority loopholes in the systems are eliminated and application and data security are improved; the role authorities of the various user groups are analysed, a complete science and technology management user system is established, and an authority mechanism that uniformly allocates function and data access on demand is formed. At the same time, on the basis of the science and technology management user architecture base, the new OIDC technology framework is adopted to rebuild an efficient user authentication mechanism, so that, on the basis of unified identity authentication and reverse authentication of the logged-in user, multi-terminal authentication services such as scan-to-login and face authentication can be added easily while remaining compatible with the conventional authentication mode.
Unified identity authentication standardization across domestic and non-domestic platforms is realized and integration complexity is reduced: the format and interaction flow of science and technology management user identity information are standardized through the OIDC protocol, which reduces the complexity of integrating the unified user authentication center with third-party systems. OIDC is a standard protocol, compatible with domestic and non-domestic platforms, with a clear specification, and every language has a corresponding library implementing the client and server logic: for example Java has Spring Security OAuth, Python has Authlib, Node.js has passport-oidc, and so on. The unified authentication center provides standard-compliant endpoints such as the discovery document (/.well-known/openid-configuration), so that clients can be configured automatically and integration is simple. Each system no longer needs to implement its own user authentication logic and only needs to integrate an OIDC client. Authentication logic is concentrated in the authentication center, which eases maintenance and upgrades, avoids repeated development, and reduces system integration complexity. Focusing on full lifecycle management of the science and technology management user identity improves security supervision and audit: the science and technology management industry unified user authentication center constructed with the OIDC framework plays a special role in the links of full lifecycle management such as user registration, authentication, permission change and cancellation. For example, the OIDC identity federation mechanism is used to integrate user registration from the existing science and technology management systems.
When authorities change, the OIDC Claims are used to update user attributes dynamically, ensuring that authority changes take effect in real time. By establishing a unified user identity view, centralized management of user identity information is realized, and functions such as unified user identity lifecycle management and user self-service (such as password reset and user information modification) are provided. System scalability is improved: identity management for tens of millions of scientific research users is supported, and the system can be extended horizontally to multi-country science and technology cooperation scenarios. Secure token issuance and verification through OIDC prevents token leakage and tampering and strengthens system security. The logging function of OIDC, or integration with a third-party log system, can record all authentication events and token issuance of the science and technology management systems, achieving fine-grained audit, meeting the high-sensitivity requirements of scientific research data, and strengthening system security and compliance.
The foregoing is merely a preferred embodiment of the present invention; it should be noted that those skilled in the art may make modifications and adaptations without departing from the principles of the present invention, and these are also intended to be covered by the present invention.

Claims (10)

1. A method for implementing a unified user authentication center built on the OIDC framework, characterized in that it comprises the following steps:
S1. integrating user data sources and constructing a unified science and technology management user information base;
S2. constructing a unified user authentication center for the science and technology management industry, wherein the unified user authentication center implements user identity authentication, dynamic authorization management, token life cycle management, whole-life-cycle management of user information, single sign-on, and security audit and logging functions;
S3. upgrading the relevant functions of each business platform system of the science and technology management industry, completing the docking of the OIDC unified user authentication service and realizing unified identity management, including preparation before the upgrade of the science and technology management systems and docking of the user authentication, user information, token verification and single sign-on function services;
S4. comprehensively coordinating the system interfaces of each business platform of the science and technology management industry to ensure seamless cooperation between each business platform and the OIDC unified user authentication center.

2. The method according to claim 1, characterized in that the science and technology management user information base comprises a client login configuration table, a login log record table, a client registration information table, a user-client relationship table, a unit information table, a role information table, a user information table and a user-unit relationship table;
the client login configuration table stores the client id, creation time, client login URL and client login verification method;
the login log record table stores the login account, login IP address, login time, login status and login error information;
the client registration information table stores the client id, client authorization start time, client secret, client authentication method and authorization scope;
the user-client relationship table stores the client id, user id, creation time and user type;
the unit information table stores the unit name, unit number, unit address and name of the legal representative;
the role information table stores the role name, role number and role type;
the user information table stores the user name, user number, user account, user password ciphertext and identity document number;
the user-unit relationship table stores the user id and unit id.

3. The method according to claim 1, characterized in that:
the user identity authentication service implements unified identity verification based on the OIDC protocol, supports multi-level security policies and the compliance requirements of the science and technology industry, verifies the identity information of science and technology management users, and ensures that a user is a legitimate visitor;
dynamic authorization management implements fine-grained permission control on the basis of role-based access control, supporting dynamic role assignment and permission elevation and reduction for research projects; it includes defining which applications, services or data a user may access and which operations the user may perform on those resources; permission models are fused by adopting an RBAC + ABAC hybrid model, dynamic authorization is realized by injecting dynamic claims, and permission revocation is realized by real-time token revocation;
token life cycle management refers to generating, issuing and verifying access tokens and identity tokens, protecting the tokens against leakage and abuse, and meeting the high security requirements of science and technology management scenarios; the tokens are used to authorize a user to access protected resources after successful authentication; once a user is authenticated and authorized, the unified user authentication center generates an access token and an identity token, which contain user information and other relevant claims digitally signed specifically for the science and technology management industry and have a fixed validity period, ensuring the authenticity and integrity of the tokens;
whole-life-cycle management of user information realizes centralized storage, dynamic synchronization and compliance governance of science and technology management user data; a unified user storage architecture stores and manages basic user information, using data structures and table designs specific to the science and technology management industry to ensure data integrity and consistency; synchronization is driven by the SCIM protocol so that data is synchronized whenever user information is updated; sensitive data is desensitized through claims, access control and JWE-encrypted transmission; and the user's roles, permissions and authentication history are managed at the same time;
single sign-on means that, through SSO token passing and SSO session management, a science and technology management user who logs in once in one application can access resources in other applications integrated with the unified user authentication center without logging in again;
security audit and logging means recording the user's authentication and authorization activities in logs for security audit and troubleshooting, periodically auditing the logs for abnormal activity or security vulnerabilities, and building a risk rule engine and an audit data visualization dashboard to realize real-time monitoring and alerting of system user identity authentication management.

4. The method according to claim 1, characterized in that:
the preparation before the upgrade of the science and technology management systems consists of evaluating the existing systems and planning their transformation, including sorting out the existing authentication mechanisms, defining the docking scope and formulating a compatibility plan, and completing OIDC client registration by registering a client with the OIDC Provider and configuring the key parameters;
docking of the user authentication function consists of, when a user accesses a science and technology management system, discovering the OIDC unified user authentication service metadata, redirecting the user to the authentication service to log in, and handling the callback from the authentication service;
docking of the user information acquisition function consists of each business platform obtaining user information with the access token, parsing it and using it within the business platform;
docking of the token verification function consists of verifying the validity of the access token and handling token expiration and refresh on each business platform;
docking of the single sign-on function consists of each business platform handling SSO tokens and participating in SSO session management.

5. The method according to claim 4, characterized in that, in the preparation before the upgrade of the science and technology management systems:
sorting out the existing authentication mechanisms consists of listing the current authentication method of each business platform;
defining the docking scope consists of determining the functional modules that need to be docked;
formulating a compatibility plan consists of performing protocol conversion through a reverse proxy or API gateway for legacy systems that do not support OIDC.

6. The method according to claim 4, characterized in that docking of the user authentication function comprises:
discovering the OIDC unified user authentication service metadata, in which each science and technology management business platform must be able to discover the metadata of the OIDC unified user authentication service and obtain the relevant configuration information from the authentication service's well-known endpoint;
redirecting the user to the authentication service to log in, in which, when a science and technology management user needs to authenticate on the business platform, the business platform redirects the user to the authorization endpoint of the OIDC unified user authentication service;
handling the callback from the authentication service, in which, after the user completes login, the authentication service redirects the user back to the redirect URL specified by the business platform, carrying an authorization code or token, and the business platform must handle this callback, extract the authorization code or token, and use it to obtain the user's identity information.

7. The method according to claim 4, characterized in that, in docking of the user information acquisition function:
obtaining user information with the access token consists of the business platform, after obtaining the access token, using it to send a request to the user information endpoint of the OIDC unified user authentication service;
parsing the user information and using it within the business platform consists of the science and technology management business platform parsing the received user information and storing it in the business platform's user session for use in subsequent business processing.

8. The method according to claim 4, characterized in that, in docking of the token verification function:
verifying the validity of the access token consists of the business platform, on receiving a request carrying an access token, verifying that token's validity either by sending it to the token verification endpoint of the OIDC unified user authentication service or by verifying the token's signature with the public key;
handling token expiration and refresh consists of the business platform, when the access token has expired, using the refresh token to request a new access token from the authentication service; the business platform stores the refresh token together with the user session and uses it to obtain a new access token when needed.

9. The method according to claim 4, characterized in that, in docking of the single sign-on function:
handling SSO tokens consists of a business platform that wishes to support single sign-on being able to handle the SSO token issued by the OIDC unified user authentication service: when a user logs in on one business platform integrated with the OIDC unified user authentication service, the authentication service issues an SSO token that can be used on other business platforms integrated with the service, realizing single sign-on;
participating in SSO session management consists of the business platform taking part in the SSO session management of the OIDC unified user authentication service: when a user logs out on one business platform, the authentication service notifies the other business platforms integrated with the service so that they also terminate the user's session, realizing single logout.

10. The method according to any one of claims 1 to 9, characterized in that the process by which a science and technology management user accesses a resource service through the unified user authentication center is as follows:
A1. the user accesses a resource: the science and technology management user initiates, from the client, an access request to a resource service of the science and technology management industry; on receiving the request, the resource service checks the user's login status and authorization status, and if the user is neither logged in nor authorized, the resource service starts the authorization process; the resource service constructs a redirect URL and redirects the user's client to the unified login page of the authentication center within the science and technology management industry unified authentication center;
A2. constructing the authorization code request: the user enters login information on the unified login page; on receiving it, the authentication center verifies the user's identity against the science and technology management user information base of the unified user authentication center; once verification passes, the authentication center generates a one-time authorization code, redirects the user back to the redirect_uri pre-registered by the resource service, carrying the generated authorization code in the redirect URL, and at the same time records the user's login status in the unified user authentication center;
A3. constructing the token request: on receiving the callback request carrying the authorization code, the resource service's server extracts the authorization code from the URL; the resource service builds a token request from the client_secret, redirect_uri, client_id and authorization code and sends it to the token endpoint of the authentication center within the unified user authentication center;
A4. issuing the token: on receiving the resource service's token request, the authentication center first checks the client_id, redirect_uri and client_secret in the request to ensure that the request comes from a legitimate client and that the callback address is correct, and checks the validity of the authorization code; if the information is correct and the authorization code is valid, the authentication center issues an access token, and possibly other tokens, according to the requested authorization scope and returns these tokens to the resource service's server;
A5. requesting the resource with the token: in subsequent requests to the resource service, the user's client carries the obtained access token when initiating a resource request;
A6. verifying the token: on receiving the user's request, the resource service's server first extracts the access token from the request and sends it to the authentication center for verification;
A7. verification succeeds: if the verification result returned by the authentication center shows that the access token is valid and legitimate and the authorization scope satisfies the current request, the resource service considers the user authorized to access the requested resource;
A8. the resource service's server retrieves the requested resource content from its own storage and returns it to the user's client, and the user can view or use the resource content in the browser.
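As an added example that is not part of the patent, the following stdlib-only Python model shows the authentication center's token endpoint checks of steps A3/A4 (client_id, client_secret, redirect_uri and one-time authorization code) and the verification of steps A6/A7 via the token verification endpoint route of claim 8. The client name, secret, redirect URL and user id are constructed values, and the in-memory stores are hypothetical stand-ins for the tables of claim 2.

```python
"""Added example, not code from the patent: a minimal stdlib-only model of the
authentication center's token endpoint (claim 10, steps A3/A4) and token
verification (steps A6/A7, claim 8). Client, user and URL values are constructed."""
import hmac
import secrets
import time

# Constructed registered client, standing in for the client registration table of claim 2.
CLIENTS = {
    "sci-platform": {
        "secret": "constructed-client-secret",
        "redirect_uri": "https://platform.example/callback",
    }
}
_codes = {}    # one-time authorization codes: code -> record
_tokens = {}   # issued access tokens: token -> record
CODE_TTL = 60      # seconds an authorization code stays valid
TOKEN_TTL = 900    # seconds an access token stays valid


def issue_code(client_id, redirect_uri, user_id, scope, now=None):
    """A2: after the user authenticates, mint a one-time code bound to the
    client, its redirect_uri and the granted scope."""
    now = time.time() if now is None else now
    code = secrets.token_urlsafe(32)
    _codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                    "sub": user_id, "scope": set(scope),
                    "exp": now + CODE_TTL, "used": False}
    return code


def token_endpoint(req, now=None):
    """A4: check client_id/client_secret, redirect_uri and the code before
    issuing an access token; a code may be redeemed only once."""
    now = time.time() if now is None else now
    client = CLIENTS.get(req.get("client_id"))
    # constant-time comparison so the secret check does not leak timing
    if client is None or not hmac.compare_digest(client["secret"], req.get("client_secret", "")):
        return {"error": "invalid_client"}
    rec = _codes.get(req.get("code"))
    if rec is None or rec["used"] or rec["exp"] < now:
        return {"error": "invalid_grant"}
    if rec["client_id"] != req["client_id"] or rec["redirect_uri"] != req.get("redirect_uri"):
        return {"error": "invalid_grant"}
    rec["used"] = True  # burn the code: a replayed code must fail
    token = secrets.token_urlsafe(32)
    _tokens[token] = {"sub": rec["sub"], "client_id": rec["client_id"],
                      "scope": rec["scope"], "exp": now + TOKEN_TTL, "revoked": False}
    return {"access_token": token, "token_type": "Bearer",
            "expires_in": TOKEN_TTL, "scope": " ".join(sorted(rec["scope"]))}


def introspect(token, now=None):
    """A6: the resource service sends the token back to the center for verification."""
    now = time.time() if now is None else now
    rec = _tokens.get(token)
    if rec is None or rec["revoked"] or rec["exp"] < now:
        return {"active": False}
    return {"active": True, "sub": rec["sub"], "client_id": rec["client_id"],
            "scope": " ".join(sorted(rec["scope"])), "exp": int(rec["exp"])}


def revoke(token):
    """Claim 3: real-time revocation takes effect on the next verification."""
    if token in _tokens:
        _tokens[token]["revoked"] = True


def resource_allows(token, required_scope, now=None):
    """A7: grant access only when the token is active and its scope covers the request."""
    info = introspect(token, now)
    return info["active"] and required_scope in info["scope"].split()


if __name__ == "__main__":
    code = issue_code("sci-platform", CLIENTS["sci-platform"]["redirect_uri"],
                      "user-42", ["openid", "project:read"])
    resp = token_endpoint({"client_id": "sci-platform",
                           "client_secret": "constructed-client-secret",
                           "redirect_uri": CLIENTS["sci-platform"]["redirect_uri"],
                           "code": code})
    print(resp)
    print(resource_allows(resp["access_token"], "project:read"))   # True
    print(resource_allows(resp["access_token"], "project:write"))  # False
```

A production center would additionally bind the code to a PKCE verifier and persist the stores, but the checks above are the ones steps A4 and A7 require.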
CN202510821631.8A 2025-06-19 2025-06-19 Implementation method for constructing unified user authentication center based on OIDC framework Pending CN120354390A (en)


Publications (1)

Publication Number Publication Date
CN120354390A true CN120354390A (en) 2025-07-22

Family

ID=96405101


Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN120602221A (en) * 2025-08-01 2025-09-05 苏州元脑智能科技有限公司 Single sign-on method, system and storage medium

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN201118607Y (en) * 2007-11-19 2008-09-17 上海久隆电力科技有限公司 Uniform identity authentication platform system
CN107852417A (en) * 2016-05-11 2018-03-27 甲骨文国际公司 Multi-tenant identity and data security management cloud service
CN115941249A (en) * 2022-10-16 2023-04-07 中电万维信息技术有限责任公司 Multi-tenant authentication method based on OIDC and OAuth authorization code modes
CN118802549A (en) * 2024-04-26 2024-10-18 中国移动通信集团设计院有限公司 Optimization method and device of authentication and authorization system
CN118827224A (en) * 2024-08-07 2024-10-22 中国科学院计算机网络信息中心 A unified authentication and authorization architecture for the open science community
CN119337342A (en) * 2024-10-28 2025-01-21 启明信息技术股份有限公司 A centralized authority management system and method for enterprise applications
CN119484033A (en) * 2024-10-23 2025-02-18 紫光云技术有限公司 A multi-mode unified identity authentication method based on OAuth2.0 technology


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination