CN110324276A - A kind of method, system, terminal and electronic equipment logging in application - Google Patents

Info

Publication number: CN110324276A
Authority: CN (China)
Application number: CN201810266079.0A
Other languages: Chinese (zh)
Other versions: CN110324276B (en)
Inventors: 林伟, 王波, 王锐, 朱青蓥, 阮闪闪
Current assignee: Tencent Technology Shenzhen Co Ltd
Original assignee: Tencent Technology Shenzhen Co Ltd
Legal status: Granted (active)
Prior art keywords: application, information, sent, user, access token

Classifications

    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L9/3213 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, involving a third party or a trusted authority, using tickets or tokens, e.g. Kerberos

Abstract

The invention discloses a method, system, terminal and electronic equipment for logging in to an application, belonging to the field of information security technology. The method includes: after a first application running in a terminal obtains a license confirmation indicating that the user allows a second application to be logged in using the subscriber identity information of the first application, the first application sends to a certificate server (the authentication server) an authentication request carrying authenticated encryption information of the identification information of the second application; when the authentication result returned by the certificate server shows that the second application is legitimate, the first application obtains an access token from the service server of the first application and sends the obtained access token to the second application, so that the second application can use the access token to obtain the user's business data from the service server and the user can use that business data while carrying out the business of the second application. Because the invention transmits data in encrypted form, information is not stolen in transit, which ensures the security of the data the user has recorded on the service server.

Description

A kind of method, system, terminal and electronic equipment logging in application
Technical field
The present invention relates to the field of information security technology, and more particularly to a method, system, terminal and electronic equipment for logging in to an application.
Background technique
As CRM software becomes widespread and the number of users of applications with customer-management functions grows, users of such applications and other third-party companies are no longer satisfied with using the application's functions only inside the application itself. They would prefer to use the software development kit (SDK) of that application to log in on a third-party application with the account of that application and use its functions, such as customer management, there. To avoid leakage of customer information, which could in turn endanger the customers' property and personal safety, handing the customer information managed on an application with customer-management functions over to a third-party application places stricter requirements on the security of customer data and on the legitimacy of the third-party application.
In existing schemes in which a third-party application logs in based on a customer's authentication, the username and password that the customer registered and uses on the application with customer-management functions are usually sent to the server in clear text. During transmission the username and password are easily stolen, which easily leads to leakage of the customer's information.
Therefore, when a third-party application performs authenticated login based on the subscriber identity information of a user on an application with customer-management functions, how to improve the security of the subscriber identity information is one of the technical problems urgently to be solved in the prior art.
Summary of the invention
The embodiments of the present invention provide a method, system, terminal and electronic equipment for logging in to an application, to solve the prior-art problem that, when a third-party application logs in using a user's subscriber identity information from another application, the subscriber identity information is stolen, customer data leaks, and the property and personal safety of customers are endangered.
In a first aspect, an embodiment of the present invention provides a method for logging in to an application, comprising:
a first application obtains a license confirmation that the user logs in to a second application, the license confirmation indicating that the user allows the second application to be logged in using the subscriber identity information of the first application;
the first application sends an authentication request to a certificate server and receives the authentication result returned by the certificate server, the authentication request carrying authenticated encryption information of the identification information of the second application, and the authentication result including encryption information of the legitimacy authentication result of the second application;
when the first application confirms, according to the legitimacy authentication result of the second application, that the second application is legitimate, it sends an access token acquisition request to a service server and sends the obtained access token to the second application, so that the second application obtains the user's business data from the service server using the access token and the user is allowed to use that business data while carrying out the business of the second application.
In this way, after the first application obtains the user's license confirmation allowing the second application to be logged in with the subscriber identity information of the first application, the sensitive data sent to the certificate server is encrypted, which ensures the security of the data in transit and avoids the prior-art problem of the data the user recorded on the service server being stolen because sensitive data was transmitted in clear text.
Optionally, the subscriber identity information includes account information and password information; and
the authenticated encryption information is the encryption information obtained by encrypting, with the password information, the identification information of the second application and the public key of a first key pair.
By encrypting the sensitive data with the password information the user registered on the first application, even if the resulting authenticated encryption information is stolen, the thief cannot recover the sensitive data, because the thief knows neither the decryption algorithm nor the decryption key; this ensures the security of the data in transit.
Preferably, the authentication result further includes encryption information of an access permission indication and of the public key of a second key pair, the access permission indication indicating that the user is allowed to access an intermediate server using the subscriber identity information of the first application; and
before the access token acquisition request is sent to the service server, the method further includes:
the first application sends a credentials acquisition request for access to the service server to the intermediate server, the credentials acquisition request carrying credentials encryption information, which is obtained by encrypting the access permission indication with the public key of the second key pair, where the public key of the second key pair and the access permission indication were obtained by decrypting the authentication result with the private key of the first key pair; and
the first application receives the credentials acquisition result sent by the intermediate server, the credentials acquisition result carrying allowed-results encryption information, which the intermediate server produced by decrypting the credentials encryption information with the private key of the second key pair obtained from the certificate server, verifying the decrypted access permission indication, and then encrypting a license ticket and the public key of a third key pair with the private key of the second key pair;
the first application decrypts the allowed-results encryption information with the public key of the second key pair, and encrypts the license ticket with the decrypted public key of the third key pair to obtain access permission encryption information; and
the first application carries the access permission encryption information in the access token acquisition request sent to the service server, so that after receiving the access token acquisition request the service server decrypts the access permission encryption information with the private key of the third key pair obtained from the intermediate server and, once the license ticket is verified, allocates an access token for the second application, encrypts the access token with the private key of the third key pair to obtain access permission result information, and sends the access permission result information to the first application.
Because the first application exchanges encrypted data with the certificate server, the intermediate server and the service server, a thief who obtains the encrypted data cannot decrypt it without knowing the decryption algorithm and the decryption public key. This improves the security of the transmission links, ensures the security of the subscriber identity information, and further avoids loss of the business data the user recorded on the service server due to theft of the subscriber identity information.
Preferably, before the access token is sent to the second application, the method further includes:
after receiving the access permission result information, the first application decrypts the access permission result information with the public key of the third key pair to obtain the access token.
Because data on the downlink from the service server to the first application is encrypted, the first application must decrypt the access permission result information and obtains the access token only if decryption succeeds, which ensures the security of the access token. If decryption fails, the application that received the access permission result information may be illegitimate; since that application cannot decrypt the access token, it cannot use the access token to obtain the user's business data from the service server, so leakage of business data is avoided.
Preferably, before the first application obtains the user's license confirmation for logging in to the second application, the method further includes:
receiving a key acquisition request sent by the second application;
sending the public key of a fourth key pair to the second application, so that the second application encrypts its identification information with the public key of the fourth key pair and carries the resulting information to be verified in a login request sent to the first application; and
after receiving the login request, decrypting the information to be verified with the private key of the fourth key pair to obtain the identification information of the second application.
To prevent data loss caused by eavesdropping on the link between the first application and the second application, the present invention encrypts sensitive data such as the identification information of the second application before it is sent to the first application, so that only encrypted data is transmitted between the second and first applications and sensitive data cannot be stolen.
Preferably, the information to be verified further includes encryption information of the public key of a fifth key pair; and sending the access token to the second application specifically includes:
encrypting the access token with the decrypted public key of the fifth key pair to obtain password information; and
sending the password information to the second application.
To send the obtained access token securely to the second application, the first application encrypts the access token, which prevents the access token from being stolen in transit and prevents an illegitimate application from using the access token to obtain business data.
The fourth key pair is generated by the first application or by the service server of the first application; the fifth key pair is generated by the second application or by the service server of the second application.
In a second aspect, an embodiment of the present invention provides a system for logging in to an application, comprising a certificate server and a service server, wherein:
the certificate server is configured to, after receiving an authentication request sent by a first application in a terminal, authenticate the identification information of a second application in the terminal carried in the authentication request, and return an authentication result to the first application, the authentication result including encryption information of the legitimacy authentication result of the second application in the terminal, wherein the authentication request is sent by the first application after it obtains the user's license confirmation for logging in to the second application, the license confirmation indicating that the user allows the second application to be logged in with the subscriber identity information of the first application;
the service server is configured to, after receiving an access token acquisition request sent by the first application, send an access token to the first application, so that the first application sends the obtained access token to the second application, the second application obtains the user's business data from the service server using the access token, and the user is allowed to use the business data while carrying out the business of the second application, wherein the access token acquisition request is sent by the first application when it confirms, according to the legitimacy authentication result of the second application returned by the certificate server, that the second application is legitimate.
In this way, after the first application obtains the user's license confirmation allowing the second application to be logged in with the subscriber identity information of the first application, the sensitive data sent to the certificate server is encrypted, which ensures the security of the data in transit and avoids the prior-art problem of the data the user recorded on the service server being stolen because sensitive data was transmitted in clear text.
Preferably, the system further includes an intermediate server; the authentication result further includes encryption information of an access permission indication and of the public key of a second key pair, the access permission indication indicating that the user is allowed to access the intermediate server using the subscriber identity information of the first application; and
the intermediate server is configured to, after receiving the credentials acquisition request for access to the service server sent by the first application, decrypt the credentials encryption information with the private key of the second key pair obtained from the certificate server, verify the decrypted access permission indication, and then encrypt a license ticket and the public key of a third key pair with the private key of the second key pair to obtain allowed-results encryption information, and carry the allowed-results encryption information in the credentials acquisition result sent to the first application, wherein the public key of the second key pair and the access permission indication were obtained by the first application by decrypting the authentication result with the private key of the first key pair;
the service server is specifically configured to, after receiving the access token acquisition request, decrypt the access permission encryption information carried in the access token acquisition request with the private key of the third key pair obtained from the intermediate server and, once the decrypted license ticket is verified, allocate the access token for the second application, encrypt the access token with the private key of the third key pair to obtain access permission result information, and send the access permission result information to the first application, wherein the access permission encryption information is obtained by the first application by decrypting the allowed-results encryption information carried in the credentials acquisition result with the public key of the second key pair and encrypting the license ticket with the decrypted public key of the third key pair.
Because the first application exchanges encrypted data with the certificate server, the intermediate server and the service server, a thief who obtains the encrypted data cannot decrypt it without knowing the decryption algorithm and the decryption public key. This improves the security of the transmission links, ensures the security of the subscriber identity information, and further avoids loss of the business data the user recorded on the service server due to theft of the subscriber identity information.
Preferably, the license ticket carries a timestamp indicating when the license ticket was generated; and
the service server is specifically configured to determine whether the license ticket obtained from the intermediate server is consistent with the decrypted license ticket and, if so, to extract the timestamp from the license ticket and, if the timestamp is within the validity period, to determine that the license ticket is verified.
By verifying the validity of the license ticket and not sending an access token to the first application when the license ticket is found to be invalid, an illegitimate application holding an invalid license ticket is prevented from obtaining an access token, which ensures the security of the user's business data.
Optionally, the subscriber identity information includes account information and password information, and the authenticated encryption information further includes encryption information of the public key of the obtained first key pair; and
the certificate server is specifically configured to, after receiving the authentication request, determine the password information corresponding to the account information carried in the authentication request according to the stored correspondence between account information and password information; determine, if the authenticated encryption information is decrypted successfully with that password information, that the subscriber identity information is authenticated; send the decrypted identification information of the second application to an open platform; receive the legitimacy authentication result of the second application from the open platform; encrypt, with the decrypted public key of the first key pair, the legitimacy authentication result of the second application, the authentication result of the subscriber identity information, the access permission indication and the public key of the second key pair; and send the resulting authentication result to the first application.
To secure the downlink between the certificate server and the first application, the data to be sent to the first application is encrypted; in addition, to secure the uplink between the first application and the intermediate server, the certificate server encrypts the public key of the second key pair, so that the first application encrypts the data it sends to the intermediate server with the decrypted public key of the second key pair, which prevents the data sent to the intermediate server from being stolen.
In a third aspect, an embodiment of the present invention provides a method for logging in to an application, applied in a certificate server, the method comprising:
after receiving an authentication request sent by a first application in a terminal, authenticating the identification information of a second application in the terminal carried in the authentication request; and
returning an authentication result to the first application, the authentication result including encryption information of the legitimacy authentication result of the second application in the terminal, so that when the first application confirms, according to the legitimacy authentication result, that the second application is legitimate, it sends an access token acquisition request to a service server and sends the obtained access token to the second application, so that the second application obtains the user's business data from the service server using the access token and the user is allowed to use the business data while carrying out the business of the second application; wherein the authentication request is sent by the first application after it obtains the user's license confirmation for logging in to the second application, the license confirmation indicating that the user allows the second application to be logged in with the subscriber identity information of the first application.
In this way, after the first application obtains the user's license confirmation allowing the second application to be logged in with the subscriber identity information of the first application, the sensitive data sent to the certificate server is encrypted, which ensures the security of the data in transit and avoids the prior-art problem of the data the user recorded on the service server being stolen because sensitive data was transmitted in clear text.
Preferably, the subscriber identity information includes account information and password information, the authenticated encryption information further includes encryption information of the public key of the obtained first key pair, and the authentication result is obtained as follows:
determining, according to the stored correspondence between account information and password information, the password information corresponding to the account information carried in the authentication request;
determining, if the authenticated encryption information is decrypted successfully with that password information, that the subscriber identity information is authenticated; and
sending the decrypted identification information of the second application to an open platform; and
receiving the legitimacy authentication result of the second application from the open platform;
encrypting, with the decrypted public key of the first key pair, the legitimacy authentication result of the second application, the authentication result of the subscriber identity information, the access permission indication and the public key of the second key pair, to obtain the authentication result.
By authenticating the identification information of the second application, the certificate server allows the first application to send an access token acquisition request to the service server only after authentication passes, which guarantees that the second application using the user's business data on the service server is trustworthy; in addition, encrypting the data sent to the first application ensures the security of the data transmitted on the downlink between the certificate server and the first application.
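The certificate-server step described here and in the second aspect above, as an added example that is not the patent's own code: "successful decryption" of the authenticated encryption information with the user's stored password information is what authenticates the subscriber identity information, and the decrypted identification information is then checked against the open platform. The patent names no cipher, so this block substitutes a small authenticated-encryption construction built only from hashlib/hmac (PBKDF2 key derivation, HMAC-SHA256 keystream and tag), an allow-list standing in for the open platform, and constructed account data; the asymmetric encryption of the reply with the first key pair's public key is left out.

```python
import hashlib
import hmac
import json
import os
from typing import Optional

# Substitute cipher (assumption: the patent specifies none). A wrong password
# derives a different key, so the tag check fails instead of yielding garbage.

def _derive_key(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt_with_password(password: str, plaintext: bytes) -> dict:
    """First application side: seal the second application's identification
    info and the first key pair's public key under the user's password."""
    salt, nonce = os.urandom(16), os.urandom(12)
    key = _derive_key(password, salt)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return {"salt": salt.hex(), "nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}

def decrypt_with_password(password: str, blob: dict) -> Optional[bytes]:
    """Returns the plaintext, or None when the tag does not verify
    (wrong password or tampered ciphertext)."""
    salt, nonce = bytes.fromhex(blob["salt"]), bytes.fromhex(blob["nonce"])
    ct, tag = bytes.fromhex(blob["ct"]), bytes.fromhex(blob["tag"])
    key = _derive_key(password, salt)
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

# Constructed sample data: the stored account-to-password correspondence the
# certificate server consults, and an allow-list standing in for the open
# platform that judges whether the second application is legitimate.
STORED_CREDENTIALS = {"alice": "correct horse battery staple"}
OPEN_PLATFORM_REGISTERED_APPS = {"crm-partner-app"}

def build_request(account: str, password: str, second_app_id: str, pubkey: str) -> dict:
    """Authentication request as the first application would assemble it."""
    payload = json.dumps({"second_app_id": second_app_id,
                          "first_pair_public_key": pubkey}).encode()
    return {"account": account,
            "auth_encryption_info": encrypt_with_password(password, payload)}

def certificate_server_authenticate(request: dict) -> dict:
    """Process one authentication request and return the (still unencrypted)
    authentication result fields."""
    password = STORED_CREDENTIALS.get(request.get("account", ""))
    if password is None:
        return {"identity_ok": False, "app_legit": False}
    plaintext = decrypt_with_password(password, request.get("auth_encryption_info", {}))
    if plaintext is None:
        # decryption failed: the sender did not hold the user's password
        return {"identity_ok": False, "app_legit": False}
    payload = json.loads(plaintext)
    # the decrypted identification info of the second application goes to the open platform
    app_legit = payload["second_app_id"] in OPEN_PLATFORM_REGISTERED_APPS
    return {
        "identity_ok": True,
        "app_legit": app_legit,
        "access_permission": app_legit,  # may the user access the intermediate server
        "first_pair_public_key": payload["first_pair_public_key"],  # would seal the reply
    }
```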
In a fourth aspect, an embodiment of the present invention provides a method for logging in to an application, applied in a service server, the method comprising:
receiving an access token acquisition request sent by a first application in a terminal;
sending an access token to the first application, so that the first application sends the obtained access token to a second application, the second application obtains the user's business data from the service server using the access token, and the user is allowed to use the business data while carrying out the business of the second application, wherein the access token acquisition request is sent by the first application when it confirms, according to the legitimacy authentication result of the second application returned by a certificate server, that the second application is legitimate.
In this way, after the first application obtains the user's license confirmation allowing the second application to be logged in with the subscriber identity information of the first application, the sensitive data sent to the certificate server is encrypted, which ensures the security of the data in transit and avoids the prior-art problem of the data the user recorded on the service server being stolen because sensitive data was transmitted in clear text.
Preferably, the access token acquisition request carries a license ticket; and before the access token is sent to the first application, the method further includes:
verifying the license ticket.
Further, the license ticket carries a timestamp indicating when the license ticket was generated; and the license ticket is determined to be verified as follows:
determining whether the license ticket obtained from an intermediate server is consistent with the license ticket carried in the access token acquisition request; and
if consistent, extracting the timestamp from the license ticket and, if the timestamp is within the validity period, determining that the license ticket is verified.
By verifying the validity of the license ticket and not sending an access token to the first application when the license ticket is found to be invalid, an illegitimate application holding an invalid license ticket is prevented from obtaining an access token, which ensures the security of the user's business data.
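The service server's license-ticket check described here and in the second aspect above, as an added example that is not the patent's own code: the ticket carried in the access token acquisition request must be consistent with the copy the service server obtained from the intermediate server, and its creation timestamp must fall inside the validity period, before an access token is allocated for the second application. The asymmetric encryption the patent wraps around these messages is left out, tickets are handled as already-decrypted JSON strings, and the validity period and the `now` clock parameter are assumptions.

```python
import json
import secrets
from typing import Dict, Optional

TICKET_VALIDITY_SECONDS = 300  # assumed validity period; the patent fixes none

def intermediate_server_issue_ticket(second_app_id: str, now: int) -> str:
    """Intermediate server: generate a license ticket carrying its creation time."""
    ticket = {"ticket_id": secrets.token_hex(8),
              "second_app_id": second_app_id,
              "timestamp": now}
    return json.dumps(ticket, sort_keys=True)

class ServiceServer:
    def __init__(self) -> None:
        # copies of license tickets obtained from the intermediate server, by ticket id
        self._tickets_from_intermediate: Dict[str, str] = {}
        # access tokens allocated so far, mapped to the second application they serve
        self.issued_tokens: Dict[str, str] = {}

    def receive_ticket_from_intermediate(self, ticket_json: str) -> None:
        self._tickets_from_intermediate[json.loads(ticket_json)["ticket_id"]] = ticket_json

    def verify_license_ticket(self, presented: str, now: int) -> bool:
        try:
            ticket = json.loads(presented)
            ticket_id = ticket["ticket_id"]
            timestamp = int(ticket["timestamp"])
        except (ValueError, KeyError, TypeError):
            return False  # malformed ticket
        known = self._tickets_from_intermediate.get(ticket_id)
        # consistency: the presented ticket must equal the copy from the intermediate
        # server, so a ticket with an edited timestamp or app id is rejected here
        if known is None or known != presented:
            return False
        # validity: the creation timestamp must lie within the validity period
        # (a timestamp in the future is treated as invalid too)
        return 0 <= now - timestamp <= TICKET_VALIDITY_SECONDS

    def handle_access_token_request(self, request: dict, now: int) -> Optional[str]:
        """Returns an access token for the second application, or None when the
        license ticket does not verify (no token is sent to the first application)."""
        presented = request.get("license_ticket", "")
        if not self.verify_license_ticket(presented, now):
            return None
        second_app_id = json.loads(presented)["second_app_id"]
        token = secrets.token_urlsafe(24)
        self.issued_tokens[token] = second_app_id
        return token
```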
In a fifth aspect, an embodiment of the present invention provides a terminal for logging in to an application, comprising:
an acquiring unit, configured to obtain a license confirmation that the user logs in to a second application, the license confirmation indicating that the user allows the second application to be logged in using the subscriber identity information of a first application;
a first transmission unit, configured to send an authentication request to a certificate server, the authentication request carrying authenticated encryption information of the identification information of the second application;
a first receiving unit, configured to receive the authentication result returned by the certificate server, the authentication result including encryption information of the legitimacy authentication result of the second application;
a second transmission unit, configured to, when the second application is confirmed to be legitimate according to its legitimacy authentication result, send an access token acquisition request to a service server and send the obtained access token to the second application, so that the second application obtains the user's business data from the service server using the access token and the user is allowed to use the business data while carrying out the business of the second application.
In this way, after the first application obtains the user's license confirmation allowing the second application to be logged in with the subscriber identity information of the first application, the sensitive data sent to the certificate server is encrypted, which ensures the security of the data in transit and avoids the prior-art problem of the data the user recorded on the service server being stolen because sensitive data was transmitted in clear text.
Preferably, the subscriber identity information includes account information and encrypted message;And
The authenticated encryption information are as follows: using the encrypted message to the identification information and first key of second application The encryption information that the public key of centering is encrypted.
By being encrypted in the encrypted message of the first upper registration of application to sensitive data using user, even if encryption Obtained authenticated encryption information is stolen, and since stolen party does not know decipherment algorithm and decruption key, is also impossible to crack Sensitive data out, to ensure that the safety of data in transmission process.
Preferably, the authentication result also includes the encryption information of the public key of access permission instruction and the second cipher key pair, The access permission instruction, which is used to indicate, allows the user to access intermediate server using the subscriber identity information of the first application; And the terminal, further includes:
Third transmission unit, for second transmission unit to service server send access token acquisition request it Before, the acquisition of credentials request of access service server is sent to intermediate server, carries documentary in the acquisition of credentials request Encryption information, the credentials encryption information are to be encrypted using the second cipher key pair public key to access permission instruction What processing obtained, the public key of second cipher key pair and access permission instruction are to utilize the private of the first key centering Key decrypts what the authentication result obtained;
Second receiving unit, for receiving the acquisition of credentials of the intermediate server transmission as a result, the acquisition of credentials knot Allowed results encryption information is carried in fruit, the allowed results encryption information is utilized for intermediate server and obtained from certificate server After the private key of the second cipher key pair obtained is decrypted the credentials encryption information and is verified to the access permission instruction decrypted, The public key of license ticket and third cipher key pair is encrypted using the private key of the second cipher key pair;
First processing units carry out the allowed results encryption information for the public key using second cipher key pair Decryption, and the license ticket is encrypted to obtain access permission using the public key of third cipher key pair decrypted and is added Confidential information;
4th transmission unit is sent out in the access token acquisition request for carrying the access permission encryption information Service server is given, so that after the service server receives the access token acquisition request, using from intermediary service The access permission encryption information is decrypted in the private key of third cipher key pair that device obtains, and to the license with After card is verified, the access token is distributed for second application, and using the private key of third cipher key pair to the visit It asks that token is encrypted to obtain access permission result information, the access permission result information is sent to the first application.
First application with transmitted by way of encryption between certificate server, intermediate server and service server plus Close data thus it can be prevented that stolen party after obtaining encryption data, due to that can not know decipherment algorithm reconciliation Migong key then Encryption data can not be decrypted, which thereby enhance the safety of transmission link, and then also ensure that subscriber identity information Safety, further avoid what user caused by due to subscriber identity information is stolen recorded on service server The loss of business datum and so on.
Preferably, the terminal, further includes:
The second processing unit, for before the access token is sent to the second application by second transmission unit, After receiving the access permission result information, the access permission result is believed using the public key of the third cipher key pair Breath is decrypted, and obtains the access token.
Since data are encryptions in the downlink transfer link of service server to the first application, therefore the first application needs pair Access permission result information is decrypted, and access token could be obtained only after successful decryption, thereby ensures that visit The safety of token is asked, if decryption is unsuccessful to indicate that the application for receiving access permission result information may be illegal, but due to this Using that can not decrypt access token, which is also impossible to obtain user in the business number of service server using access token According to also avoid the leakage of business datum.
Preferably, the terminal, further includes:
Third processing unit, for connecing before the license confirmation that the acquiring unit obtains that user logs in the second application Receive the cipher key acquisition request that the second application is sent;The public key that the 4th cipher key pair is sent to second application, so that described the Two applications are encrypted the identification information of second application using the public key of the 4th cipher key pair, and will obtain Information to be verified carrying be sent in logging request it is described first application;It is close using the 4th after receiving logging request The information to be verified is decrypted in the private key of key centering, obtains the identification information of second application.
The transmission link between first the second application of application causes loss of data because monitored in order to prevent, and the present invention mentions Out when sending data to the first application, the sensitive datas such as the identification information of the second application are encrypted, by encryption Data are transmitted between the second application and the first application, avoid the occurrence of sensitive data is stolen.
Preferably, the information to be verified further includes the encryption information of the public key of the 5th cipher key pair;And
Second transmission unit, specifically for the public key using the 5th cipher key pair decrypted to the access token It is encrypted, obtains password information;And the password information is sent to second application.
The second application is sent to for the access token safety that will acquire, and the first application carries out at encryption access token Reason, be stolen so as to avoid access token in transmission process and so on, and then also avoid illegal application utilization The case where access token acquisition business datum, occurs.
In a sixth aspect, an embodiment of the present invention provides a device for logging in to an application, located in an authentication server, the device comprising:
an authentication unit, configured, after receiving the authentication request sent by the first application in the terminal, to authenticate the identification information of the second application in the terminal carried in the authentication request;
a transmission unit, configured to return an authentication result to the first application, the authentication result containing encrypted information of the legitimacy authentication result of the second application in the terminal, so that when the legitimacy authentication result confirms that the second application is legitimate, the first application sends an access token acquisition request to the service server and sends the acquired access token to the second application, and the second application uses the access token to obtain the user's business data from the service server and allows the user to use that data when conducting the business of the second application; where the authentication request is sent by the first application after it obtains the user's permission confirmation for logging in to the second application, the permission confirmation indicating that the user allows the second application to be logged in with the user identity information of the first application.
In this way, after the first application has obtained the user's permission confirmation allowing the second application to be logged in with the user identity information of the first application, the sensitive data sent to the authentication server is encrypted, which protects the data in transit and avoids the prior-art problem of user data recorded on the service server being stolen because sensitive data was transmitted in plaintext.
Preferably, the user identity information includes account information and password information, and the authenticated encryption information further includes encrypted information of the public key of the acquired first key pair; and
the transmission unit is specifically configured to determine, from the stored correspondence between account information and password information, the password information corresponding to the account information carried in the authentication request; to determine that the user identity information passes authentication if the authenticated encryption information is successfully decrypted with that password information; to send the decrypted identification information of the second application to the open platform; to receive the open platform's legitimacy authentication result for the second application; and to encrypt the legitimacy authentication result of the second application, the authentication result of the user identity information, the access permission indication and the public key of the second key pair with the decrypted public key of the first key pair to obtain the authentication result.
By authenticating the identification information of the second application, the authentication server lets the first application send an access token acquisition request to the service server only after authentication passes, which ensures that only a trusted second application can use the user's business data on the service server; in addition, encrypting the data sent to the first application protects the downlink between the authentication server and the first application.
In a seventh aspect, an embodiment of the present invention provides a device for logging in to an application, located in a service server, the device comprising:
a receiving unit, configured to receive the access token acquisition request sent by the first application in the terminal;
a transmission unit, configured to send an access token to the first application, so that the first application sends the acquired access token to the second application, and the second application uses the access token to obtain the user's business data from the service server and allows the user to use that data when conducting the business of the second application, where the access token acquisition request is sent by the first application when the legitimacy authentication result of the second application returned by the authentication server confirms that the second application is legitimate.
In this way, after the first application has obtained the user's permission confirmation allowing the second application to be logged in with the user identity information of the first application, the sensitive data sent to the authentication server is encrypted, which protects the data in transit and avoids the prior-art problem of user data recorded on the service server being stolen because sensitive data was transmitted in plaintext.
Preferably, the access token acquisition request carries a license ticket; and the device further comprises:
a processing unit, configured to verify the license ticket before the transmission unit sends the access token to the first application.
Preferably, the license ticket carries a timestamp indicating when the license ticket was generated; and
the processing unit is specifically configured to determine whether the license ticket obtained from the intermediate server is consistent with the license ticket carried in the access token acquisition request, and if so, to extract the timestamp from the license ticket and, if the timestamp is within the validity period, to determine that the license ticket passes verification.
By checking the validity of the license ticket and withholding the access token from the first application when the ticket is invalid, an illegitimate application holding an invalid license ticket is prevented from obtaining an access token, which protects the user's business data.
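The two checks the service server makes on the license ticket (consistency with the copy obtained from the intermediate server, then the generation timestamp against the validity period), as an added Python example that is not code from the patent. The validity window of 300 seconds, the record and function names, and the ticket values in the usage are assumptions; the patent fixes none of them.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed validity window for a license ticket; the patent does not fix a value.
TICKET_TTL_SECONDS = 300


@dataclass(frozen=True)
class LicenseTicket:
    value: str       # opaque ticket string issued by the intermediate server
    issued_at: int   # generation timestamp carried inside the ticket (Unix seconds)


def verify_license_ticket(on_record: Optional[LicenseTicket],
                          in_request: LicenseTicket,
                          now: Optional[int] = None,
                          ttl: int = TICKET_TTL_SECONDS) -> Tuple[bool, str]:
    """Service-server check run before an access token is issued.

    on_record  : the ticket the service server obtained from the intermediate server
    in_request : the ticket carried in the access token acquisition request
    Returns (passed, reason)."""
    now = int(time.time()) if now is None else now
    if on_record is None:
        return False, "no ticket on record from the intermediate server"
    # Consistency check; constant-time so a forged ticket cannot be confirmed
    # one byte at a time through timing differences.
    if not hmac.compare_digest(on_record.value.encode(), in_request.value.encode()):
        return False, "ticket mismatch"
    if on_record.issued_at != in_request.issued_at:
        return False, "ticket timestamp mismatch"
    # Validity-period check on the generation timestamp the ticket carries.
    age = now - in_request.issued_at
    if age < 0:
        return False, "ticket timestamp lies in the future"
    if age > ttl:
        return False, "ticket expired"
    return True, "ok"


def handle_access_token_request(on_record: Optional[LicenseTicket],
                                in_request: LicenseTicket,
                                now: Optional[int] = None,
                                ttl: int = TICKET_TTL_SECONDS) -> Optional[str]:
    """Issue an access token only when the ticket passes; otherwise return None."""
    passed, _reason = verify_license_ticket(on_record, in_request, now, ttl)
    if not passed:
        return None
    return "at-" + secrets.token_hex(16)


if __name__ == "__main__":
    # constructed sample: same ticket on both sides, checked 100 s after issue
    ticket = LicenseTicket("lt-3f9a", 1_700_000_000)
    print(verify_license_ticket(ticket, ticket, now=1_700_000_100))
    print(verify_license_ticket(ticket, ticket, now=1_700_000_400))   # past the window
    print(handle_access_token_request(ticket, ticket, now=1_700_000_100))
```

Passing `now` explicitly keeps the check testable; in the server it is left at its default. Rejecting a timestamp that lies in the future matters as much as rejecting an old one, because a forged ticket can carry any timestamp its author likes.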
In an eighth aspect, an embodiment of the present invention provides an electronic device, comprising:
at least one processor; and
a memory communicatively connected to the at least one processor; wherein
the memory stores instructions executable by the at least one processor, and the instructions are executed by the at least one processor so that the at least one processor can perform the terminal-side method of logging in to an application provided by the present application, the authentication-server-side method of logging in to an application provided by the present application, or the service-server-side method of logging in to an application provided by the present application.
In a ninth aspect, an embodiment of the present invention provides a non-volatile computer storage medium storing computer-executable instructions for performing the terminal-side method of logging in to an application provided by the present application, the authentication-server-side method of logging in to an application provided by the present application, or the service-server-side method of logging in to an application provided by the present application.
The invention has the following advantages:
In the method, system, terminal and electronic device for logging in to an application provided by the embodiments of the present invention, after the first application in the terminal obtains the user's permission confirmation allowing the second application to be logged in with the user identity information of the first application, it sends to the authentication server an authentication request carrying authenticated encryption information of the identification information of the second application; when the authentication result returned by the authentication server shows that the second application is legitimate, it obtains an access token from the service server of the first application and sends it to the second application, so that the second application can use the access token to obtain the user's business data from the service server and the user can use that data in the business of the second application. Because data is transmitted in encrypted form, information is not exposed in transit, which protects the data the user has recorded on the service server.
Other features and advantages of the invention will be set out in the following description, and will in part become apparent from it or be learned by practising the invention. The objectives and other advantages of the invention may be realised and obtained by the structures particularly pointed out in the written description, claims and drawings.
Brief description of the drawings
The drawings described here provide a further understanding of the invention and form part of it; the illustrative embodiments of the invention and their description explain the invention and do not limit it. In the drawings:
Fig. 1a is a first architecture diagram of a system for logging in to an application provided by an embodiment of the present invention;
Fig. 1b is a first flow diagram of a method of logging in to an application implemented through interaction among the devices of the system shown in Fig. 1a, provided by an embodiment of the present invention;
Fig. 1c is a schematic diagram of the login interface of the second application provided by an embodiment of the present invention;
Fig. 1d is the authorisation login interface that the first application shows to the terminal user, provided by an embodiment of the present invention;
Fig. 1e is the login interface shown to the terminal user when the user is not currently logged in to the first application, provided by an embodiment of the present invention;
Fig. 1f is a schematic diagram of the interface through which the first application lets the terminal user switch accounts, provided by an embodiment of the present invention;
Fig. 2 is a flow diagram of a method of obtaining an authentication result provided by an embodiment of the present invention;
Fig. 3 is a flow diagram of sending the access token and related information to the second application, provided by an embodiment of the present invention;
Fig. 4a is a second architecture diagram of a system for logging in to an application provided by an embodiment of the present invention;
Fig. 4b is a flow diagram of a method of logging in to an application implemented through interaction among the devices of the system shown in Fig. 4a, provided by an embodiment of the present invention;
Fig. 5 is a flow diagram of the service server verifying the license ticket, provided by an embodiment of the present invention;
Fig. 6 is a structural diagram of the terminal-side device for logging in to an application provided by an embodiment of the present invention;
Fig. 7 is a structural diagram of the authentication-server-side device for logging in to an application provided by an embodiment of the present invention;
Fig. 8 is a structural diagram of the service-server-side device for logging in to an application provided by an embodiment of the present invention;
Fig. 9 is a structural diagram of a user terminal provided by an embodiment of the present invention;
Fig. 10 is a structural diagram of a computing device provided by an embodiment of the present invention.
Detailed description of embodiments
To prevent the security problems that arise when a third-party application logs in with a terminal user's identity information from another application and that identity information leaks, embodiments of the present invention provide a method, system, terminal and electronic device for logging in to an application.
Preferred embodiments of the invention are described below with reference to the drawings. The preferred embodiments described here serve only to illustrate and explain the invention and do not limit it, and, where there is no conflict, the embodiments and the features in them may be combined with one another.
To solve the problem addressed by the present invention, namely improving the information security of users, the embodiments propose a solution based on the architecture of the authenticated login system shown in Fig. 1a. For convenience, the invention is illustrated with two applications installed in the terminal, one called the first application and the other the second application. When the second application logs in using the user identity information the terminal user registered on the first application, the transmitted data is encrypted so that the user identity information cannot be eavesdropped on or stolen, which protects it in transit and in turn prevents leakage of the user information managed on the first application. As shown in Fig. 1a, the system for logging in to an application includes an authentication server 11 and a service server 21. The system provided by the embodiments controls the login of the second application in the terminal with the user identity information on the first application. With reference to Fig. 1a, the first application has a corresponding service server 21, on which the terminal user has registered in advance through the first application; the second application has its own server 41, but the user has not registered on server 41. The main reason is that registering a separate account for every application places a heavy burden on the user's memory, so the application scenario of the invention is that the second application performs an authorised login using the user identity information on the first application. Note that if the terminal contains several second applications, a corresponding number of servers is added to Fig. 1a.
First, when the user opens the second application in the terminal and chooses to log in to the second application with the user identity information on the first application, a login request is triggered. After receiving the login request, the first application shows the user an authorisation login interface; when the user chooses authorised login, the first application receives the permission confirmation the user triggered for the login request and sends an authentication request to the authentication server 11. After receiving the authentication request and completing the legitimacy authentication of the second application, the authentication server 11 returns an authentication result to the first application. Once the first application determines that the authentication server 11 has passed the legitimacy authentication of the second application, it sends an access token acquisition request to its service server 21, which on receiving the request sends an access token to the first application. The first application forwards the access token to the second application, so that the second application obtains the user's business data from the service server 21 with the access token and lets the user use that data in the business of the second application; for example, the second application can use the obtained business data and the access token to log in to its server 41.
To prevent leakage of the data the user has recorded on the service server 21, in embodiments of the invention the first application encrypts the information it needs to carry before sending the authentication request to the authentication server 11: for example, it encrypts the identification information of the second application to obtain authenticated encryption information and carries that in the authentication request. Thus, even if the authentication request is stolen on its way to the authentication server 11, the thief cannot obtain the user's information without the decryption key, and user information is not leaked.
The user terminal communicates with the authentication server 11 and the service server 21 over a network, which may be a local area network, a wide area network, and so on. The user terminal may be a portable device (such as a mobile phone, tablet or laptop) or a personal computer (PC).
The method of logging in to an application provided by the invention is introduced below with reference to the system architecture of Fig. 1a and the interaction flow of Fig. 1b, and may include the following steps:
S11, the second application send communication request to the first application.
When it is implemented, user opens second in application, the second application can be shown as illustrated in figure 1 c to user at the terminal Login interface, be that the subscriber identity information that the second application can be applied based on two first be logged in shown in Fig. 1 c. When the second application can be logged in based on multiple first applications, then multiple be filled with can be shown in the login interface of the second application " first application log in " to favored area, when user press one " the first application logs in " it is corresponding when favored area, then show User logs in the server 41 of the second application using the subscriber identity information for the first application chosen.Login interface shown in Fig. 1 c An only illustrative displaying interface, can be shown with transverse screen and also be shown with vertical screen, specifically can be according to the category of the second application Depending on property.
Preferably, can then be stepped on to first using transmission when user's pressing any " the first application logs in " is after favored area Record request.During sending logging request, in order to guarantee the safety of sensitive data between applying, the present invention proposes that second answers With that first can send communication request to the first application, which is used to indicate the public affairs that the first application issues the 4th cipher key pair Key.
The public key for the 4th cipher key pair that S12, the first application will acquire is sent to the second application.
It preferably, the 4th key pair is the first application generation, or is the service server of the first application It generates;
In this step, the 4th key pair can be generated by the first application and be stored in terminal local, and then the first application can To be sent to the second application from the public key that the 4th cipher key pair is locally extracted.
When terminal local stores key, higher requirement is proposed to the storage security of terminal, it may be necessary to eventually It holds and a series of process flows is carried out to the key of storage, also need to be implemented a series of inverse processing when extracting key in this way, compare It is cumbersome.For this purpose, the embodiment of the present invention proposes that key can be issued by the server dynamic of the first application.Executing this step When, first applies after receiving communication request, can send to the server of the first application and obtain key request, server exists It receives after obtaining key request, then the public key of the 4th cipher key pair generated to first using transmission by server, so that the The above-mentioned public key that one application issues server is sent to the second application.
Preferably, can use rivest, shamir, adelman RSA Algorithm generates the 4th key pair, generated using RSA Algorithm Data key is encrypted, and encryption data can be improved cracks difficulty, ensure that the safety of downstream transmission data.
S13, the second application are encrypted using identification information of the public key to second application, are obtained to be tested Demonstrate,prove information.
Subscriber identity information in order to permit the second application that user is utilized to apply first logs in the server of oneself, The legitimacy to the second application is needed to verify, therefore the second application needs to send the mark letter of the second application to the first application Breath.Preferably, the identity that the identification information can be, but not limited to as the second application, abbreviation appid.The appid is second After applying successfully on an open platform, open platform is that the second application uniquely distributes.It should be noted that any application It after the completion of exploitation, is intended to use in the market, needs first to be applied on an open platform, after applying successfully, open platform is It can be one unique appid of the application distribution.Therefore, second can be verified with appid using legitimacy.Therefore in this step In the appid that described second applies can be sent to the first application as its identification information.
In order to guarantee to transmit the safety of data between applying, it can use the public affairs for the 4th cipher key pair that the first application returns The identification information of second application is encrypted in key, obtains information to be verified.
S14: the second application carries the information to be verified in a login request and sends it to the first application.
In this step, in order for the service server 21 of the first application to permit the second application to access the information that the user has recorded with the first application on service server 21, the second application carries the information to be verified obtained in step S13, which serves to verify its legitimacy, in a login request sent to the first application, so that the first application can establish the legitimacy of the second application from its identification information.
Preferably, when the second application sends the login request to the first application, it can carry, besides the information to be verified, the api list of the second application. The api list names the details of the user, registered on the service server 21 of the first application, that the second application requests access to; the details may be, but are not limited to, the user's nickname, avatar and friend list.
Specifically, the second application can send the login request to the first application by way of a scheme jump: the second application generates a scheme identification code and carries it in the login request together with the api list. The identification code instructs the first application to show the authorization login interface to the user.
Preferably, when sending the api list, the second application can write the requested api list into the local pasteboard (pasteBoard), name the pasteboard that holds the api list, and carry that name together with the identification code in the login request sent to the first application.
Specifically, the second application includes an SDK kit and can call the interface of the first application through the SDK to send the login request to the first application.
S15: after receiving the login request, the first application decrypts the information to be verified in the login request with the private key of the fourth key pair and obtains the identification information of the second application.
In this step, since the information to be verified was encrypted with the public key of the fourth key pair sent by the first application, the first application, after receiving the login request, can take the private key of the fourth key pair from local storage and decrypt the information to be verified, thereby obtaining the identification information of the second application.
If the fourth key pair is stored on the server side, the first application can send the information to be verified to the server, which decrypts it with the private key of the fourth key pair and returns the decrypted identification information of the second application to the first application; the first application thereby also obtains the identification information of the second application.
Specifically, after receiving the login request, the first application extracts the identification code from the login request, determines from the correspondence between identification codes and addresses the address information of the authorization login page that corresponds to the identification code in the login request, and jumps to the authorization login interface at that address; see the authorization login interface shown in Fig. 1d.
Preferably, after receiving the login request, the first application can first use the decrypted identification information of the second application to obtain from the open platform the api list that the second application applied for when it registered on the open platform. After obtaining that api list, it looks up on the terminal the pasteboard named in the login request, reads from it the api list that the second application intends to request from the service server 21 of the first application, and compares the two lists. If the requested api list contains any item that is absent from the api list obtained from the open platform, the second application is requesting content for which it has no permission, and the first application no longer shows the authorization login interface of Fig. 1d. For example, suppose the first api list that the second application intends to request from the service server 21 of the first application contains the nickname, avatar, friend list and bank transaction information, but the permissions the second application applied for when registering on the open platform cover only the nickname, avatar and friend list, so that the second api list which the first application obtains from the open platform for the second application contains only those three items. The bank transaction information that the second application intends to request from service server 21 is then not in the second api list, which shows that the second application has no permission to obtain the terminal user's bank transaction information; the first application does not show the authorization login interface to the user, and there is no subsequent authorized login process. Only when every item in the api list requested by the second application is contained in the api list obtained from the open platform is the authorization login interface shown to the user and the subsequent authorized login process carried out.
Preferably, the login request sent by the second application to the first application can also carry information such as the name and icon of the second application, and the first application can obtain the app information of the second application from the open platform; the app information may be, but is not limited to, the name and icon of the second application. The first application can then judge whether the name, icon and other information of the second application carried in the login request are consistent with the app information of the second application obtained from the open platform, and execute the subsequent process only if they are. By verifying the second application comprehensively in this way, the first application prevents a forged second application from executing the subsequent process and causing information leakage.
Preferably, after receiving the login request, the first application can also send the login request to its corresponding service server, which decrypts the information to be verified. The service server on the one hand returns the decrypted data, i.e. the appid of the second application, and on the other hand sends the decrypted appid of the second application to the open platform, which authenticates the second application; the service server also obtains the api list and the app information from the open platform.
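As an added example (it is not code from the patent or from Tencent), the following Python sketches the two checks described above for step S15: the requested api list is compared with the one the second application registered on the open platform, and the name and icon carried in the login request are compared with the open platform's app information. The registry contents, the appid, the field names and the exception type are constructed assumptions, and the decryption of the appid under the fourth key pair is assumed to have already taken place.

```python
from dataclasses import dataclass

# Constructed stand-in for what the first application fetches from the open
# platform: the api list the second application applied for at registration
# and its app information (name and icon).  Not a real registry.
OPEN_PLATFORM_REGISTRY = {
    "wx1234567890abcdef": {
        "api_list": {"nickname", "avatar", "friend_list"},
        "app_info": {"name": "DemoShop", "icon": "sha256:9f3b0c"},
    },
}


@dataclass
class LoginRequest:
    appid: str                # identification information decrypted in step S15
    requested_api_list: set   # content read from the pasteboard named in the request
    app_info: dict            # name and icon carried in the login request


class LoginRequestRejected(Exception):
    """Raised when the authorization login interface must not be shown."""


def check_login_request(req, registry=OPEN_PLATFORM_REGISTRY):
    """Return the api list the user will be asked to authorize, or raise."""
    record = registry.get(req.appid)
    if record is None:
        raise LoginRequestRejected("appid is not registered on the open platform")

    # Any item outside the registered list rejects the whole request: the
    # second application is asking for content it has no permission for.
    excess = req.requested_api_list - record["api_list"]
    if excess:
        raise LoginRequestRejected(
            "requested content without permission: " + ", ".join(sorted(excess)))

    # Name and icon in the request must match the open platform's record,
    # so a forged second application cannot simply borrow a registered appid.
    for key in ("name", "icon"):
        if req.app_info.get(key) != record["app_info"].get(key):
            raise LoginRequestRejected(f"app {key} does not match the open platform record")

    return set(req.requested_api_list)
```

When the check passes, the returned list is what the authorization login interface of Fig. 1d should display; when it raises, no interface is shown and the login process ends, exactly as the text describes for the bank transaction example.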
S16: the first application shows the authorization login interface to the user.
In this step, after the first application has verified the api list requested by the second application, the terminal starts the first application and shows the authorization login interface of Fig. 1d within it. For example, the nickname, avatar, particulars and basic profile shown in the authorization login interface of Fig. 1d are all items contained in the api list; when the user clicks "authorize and log in" in Fig. 1d, the user permits the second application to access the nickname, avatar, particulars, basic profile and similar information that the user registered on the service server 21 of the first application.
It should be noted that the authorization login interface is shown to the user on the premise that the user is currently logged in to the first application. If the user is not currently logged in to the first application, the login interface shown in Fig. 1e can appear in the first application first, prompting the user to log in with the pre-registered subscriber identity information.
Preferably, some applications support multiple identities, or the user may have several mobile phone numbers, so the user may have registered more than one account in the first application. When the user has registered several accounts in the first application, the user can click "switch account" in the upper right corner of the authorization login interface; the first application responds to the user's switching instruction by showing the interface of Fig. 1f, in which the user can switch freely between accounts, so that the second application accesses the information registered on the service server 21 of the first application under the account the user switched to. For example, take the first application to be the Enterprise Point application, and suppose the user has registered two accounts on Enterprise Point. One account is the one the user normally uses, and a large amount of customer data is recorded under it on the service server 21 of Enterprise Point, while only ordinary customer data is recorded under the other account on service server 21. To avoid losing important customer data, the user may switch to the other account before carrying out the subsequent authorized login process, which both lets the second application access the data it needs and avoids the loss of important customer data.
S17: the first application obtains the user's license confirmation for logging in to the second application.
The license confirmation indicates that the user permits logging in to the second application with the subscriber identity information of the first application.
Specifically, if the user allows the second application to access the business data recorded for the user on the service server 21 of the first application, the user can click "log in and authorize" in the authorization login interface of Fig. 1d, whereupon the first application detects the license confirmation triggered by the user.
S18: the first application sends a certification request to certificate server 11.
The certification request carries the authenticated encryption information of the identification information of the second application.
Preferably, the subscriber identity information comprises account information and password information. To improve the security of the data in transit, in this step the identification information of the second application is encrypted with the password information that the user registered with the first application, and the resulting authenticated encryption information is carried in the certification request together with the account information from the subscriber identity information and sent to certificate server 11. Even if the certification request is eavesdropped in transit, the eavesdropper does not know the encryption algorithm used for this transmission and therefore cannot decrypt the identification information of the second application, which prevents the eavesdropper from performing illegal operations with it. Furthermore, even if the eavesdropper knows the encryption algorithm, it cannot obtain the password information the user registered with the first application, so it still cannot decrypt the identification information or misuse it. This prevents leakage of sensitive data such as the identification information of the second application as well as leakage of the subscriber identity information the user registered with the first application, and guarantees the safety of the subscriber identity information.
Preferably, to prevent the data returned by certificate server 11 from being monitored because it is unencrypted, the present invention proposes that, when producing the authenticated encryption information, the first application obtains the public key of the first key pair and encrypts the identification information of the second application together with that public key under the password information to produce the authenticated encryption information, so that after successfully decrypting the authenticated encryption information certificate server 11 encrypts the data it returns with the decrypted public key of the first key pair. This guarantees the safety of the downlink data in transit.
After producing the authenticated encryption information, the first application carries it together with the account information in the certification request and sends it to certificate server 11. Specifically, although the first application transmits the account information in plaintext, an eavesdropper who obtains the account information still cannot decrypt the authenticated encryption information without knowing the encryption and decryption algorithm and the password information, so the safety of the subscriber identity information is still guaranteed.
S19: after receiving the certification request, certificate server 11 authenticates the identification information of the second application carried in the certification request.
S110: certificate server 11 returns the authentication result to the first application.
The authentication result contains the encrypted legitimacy authentication result of the second application on the terminal.
In steps S19 and S110 of the present invention, certificate server 11, after receiving the certification request, can obtain the authentication result by the method shown in Fig. 2, which can comprise the following steps:
S21: certificate server 11 determines, from the stored correspondence between account information and password information, the password information corresponding to the account information carried in the certification request.
In this step, certificate server 11 can determine the password information corresponding to the account information carried in the certification request from the locally stored correspondence between account information and password information. It should be noted that certificate server 11 may store the user's account information and password information for several applications, and each application allocates accounts of a different format or number of digits when the user registers. For example, certificate server 11 stores the subscriber identity information that the user registered separately with applications such as WeChat, QQ and Enterprise Point, i.e. it maintains several lists of account-to-password correspondences. To speed up verification of the user's identity, the servers of these applications allocate account information in formats or digit counts that are distinguishable, so that when the account information is taken from the certification request it is easy to determine from its format which application the account belongs to, and then to look up the password information corresponding to the account information in the matching list. The password information corresponding to the account information can thereby be found quickly.
S22: certificate server 11 decrypts the authenticated encryption information with the password information; if decryption succeeds, it determines that the subscriber identity information passes authentication.
Specifically, after determining the password information, certificate server 11 can decrypt the authenticated encryption information with the decryption algorithm set in advance. Successful decryption indicates that the password information used to produce the authenticated encryption information is consistent with the password information determined in S21, so the subscriber identity information the user registered with the first application passes authentication. For this check to be meaningful, the cipher must detect use of a wrong key, for example through an authentication tag; with an unauthenticated cipher, any password yields some output, and the identification information decrypted under a wrong password would simply be meaningless bytes rather than a failure.
S23: certificate server 11 sends the decrypted identification information of the second application to the open platform.
In this step, the decryption of step S22, when successful, yields the identification information of the second application from the authenticated encryption information. To verify the legitimacy of the second application, that identification information is sent to the open platform.
S24: the open platform verifies the legitimacy of the second application and sends the legitimacy authentication result to certificate server 11.
In this step, the open platform allocates an appid to every application that registers with it, and the appid uniquely identifies the application. Therefore, when the identification information of the second application carried by the first application is the appid, the open platform verifies it as follows: if the open platform finds the appid in the list of appids it has allocated, the second application is registered on the open platform and is therefore legitimate, i.e. the second application passes authentication.
Further, to make the open platform's verification of the legitimacy of the second application more reliable, the second application can carry several pieces of information for verifying its legitimacy, for example its name and application time in addition to its appid, as identification information sent to certificate server 11, so that certificate server 11 can send several pieces of identification information to the open platform for authenticating the legitimacy of the second application. The open platform can then authenticate the second application comprehensively: only when all of the received information is consistent with the information about the second application stored by the open platform is the second application shown to be legitimate. This raises the reliability of the verification result, and as confidence in the legitimacy verification of the second application rises, permitting the second application to access the business information on the service server 21 of the first application carries a lower risk of business information leakage.
S25: certificate server 11 encrypts the legitimacy authentication result obtained from the open platform with the decrypted public key of the first key pair to obtain the authentication result.
To guarantee the safety of the data on the downlink from certificate server 11 to the first application, certificate server 11 can encrypt the legitimacy authentication result of the second application with the decrypted public key of the first key pair to obtain the authentication result. Even if a forged application steals the authentication result, it cannot decrypt it without the decryption algorithm and the decryption key, which increases the safety of the data in transit.
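As an added example (not the patent's or Tencent's code), the Python below walks a certification request through steps S18 and S21 to S24: the first application encrypts the appid together with the public key of the first key pair under the user's password, and certificate server 11 picks the credential list from the account format, decrypts, and checks the appid against the open platform's allocated list. Standard-library Python has no AEAD cipher, so the password-based encryption here is a constructed encrypt-then-MAC stand-in (PBKDF2 key derivation, HMAC-SHA256 counter-mode keystream, HMAC tag); in production use AES-GCM or ChaCha20-Poly1305 with the same key derivation. The authentication tag is what turns "decryption succeeded" into a real test of the password, as step S22 requires. Account prefixes, credentials, appids and the public key bytes are constructed, and the RSA encryption of step S25 under the decrypted public key is not implemented.

```python
import hashlib
import hmac
import json
import os


def _derive_keys(password, salt):
    """PBKDF2-HMAC-SHA256 -> (encryption key, MAC key)."""
    km = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, dklen=64)
    return km[:32], km[32:]


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode; constructed stand-in for a real stream cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_with_password(password, plaintext):
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _derive_keys(password, salt)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag


def decrypt_with_password(password, blob):
    """Raises ValueError on a wrong password or tampered data: the tag check
    is what makes 'successful decryption' a meaningful test in step S22."""
    if len(blob) < 64:
        raise ValueError("decryption failed")
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = _derive_keys(password, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("decryption failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


# Constructed: each application issues accounts in its own recognisable format,
# so the server can choose the right credential list from the account alone (S21).
ACCOUNT_TABLES = {
    "wechat": {"prefix": "wx_", "credentials": {"wx_alice": "correct horse battery"}},
    "qq":     {"prefix": "qq_", "credentials": {"qq_10001": "hunter2"}},
}
OPEN_PLATFORM_APPIDS = {"wx1234567890abcdef"}   # constructed list of allocated appids


def lookup_password(account):
    for table in ACCOUNT_TABLES.values():
        if account.startswith(table["prefix"]):
            return table["credentials"].get(account)
    return None


def build_certification_request(account, password, appid, first_pubkey):
    """S18, first application side: the appid and the public key of the first key
    pair are encrypted under the password; the account information travels in the clear."""
    payload = json.dumps({"appid": appid, "pubkey": first_pubkey.hex()}).encode()
    return {"account": account, "auth_enc": encrypt_with_password(password, payload).hex()}


def authenticate(request):
    """Certificate server side, steps S21 to S24."""
    password = lookup_password(request["account"])                      # S21
    if password is None:
        return {"user_auth": False, "app_legit": False}
    try:
        payload = json.loads(decrypt_with_password(password, bytes.fromhex(request["auth_enc"])))
    except ValueError:
        return {"user_auth": False, "app_legit": False}                 # S22 failed
    app_legit = payload["appid"] in OPEN_PLATFORM_APPIDS                # S23 / S24
    # S25 would encrypt this result under payload["pubkey"] (RSA, not shown here).
    return {"user_auth": True, "app_legit": app_legit, "reply_pubkey": payload["pubkey"]}
```

Note that a wrong password, an unknown account and a flipped ciphertext byte all end in the same failure path; the caller cannot tell them apart, which is the right property for an authentication endpoint.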
S111: when the first application confirms from the legitimacy authentication result of the second application that the second application is legitimate, it sends an access token acquisition request to service server 21.
In this step, after the first application receives the authentication result, since the authentication result was encrypted with the public key of the first key pair that the first application sent to certificate server 11, the first application can decrypt it with the private key of the first key pair and obtain the legitimacy authentication result of the second application.
In one possible embodiment, if the legitimacy authentication result of the second application shows that the second application is legitimate, the first application can directly send an access token acquisition request to the service server 21 of the first application, i.e. execute step S112. This embodiment has a simple process while still guaranteeing security.
In another possible embodiment, to increase the security of the login process, the embodiment of the present invention proposes adding an intermediate server to the system for logging in to an application. When certificate server 11 returns the authentication result to the first application, it can carry an access permission voucher in the authentication result, indicating that the first application may access the intermediate server. The intermediate server performs further authentication and issues a license ticket to the first application, and only while carrying that license ticket can the first application send the access token acquisition request to its corresponding service server 21. This further guarantees the security of the login process; see Figs. 4a and 4b for details.
S112: after receiving the access token acquisition request, service server 21 sends an access token to the first application.
When service server 21 receives the access token acquisition request sent by the first application, it knows that certificate server 11 has passed the legitimacy authentication of the subscriber identity information and of the second application, and it can therefore send the access token to the first application.
Further, when the first application sends the access token acquisition request to service server 21, it can also pass the identification information of the second application to service server 21 together with the license ticket, so that service server 21 knows which second application it is allocating the access token for. Because several second applications may be using the information held for the same user on the service server 21 of one first application, the identification information of the second application is sent to service server 21 to tell the second applications apart. Service server 21 can then record the correspondence between the access tokens it has allocated and the identification information of the second applications, so that the next time it receives an access request from a second application on the terminal it can verify the access token of that second application quickly.
Preferably, when sending the access token to the first application, service server 21 can also send an openid that identifies the access token; access tokens and openids correspond one to one. For example, access token 1 allocated to second application 1 corresponds to openid1, and access token 2 allocated to second application 2 corresponds to openid2. When the second application sends an access request to service server 21 to obtain business data, it carries the openid of the access token, so service server 21 can quickly find the access token corresponding to that openid locally and compare it with the access token sent by the second application; if they are consistent, it returns the required business data to the second application.
S113: the first application sends the obtained access token to the second application.
Preferably, when the second application encrypts its identification information in step S13, it can also encrypt the public key of the fifth key pair it has obtained, producing the information to be verified, and send that information to be verified to the first application; the first application then also decrypts the public key of the fifth key pair when performing the decryption of step S15. To guarantee the security of sending the access token from the first application to the second application, the first application can send the access token and related information to the second application by the process shown in Fig. 3, illustrated here for the case where the first application obtains the access token, openid and encrytoken from service server 21, and comprising the following steps:
S1131: the first application encrypts the access token, openid and encrytoken with the public key of the fifth key pair to obtain ciphertext information.
Specifically, the fifth key pair can be generated locally by the second application on the terminal and stored locally on the terminal, or it can be generated on the server side. When it is generated locally, attention has to be paid to the security of its storage; when it is generated on the server side, the security of the server side is relatively high, so leakage of the key pair is not a concern there.
Preferably, when executing step S1131, the first application can write the obtained access token, openid and encrytoken into the pasteboard (pasteBoard) and store them under a name; in this step it then only needs to encrypt the name of the pasteboard holding the access token and the other information to obtain the ciphertext information, which it sends to the second application. The important data is thereby never transmitted directly.
S1132: the first application sends the ciphertext information to the second application.
In this step, a scheme jump can likewise be used to jump to the application interface of the second application. Specifically, when the second application sends the login request to the first application in step S14, besides the identification code it can also carry the address information of its login interface. The first application can generate a new identification code based on the received one and establish a correspondence between the new identification code and the address information of the login interface. When the ciphertext information needs to be sent to the second application, the first application determines the address of the login interface from the new identification code and jumps by scheme to the login interface of the second application at that address, thereby sending the ciphertext information to the second application quickly and conveniently.
S1133: the second application decrypts the ciphertext information with the private key of the fifth key pair and obtains the access token, openid and encrytoken.
After the second application receives the ciphertext information, if the fifth key pair is stored locally it can take the private key of the fifth key pair from local storage and decrypt the ciphertext information, thereby obtaining the access token and the other information. If the fifth key pair was generated and stored on the server side, the second application can send the ciphertext information to the server, which decrypts it to obtain the access token and the other information and sends them to the second application.
Preferably, when the received ciphertext information decrypts to the name of the pasteboard holding the access token and the other information, the second application finds the corresponding pasteboard by that name and reads the access token and the other information from it.
Specifically, once the second application holds the access token, the service server 21 of the first application has completed authorizing the second application; whenever the second application needs the user's business data on service server 21, it can obtain it by carrying the access token.
Preferably, the fifth key pair can be generated with the asymmetric encryption algorithm RSA, which increases the difficulty of cracking and improves the security of data transmission.
S114: the second application sends a business data acquisition request to service server 21, carrying the access token.
In this step, the second application can use the access token to access the business data that the user has stored on the service server 21 of the first application.
When obtaining business data with the access token, the second application can encrypt the identifiers of the information it needs together with the access token and the openid using encrytoken, and send the encrypted information to service server 21.
After service server 21 receives the encrypted information, it decrypts it with the private key of encrytoken and obtains the identifiers of the information the second application needs together with the access token. Having decrypted the access token and the other information, service server 21 first uses the openid to look up the stored access token locally; if the stored access token is consistent with the decrypted one, it uses the openid to look up the expire_in corresponding to the access token and checks the validity of the access token against that expire_in. If the token is within its validity period, service server 21 looks up the information corresponding to the decrypted identifiers. When returning the information corresponding to the identifiers to the second application, service server 21 also encrypts it with the private key of encrytoken, which guarantees the safety of the information in both directions of transmission and prevents leakage of the business data the user has stored on service server 21. After receiving the returned business data, the second application decrypts the returned information with the public key of encrytoken and obtains the business data it needs. Note that data encrypted under the private key of encrytoken can be recovered by anyone who holds the corresponding public key, so the confidentiality of the returned business data rests on that public key reaching only the second application, which is why step S1131 delivers encrytoken under the public key of the fifth key pair rather than in the clear.
S115: service server 21 returns the user's business data to the second application and allows the user to use the business data when carrying out the business of the second application.
By implementing the method for logging in to an application provided by the present invention, the first application, on receiving the login request triggered by the second application for logging in with the subscriber identity information that the terminal user holds in the first application, shows the authorization login interface to the terminal user. After detecting the license confirmation that the terminal user triggers for the login request, and in order to guarantee the safety of the information in transit, it encrypts the identification information of the second application, carries the resulting authenticated encryption information together with the account information from the subscriber identity information in a certification request and sends it to certificate server 11; certificate server 11 authenticates the legitimacy of the second application and sends the authentication result to the first application. When the first application determines from the legitimacy authentication result of the second application that the second application is legitimate, it obtains an access token from the service server 21 of the first application and sends the obtained access token to the second application, which uses the access token to obtain the user's business data from service server 21 and lets the user use that business data when carrying out the business of the second application. Since the sensitive data is encrypted when the certification request is transmitted, the safety of the data in transit is guaranteed.
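As an added example (not code from the patent or from Tencent), the Python below is the service server side of steps S112, S114 and S116: it issues an access token with an openid and an expire_in, records which second application the token belongs to, and verifies a business data acquisition request by looking the token up via the openid, comparing it in constant time and checking expiry. The text encrypts the request under encrytoken; here encrytoken is treated as a shared secret that keys an HMAC over the request so the server can detect tampering, which is an assumption about its role. The token formats, the 7200 second lifetime, the sample business data and the injectable clock are constructed.

```python
import hashlib
import hmac
import secrets
import time

EXPIRE_IN = 7200  # seconds; constructed lifetime for the example


def _request_mac(encrytoken, openid, access_token, wanted):
    """HMAC over the fields of a business data acquisition request (S114)."""
    msg = "\0".join([openid, access_token] + sorted(wanted)).encode()
    return hmac.new(encrytoken, msg, hashlib.sha256).digest()


class ServiceServer:
    def __init__(self, now=time.time):
        self._now = now
        self._tokens = {}   # openid -> record for one second application
        # Constructed business data of one user registered with the first application.
        self._business_data = {"nickname": "alice", "avatar": "img-1",
                               "friend_list": ["bob"], "bank_transaction": "txn-9"}

    def issue_access_token(self, appid):
        """S112: allocate one access token per second application, identified by an openid."""
        openid = "o_" + secrets.token_hex(8)
        record = {
            "appid": appid,                               # which second application it was issued to
            "access_token": secrets.token_urlsafe(32),
            "encrytoken": secrets.token_bytes(32),
            "expire_at": self._now() + EXPIRE_IN,
        }
        self._tokens[openid] = record
        return {"openid": openid, "access_token": record["access_token"],
                "encrytoken": record["encrytoken"], "expire_in": EXPIRE_IN}

    def get_business_data(self, openid, access_token, wanted, mac):
        """S114/S116: verify openid, MAC, token and expiry; return the requested items or None."""
        record = self._tokens.get(openid)
        if record is None:
            return None
        if not hmac.compare_digest(_request_mac(record["encrytoken"], openid, access_token, wanted), mac):
            return None                      # request altered, or wrong encrytoken
        if not hmac.compare_digest(record["access_token"], access_token):
            return None                      # token is not the one recorded for this openid
        if self._now() > record["expire_at"]:
            return None                      # expire_in exceeded
        return {k: self._business_data[k] for k in wanted if k in self._business_data}


def sign_request(grant, wanted):
    """Second application side: the MAC it attaches to its request."""
    return _request_mac(grant["encrytoken"], grant["openid"], grant["access_token"], wanted)
```

Looking the record up by openid and then comparing the token, rather than using the token itself as the lookup key, follows the order the text gives for step S116; hmac.compare_digest keeps both comparisons constant time. A natural further check, which the text leaves to the implementer, is to restrict the returned items to the api list the user authorized in step S16.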
Preferably, the system of login application further includes intermediate server 31, with reference to shown in Fig. 4 a.The system of Fig. 4 a be Intermediate server 31 is extended in the system of Fig. 1 a.Wherein, led between user terminal and intermediate server 31 by network Letter connection, the network can be local area network, wide area network etc..User terminal can for portable equipment (such as: mobile phone, plate, notes This computer etc.), or PC (PC, Personal Computer).Based on the system for logging in application shown in Fig. 4 a In the interaction of each equipment room realize that the method for logging in application can be with reference to shown in Fig. 4 b.It should be noted that intermediate server 31 It participates in compared with realizing the process for logging in application process shown in Fig. 1 b, difference is the authentication result that certificate server 11 obtains Content it is different, therefore the process of subsequent execution is also corresponding different.Only different processes is illustrated in Fig. 4 b, as identical The process that can implement with reference to step S11~S19 in Fig. 1 b of part.
Preferably, the authentication result returned by the certificate server 11 to the first application further includes the encryption information of the legitimacy authentication result of the user identity information, of an access permission indication, and of the public key of the second key pair, where the access permission indication indicates that the user is allowed to access the intermediate server 31 with the user identity information of the first application.
In this step, after determining that the user identity information and the second application have both passed authentication, the certificate server 11 sends the first application an indication that the user may access the intermediate server 31 through the first application. This indication is equivalent to a ticket: once the first application holds it, it may access the intermediate server 31. To avoid data leakage in transit, the certificate server 11 can encrypt the access permission indication with the public key of the first key pair decrypted in step S22 and obtain the authentication result from that. Even if the authentication result is stolen in transit, the stealing party, not knowing the decryption algorithm and the private key needed for decryption, cannot obtain the access permission indication information, which also prevents the stealing party from stealing the information the user registered on the service server 21 of the first application.
Further, the access permission indication sent to the first application informs the first application that it may access the intermediate server 31. Thus, when the first application permits the second application to access the business data recorded on the service server 21, it must send a request to the intermediate server 31, and this transmission is also very likely to be monitored. Therefore, to guarantee the safety of the data transmitted between the first application and the intermediate server 31, when the certificate server 11 sends the authentication result and related information to the first application, it can encrypt the public key of the second key pair with the public key of the first key pair and carry it in the authentication result sent to the first application.
Because the data transmitted between the certificate server 11 and the first application is encrypted, and the encryption public key is the public key of the first key pair obtained by the legitimate first application, even if a forged application exists, it does not know the decryption algorithm and cannot obtain the private key of the first key pair; if the forged application steals the authentication result returned by the certificate server 11, it cannot decrypt it, so the safety of the data in transit is increased. Further, since the forged application cannot decrypt the access license ticket, it cannot carry out the subsequent process either, which also prevents leakage of the information the user stores on the service server 21.
S31: the first application decrypts the received authentication result with the private key of the first key pair and obtains the access permission indication.
After decrypting the authentication result issued by the certificate server 11, the first application can obtain the legitimacy authentication result of the user identity information, the legitimacy authentication result of the second application, the access permission indication and the public key of the second key pair. If it determines that both legitimacy authentication results are "authentication passed", it can use the access permission indication to obtain, from the intermediate server 31, the license ticket for accessing the service server 21.
S32: the first application encrypts the access permission indication with the decrypted public key of the second key pair and obtains credential encryption information.
In this step, after obtaining the access permission indication, the first application in the terminal encrypts it with the public key of the second key pair decrypted in step S31, obtaining the credential encryption information, so that the access permission indication is not stolen in transit. Even if it is stolen in transit, the stealing party does not know the decryption algorithm and the decryption private key and cannot decrypt it successfully, which guarantees the safety of the data in transit.
S33: the first application sends a credential acquisition request for accessing the service server 21 to the intermediate server 31; the credential acquisition request carries the credential encryption information.
S34: the intermediate server 31 receives the second key pair issued by the certificate server 11.
S35: the intermediate server 31 decrypts the credential encryption information carried in the received credential acquisition request with the private key of the second key pair, and verifies the decrypted access permission indication.
In steps S33 to S35, the first application in the terminal needs to obtain the license ticket for accessing the service server 21 and therefore sends the credential encryption information to the intermediate server 31; since what the intermediate server 31 receives is encrypted information, it needs to decrypt it. Specifically, when the certificate server 11 obtains the second key pair, in addition to sending the public key of the second key pair to the first application, it also sends the second key pair and the access permission indication it sent to the first application to the intermediate server 31, so that the intermediate server 31 can decrypt the credential encryption information with the private key of the second key pair and thereby obtain the access permission indication. After obtaining the access permission indication, the intermediate server 31 can compare the decrypted access permission indication with the access permission indication issued by the certificate server 11, and if they are consistent it determines that the access permission indication passes verification.
Further, when the first application sends the access permission indication to the intermediate server 31, it can also carry the legitimacy authentication results that the certificate server 11 gave for the user's user identity information and for the second application; when the intermediate server 31 determines that those authentication results are "authentication passed", the access permission indication passes verification.
It is worth noting that the transmission network between the certificate server 11 and the intermediate server 31 is an intranet, whose safety is relatively high; therefore the certificate server 11 does not need to encrypt the second key pair and the access permission indication when sending them to the intermediate server 31, and the safety of the data can still be guaranteed.
S36: if the intermediate server 31 verifies the access permission indication successfully, it encrypts the license ticket and the obtained public key of the third key pair with the private key of the second key pair, obtaining allowed-result encryption information.
Here the license ticket is issued by the intermediate server 31 for the first application.
It is worth noting that the intermediate server 31 issues a different license ticket for each different first application. For example, if the first application is the enterprise point application, the intermediate server 31 issues it a license ticket for accessing the service server corresponding to the enterprise point application; if the first application is the WeChat application, the intermediate server 31 issues it a license ticket for accessing the service server corresponding to WeChat.
After the intermediate server 31 determines in step S35 that the access permission indication passes verification, it can determine, for the first application, the license ticket with which it may access its corresponding service server 21.
To guarantee the safety of the license ticket transmitted downlink to the first application, the license ticket can be encrypted with the private key of the second key pair issued by the certificate server 11 and then sent to the first application.
Further, after obtaining the license ticket, the first application can send an access token acquisition request to its corresponding service server 21; to guarantee the safety of the data transmitted between the first application and the service server 21, the service server 21 can encrypt the public key of the locally generated third key pair together with the license ticket, whereby the subsequent transmission safety between the first application and the service server 21 can be guaranteed.
S37: the intermediate server 31 carries the allowed-result encryption information in a credential acquisition result and sends it to the first application.
S38: after the first application successfully decrypts, with the public key of the second key pair, the allowed-result encryption information carried in the received credential acquisition result, it can encrypt the license ticket with the decrypted public key of the third key pair and obtain access permission encryption information.
In this step, after obtaining the allowed-result encryption information, the first application can decrypt it with the public key of the second key pair decrypted in step S31 and thus obtain the license ticket for accessing the service server 21. To guarantee the safety of the license ticket transmitted to the service server 21, the first application can encrypt the license ticket with the decrypted public key of the third key pair, obtaining the access permission encryption information. Even if the access permission encryption information is stolen in transit, the stealing party, not knowing the decryption algorithm and the decryption key, cannot decrypt it successfully, which guarantees the safety of the license ticket.
S39: the first application carries the access permission encryption information in an access token acquisition request and sends the access token acquisition request to the service server 21.
In this step, the first application sends the encrypted access permission encryption information to the service server 21 corresponding to the first application, which avoids leakage of the information in transit.
S310: after receiving the access token acquisition request, the service server 21 decrypts the access permission encryption information in the access token acquisition request with the private key of the third key pair issued by the intermediate server 31, obtaining the license ticket.
In this step, since the access permission encryption information was encrypted with the public key of the third key pair generated by the intermediate server 31, and the intermediate server 31 sent the public key of the third key pair to the first application in step S36, the intermediate server 31 can send the third key pair and the determined license ticket to the service server 21. Since transmission between the servers is intranet transmission, whose safety is relatively high, the third key pair and the determined license ticket need not be transmitted encrypted, and their safety can still be guaranteed.
After the service server 21 receives the third key pair issued by the intermediate server 31, it decrypts the access permission encryption information with the private key of the third key pair and can obtain the license ticket.
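The envelope chain of steps S31 to S310 is easiest to follow when each hop is written out with the key that seals it and the key that opens it. The following is an added worked example, not code from the patent or from the applicant: it models the three key pairs with a deliberately small textbook RSA built on fixed Mersenne primes (a toy, not a production cipher), lets the certificate server generate the second key pair and the intermediate server generate the third key pair and hand it to the service server over the intranet, as the explanation of step S310 describes, and uses constructed placeholder values for the access permission indication and the license ticket. Party names, the JSON message layout and the 8-byte block scheme are all assumptions of the example.

```python
"""Toy model of the hop-by-hop envelopes of steps S31 to S310 (added example)."""
import json
import time

# Textbook RSA on fixed Mersenne primes: a TOY for tracing the protocol, not a real cipher.
E = 65537
MERSENNE = {k: 2**k - 1 for k in (31, 61, 89, 107, 127, 521)}   # all prime


def make_keypair(p, q):
    """Return (public, private) as (exponent, modulus) tuples."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (E, n), (pow(E, -1, phi), n)


def rsa_apply(data: bytes, key) -> list:
    """Apply the key's exponent block-wise. With the private exponent this is the
    patent's 'encrypt with the private key' step; with the public exponent it is
    ordinary encryption. A 0x01 guard byte preserves the length of each block."""
    exp, n = key
    return [pow(int.from_bytes(b"\x01" + data[i:i + 8], "big"), exp, n)
            for i in range(0, len(data), 8)]


def rsa_recover(blocks, key) -> bytes:
    exp, n = key
    out = b""
    for c in blocks:
        m = pow(c, exp, n)
        out += m.to_bytes((m.bit_length() + 7) // 8, "big")[1:]   # drop the guard byte
    return out


def seal(obj, key):
    return rsa_apply(json.dumps(obj).encode(), key)


def open_(blocks, key):
    return json.loads(rsa_recover(blocks, key).decode())


def run_flow(now=None):
    """Walk S31..S310 and report what the service server ends up holding."""
    now = int(time.time()) if now is None else now
    pk1, sk1 = make_keypair(MERSENNE[31], MERSENNE[61])     # first key pair: first app
    pk2, sk2 = make_keypair(MERSENNE[89], MERSENNE[107])    # second key pair: certificate server
    pk3, sk3 = make_keypair(MERSENNE[127], MERSENNE[521])   # third key pair: intermediate server

    # Certificate server: authentication result sealed with pk1 (placeholder permit value).
    access_permit = "ALLOW:first-app:user-demo"
    auth_result = seal({"user_ok": True, "app_ok": True,
                        "permit": access_permit, "pk2": pk2}, pk1)
    # Intranet hand-off, unencrypted as the text states: key pair 2 and the permit.
    intermediate = {"sk2": sk2, "issued_permit": access_permit, "pk3": pk3, "sk3": sk3}

    # S31: the first app opens the authentication result with sk1 and checks both results.
    res = open_(auth_result, sk1)
    if not (res["user_ok"] and res["app_ok"]):
        raise PermissionError("user or second application failed authentication")
    pk2_recv = tuple(res["pk2"])
    # S32/S33: the permit sealed with pk2 becomes the credential acquisition request.
    cred_enc = seal({"permit": res["permit"]}, pk2_recv)

    # S35: the intermediate server opens with sk2 and compares against the issued permit.
    if open_(cred_enc, intermediate["sk2"])["permit"] != intermediate["issued_permit"]:
        raise PermissionError("access permission indication mismatch")
    # S36/S37: license ticket (with its generation timestamp) and pk3, sealed with sk2.
    ticket = {"id": "ticket-demo-0001", "ts": now}            # constructed sample ticket
    allowed_result = seal({"ticket": ticket, "pk3": intermediate["pk3"]}, intermediate["sk2"])
    business = {"sk3": intermediate["sk3"], "issued_ticket": ticket}   # intranet hand-off

    # S38/S39: the first app opens with pk2 and re-seals the ticket with pk3.
    ar = open_(allowed_result, pk2_recv)
    pk3_recv = tuple(ar["pk3"])
    access_perm_enc = seal(ar["ticket"], pk3_recv)

    # S310: the service server recovers the ticket with sk3 (verification follows in S311).
    ticket_at_business = open_(access_perm_enc, business["sk3"])
    return {"ticket_at_business": ticket_at_business,
            "issued_ticket": business["issued_ticket"],
            "pk3_intact": pk3_recv == pk3}


if __name__ == "__main__":
    print(run_flow())
```

Tracing the hops this way makes the key custody explicit: the only private keys the first application ever holds are its own, and each downlink envelope (S36, S312) is sealed with a server-side private key. In standard RSA a value sealed with a private key can be opened by anyone holding the matching public key, so those downlink steps provide origin authentication rather than confidentiality; the example models them exactly as the text describes.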
S311: if the service server 21 verifies the license ticket successfully, it distributes a unique access token for the second application.
Specifically, after obtaining the license ticket, the service server 21 can verify the license ticket according to the method shown in Fig. 5, which may include the following steps:
S41: determine whether the license ticket issued by the intermediate server 31 is consistent with the decrypted license ticket; if consistent, execute step S42, otherwise execute step S45.
The service server 21 determines whether the license ticket for the first application issued by the intermediate server 31 is identical to the license ticket sent by the first application; if they are the same, the license ticket is legitimate and genuine, and step S42 is executed.
S42: extract the timestamp in the license ticket.
To protect the safety of the user identity information, a requirement is placed on the timeliness of the license ticket. Therefore, after receiving the license ticket, even if it is legitimate, its timeliness still needs to be verified, so the timestamp, which is the generation time of the license ticket, is extracted from the license ticket.
S43: determine whether the timestamp is within the validity period; if so, execute step S44, otherwise execute step S45.
After obtaining the generation time of the license ticket in step S42, it can be determined whether the timestamp is within the validity period. Specifically, it can be judged whether the timestamp is less than the current system time; if so, the time difference between the timestamp and the current system time is further determined, and it is judged whether that time difference is less than a preset threshold: if so, the timestamp is determined to be within the validity period, otherwise the timestamp is determined to have expired. If the license ticket were valid indefinitely, an undesirable party who spent the time to crack and obtain it could also access the service server 21, which carries the risk of information leakage; once a validity period is set, even if the undesirable party cracks and obtains the license ticket, the license ticket may no longer be valid by the time it is obtained, which likewise guarantees the safety of the user's business data recorded on the service server 21.
S44: determine that the license ticket passes verification.
When the license ticket sent by the terminal is consistent with the license ticket issued by the intermediate server 31, and the timestamp of the license ticket is within the validity period, it is determined that the license ticket passes verification.
S45: determine that the license ticket fails verification.
If the judgment result of step S41 or step S43 is "no", this indicates that the license ticket fails verification.
Further, after the license ticket sent by the first application passes verification at the service server 21, the second application can be permitted to access the information the user stores on the service server 21 through the first application; for this, an access token is distributed to the second application. Once the second application holds the access token, it may access the information recorded on the service server 21.
It should be noted that when the first application sends the access token acquisition request to the service server, it can likewise carry the identification information of the second application; its particular use can refer to the description of step S112 and is not repeated here. Similarly, when returning the access token to the first application, the service server can also send an openid that identifies the access token; the use of the openid likewise refers to step S112 and is not described in detail here.
S312: the service server 21 encrypts the access token with the private key of the third key pair, obtaining access permission result information.
In this step, to guarantee the safety of the data transmitted downlink from the service server 21 to the first application, when sending the access token the service server 21 can encrypt it with the private key of the third key pair obtained from the intermediate server 31, obtaining the access permission result information. Even if the access permission result information is stolen in transit, the stealing party, not knowing the decryption algorithm and the decryption key, cannot decrypt it successfully, so it cannot use the access token to obtain the user's business data stored on the service server 21, and the user's business data cannot be leaked.
Further, if the service server 21 has sent an openid to the second application, the openid can also be encrypted together with the access token.
Further, to guarantee the safety of the transmission link between the second application and the service server 21, the service server 21 can send an encryption token encrytoken to the second application via the first application, encrypting the encryption token together with the openid and the access token before sending it to the second application, so that when the second application sends data to the service server 21 it first encrypts the data with the encryption token, whereby the safety of the data can be guaranteed.
Preferably, the access token also has a validity period: when distributing the access token for the second application, the service server 21 also sets a validity-period evaluation parameter expire_in for the access token, so that when the second application later carries the access token to the service server 21 to obtain business data, the validity of the access token is verified with expire_in. The specific process can refer to the process of verifying the license ticket and is not repeated here. In addition, existing validity verification methods can also be used in the embodiments of the present invention; the invention does not limit this.
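The service server's checks in steps S41 to S45, and the expire_in check on the access token that the preceding paragraph says follows the same pattern, can be written as one small verifier. This is an added example, not the patent's or the applicant's code; the ticket and token field names (`id`, `ts`, `issued_at`, `expire_in`) and the `Verdict` record are assumptions of the example, and the validity threshold is passed in as a parameter because the text only calls it a preset value.

```python
"""License-ticket and access-token validity checks of Fig. 5 and expire_in (added example)."""
import secrets
from dataclasses import dataclass


@dataclass
class Verdict:
    ok: bool
    step: str      # the step of Fig. 5 that decided the outcome (S44 or S45)
    reason: str


def verify_license_ticket(issued_ticket: dict, received_ticket: dict,
                          now: int, validity_period: int) -> Verdict:
    """Steps S41..S45: consistency with the ticket issued by the intermediate
    server, then timeliness of the generation timestamp against `now`."""
    # S41: the ticket decrypted from the request must equal the issued one.
    if issued_ticket != received_ticket:
        return Verdict(False, "S45", "ticket differs from the one issued by the intermediate server")
    # S42: extract the generation timestamp.
    ts = received_ticket["ts"]
    # S43: the text phrases this as "timestamp less than the current system time";
    # a ticket generated in the current second is accepted here (assumption).
    if ts > now:
        return Verdict(False, "S45", "generation timestamp lies in the future")
    if now - ts >= validity_period:
        return Verdict(False, "S45", "ticket older than the preset validity period")
    # S44
    return Verdict(True, "S44", "ticket consistent and within its validity period")


def issue_access_token(openid: str, now: int, expire_in: int) -> dict:
    """S311/expire_in: a unique token for the second application with its validity window."""
    return {"access_token": secrets.token_hex(16), "openid": openid,
            "issued_at": now, "expire_in": expire_in}


def access_token_valid(token: dict, now: int) -> bool:
    """The same timeliness rule applied to the token's expire_in window."""
    return token["issued_at"] <= now < token["issued_at"] + token["expire_in"]


if __name__ == "__main__":
    issued = {"id": "ticket-demo-0001", "ts": 1_700_000_000}   # constructed sample ticket
    print(verify_license_ticket(issued, dict(issued), 1_700_000_300, 600))
    print(verify_license_ticket(issued, dict(issued), 1_700_001_000, 600))
    tok = issue_access_token("openid-demo", 1_700_000_000, 7200)
    print(access_token_valid(tok, 1_700_003_600), access_token_valid(tok, 1_700_008_000))
```

Returning the deciding step together with the reason keeps the verifier's outcome auditable: a server log of "S45: ticket older than the preset validity period" distinguishes a replayed ticket from a forged one, which is the difference the patent's validity period is meant to create.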
S313: the service server 21 sends the access permission result information to the first application.
In this step, the service server 21 sends the access permission result information encrypted in step S312 to the first application; even if the access permission result information is stolen, the stealing party cannot obtain the decryption algorithm and the decryption key and therefore cannot decrypt it successfully, which guarantees the safety of the information in transit.
S314: the first application decrypts the received access permission result information with the public key of the third key pair, obtaining the access token.
After obtaining the access permission result information, the first application can decrypt it with the public key of the third key pair decrypted in step S38, and after successful decryption can extract the access token. If the openid and encrytoken were also encrypted in step S312, the openid and encrytoken can be decrypted in this step as well.
S315: the first application sends the decrypted access token to the second application.
The implementation of this step can refer to step S113 and is not described in detail here.
S316: the second application obtains the user's business data from the service server 21 according to the access token.
Specifically, if the second application wants to obtain the buddy list that the user recorded on the service server 21 through the first application, and the buddy list is identified by the mark "1", then the mark "1", the access token and the openid are encrypted with the public key of encrytoken and sent to the service server 21. After receiving this information, the service server 21 first decrypts it with the private key of encrytoken; after successful decryption it verifies the access token with the openid according to the description of step S114, and after verification passes it determines, according to the mark "1", the buddy list the user recorded on the service server 21; it then encrypts the buddy list with the private key of encrytoken and sends the encrypted buddy list to the second application.
S317: the second application logs in to the server 41 of the second application with the access token and the business data.
In this step, when the second application logs in to its corresponding server 41 with the access token and the business data, it can call the third-party login interface of the second application to send a login request to the server 41; the login request carries the access token, the openid, the business data and similar information. The server 41 can obtain the user identity information of the first application through the third-party application interface (API), then automatically create an account that meets the second application's requirements for an account and initialise the created account with the business data, which may be, but is not limited to, an avatar and a nickname; at the same time it returns to the second application a piece of user identity information containing the nickname, the avatar and so on, which indicates that the second application has successfully logged in to its own server 41.
Step S317 is only an exemplary embodiment; the second application can also use the business data obtained from the service server 21 to perform other operations, which are not enumerated here.
In addition, the present invention separates the certificate server, the service server and the intermediate server; it is only necessary to add the corresponding permission in the SDK of the second application in the terminal for the second application to develop more functions of the first application, which gives strong scalability.
Preferably, the first application can be, but is not limited to, WeChat, QQ and the enterprise point application.
Preferably, the first, second and third key pairs in the embodiments of the present invention can be obtained with the asymmetric RSA algorithm or with the md5 algorithm.
In the method for logging in to an application provided by the embodiments of the present invention, encrypted data is transmitted between the first application and the certificate server, the intermediate server and the service server; even if a stealing party obtains the encrypted data, it cannot decrypt it because it cannot learn the decryption algorithm and the decryption key, which improves the safety of the transmission link and in turn guarantees the safety of the user identity information.
Based on the same inventive concept, the embodiments of the present invention also provide a terminal-side device for logging in to an application. Since the principle by which this device solves the problem is similar to that of the terminal-side method of logging in to an application, the implementation of the device can refer to the implementation of the method, and repetition is omitted.
Fig. 6 is a structural schematic diagram of the terminal-side device for logging in to an application provided by the embodiments of the present invention, which includes:
an acquiring unit 51, for obtaining the user's permission confirmation for logging in to the second application, the permission confirmation indicating that the user allows the second application to be logged in with the user identity information of the first application;
a first transmission unit 52, for sending an authentication request to the certificate server, the authentication request carrying the authenticated encryption information of the identification information of the second application;
a first receiving unit 53, for receiving the authentication result returned by the certificate server, the authentication result containing the encryption information of the legitimacy authentication result of the second application;
a second transmission unit 54, for sending an access token acquisition request to the service server when the second application is confirmed legitimate according to its legitimacy authentication result, and for sending the obtained access token to the second application, so that the second application obtains the user's business data from the service server with the access token and lets the user use the business data while carrying out the business of the second application.
Preferably, the user identity information includes account information and password information; and
the authenticated encryption information is the encryption information obtained by encrypting the identification information of the second application and the public key of the first key pair with the password information.
Preferably, the authentication result also includes the encryption information of the access permission indication and of the public key of the second key pair, the access permission indication indicating that the user is allowed to access the intermediate server with the user identity information of the first application; and the device further includes:
a third transmission unit, for sending, before the second transmission unit sends the access token acquisition request to the service server, a credential acquisition request for accessing the service server to the intermediate server, the credential acquisition request carrying credential encryption information obtained by encrypting the access permission indication with the public key of the second key pair, where the public key of the second key pair and the access permission indication are obtained by decrypting the authentication result with the private key of the first key pair;
a second receiving unit, for receiving the credential acquisition result sent by the intermediate server, the credential acquisition result carrying allowed-result encryption information, which the intermediate server obtains by decrypting the credential encryption information with the private key of the second key pair obtained from the certificate server, verifying the decrypted access permission indication, and then encrypting the license ticket and the public key of the third key pair with the private key of the second key pair;
a first processing unit, for decrypting the allowed-result encryption information with the public key of the second key pair, and encrypting the license ticket with the decrypted public key of the third key pair to obtain access permission encryption information;
a fourth transmission unit, for carrying the access permission encryption information in the access token acquisition request sent to the service server, so that after receiving the access token acquisition request the service server decrypts the access permission encryption information with the private key of the third key pair obtained from the intermediate server and, after verifying the license ticket, distributes the access token for the second application, encrypts the access token with the private key of the third key pair to obtain access permission result information, and sends the access permission result information to the first application.
Optionally, the device further includes:
a second processing unit, for decrypting, after the access permission result information is received and before the second transmission unit sends the access token to the second application, the access permission result information with the public key of the third key pair to obtain the access token.
Preferably, the device further includes:
a third processing unit, for receiving, before the acquiring unit obtains the user's permission confirmation for logging in to the second application, a key acquisition request sent by the second application; sending the public key of the fourth key pair to the second application, so that the second application encrypts its identification information with the public key of the fourth key pair and carries the resulting information to be verified in a login request sent to the first application; and, after the login request is received, decrypting the information to be verified with the private key of the fourth key pair to obtain the identification information of the second application.
Preferably, the information to be verified further includes the encryption information of the public key of the fifth key pair; and
the second transmission unit is specifically for encrypting the access token with the decrypted public key of the fifth key pair to obtain password information, and sending the password information to the second application.
For convenience of description, the above parts are divided by function into modules (or units) and described separately. Of course, when implementing the present invention, the functions of the modules (or units) can be realised in the same or in multiple pieces of software or hardware.
As shown in fig. 7, the structural representation of the device for the login application of certificate server side provided in an embodiment of the present invention Figure, comprising:
Authentication unit 61, after the certification request of the first application transmission in receiving terminal, to the certification request The identification information of the second application is authenticated in the terminal of middle carrying;
Transmission unit 62, for the first application return authentication as a result, including in terminal the in the authentication result The encryption information of the legitimacy authentication result of two applications, so that first application is authenticated according to the legitimacy of second application When as a result confirming that second application is legal, the access that sends access token acquisition request to service server, and will acquire is enabled Board is sent to the second application, so that described second obtains the industry of user using the access token from the service server Business data simultaneously allow user to use the business datum when carrying out the business of second application;Wherein the certification request is Described first applies and sends after the license confirmation for getting user and logging in the second application, and the license confirmation is used to indicate use The subscriber identity information that family allows to apply using described first logs in second application.
Optionally, the subscriber identity information includes account information and encrypted message, and the authenticated encryption information further includes The encryption information of the public key of the first key centering of acquisition;And
The transmission unit 62, specifically for according to the account information of storage and the corresponding relationship of encrypted message, determination is recognized The corresponding encrypted message of account information carried in card request;According to the encrypted message, if to the authenticated encryption information solution Close success, it is determined that subscriber identity information certification is passed through;And the identification information of the decrypt second application is sent to Open platform;And the open platform is received to the legitimacy authentication result of second application;Utilize first decrypted Legitimacy authentication result, the authentication result of the subscriber identity information, access of the public key of cipher key pair to second application The public key of license instruction and the second cipher key pair is encrypted, and obtains authentication result.
For convenience of description, each of the above parts is divided by function and described as a separate module (or unit). Of course, when implementing the present invention, the functions of the modules (or units) may be implemented in one or more pieces of software or hardware.
As shown in Fig. 8, a structural schematic diagram of the device for logging in an application on the service server side provided in an embodiment of the present invention, comprising:
Receiving unit 71, configured to receive the access token acquisition request sent by the first application in the terminal;
Transmission unit 72, configured to send an access token to the first application, so that the first application sends the acquired access token to the second application, and the second application obtains the user's business data from the service server using the access token and allows the user to use the business data when performing the business of the second application, wherein the access token acquisition request is sent by the first application when it confirms, according to the legitimacy authentication result of the second application returned by the authentication server, that the second application is legal.
Optionally, the access token acquisition request carries a license ticket; and the device further includes:
Processing unit, configured to verify the license ticket before the transmission unit sends the access token to the first application.
Further, the license ticket carries a timestamp, the timestamp being used to indicate the generation time of the license ticket; and
The processing unit is specifically configured to determine whether the license ticket obtained from the intermediate server is consistent with the license ticket carried in the access token acquisition request; if they are consistent, extract the timestamp from the license ticket, and if the timestamp is determined to be within the validity period, determine that the license ticket is verified.
Based on the same inventive concept, an embodiment of the present invention provides a user terminal, whose structural schematic diagram may be as shown in Fig. 9. The user terminal provided by the present invention may be, but is not limited to, a mobile phone, a tablet computer, etc. The user terminal may include: memory 81, input module 82, sending module 83, receiving module 84, output module 85, wireless communication module 86, processor 87, etc. Specifically:
Memory 81 may include read-only memory (ROM) and random access memory (RAM), and provides processor 87 with the program instructions and data stored in memory 81. Memory 81 may also store the operating system of the user terminal, application programs (Application, APP) (for example, a reading APP), modules, and various data used by the user terminal.
Input module 82 may include a keyboard, mouse, touch screen, etc., for receiving numeric or character information or touch operations input by the user, and for generating key signal input related to the user settings and function control of the user terminal. For example, in the embodiment of the present invention, input module 82 may receive the click operation performed by the user on the login interface that the first application displays to the user.
Sending module 83 may provide the interface between the user terminal and the server.
Receiving module 84 likewise provides the interface between the user terminal and the server.
Output module 85 may include a display module, such as a liquid crystal display (Liquid Crystal Display, LCD), a cathode ray tube (Cathode Ray Tube, CRT), etc., where the display module may be used to display information input by the user or information provided to the user, as well as the various menus and user interfaces of the user terminal or of the payment platform. For example, in the embodiment of the present invention, it may be used to display to the user the login interface of the first application and the authorization login interface of the second application.
Wireless communication module 86 includes, but is not limited to, a Wireless Fidelity (wireless fidelity, WiFi) module, a Bluetooth module, an infrared communication module, etc.
Processor 87 is the control center of the user terminal. It connects the various parts of the entire user terminal through various interfaces and lines, and performs the various functions of the user terminal and processes data by running or executing the software programs and/or modules stored in memory 81 and calling the data stored in memory 81, thereby monitoring the user terminal as a whole.
Of course, the structure of the user terminal shown in Fig. 9 is only one example; it may include more or fewer components than illustrated, combine certain components, or have a different arrangement of components.
Having described the method, system and related devices for logging in an application according to the exemplary embodiments of the present invention, a computing device according to another exemplary embodiment of the present invention is introduced next.
Those skilled in the art will understand that various aspects of the present invention may be implemented as a system, a method or a program product. Therefore, various aspects of the present invention may be embodied in the following forms, namely: an entirely hardware embodiment, an entirely software embodiment (including firmware, microcode, etc.), or an embodiment combining hardware and software aspects, which may be collectively referred to herein as a "circuit", "module" or "system".
In some possible embodiments, a computing device according to the present invention may include at least one processing unit and at least one storage unit. The storage unit stores program code which, when executed by the processing unit, causes the processing unit to perform the steps of the method for logging in an application according to the various exemplary embodiments of the present invention described above in this specification. For example, the processing unit may perform the process implemented by the authentication server 11 in steps S11 to S115 shown in Fig. 1b, or the process implemented by the service server 21 in steps S11 to S115, or the process implemented by the authentication server 11 in steps S31 to S317 shown in Fig. 4b, or the process implemented by the service server 21 in steps S31 to S317.
The computing device 91 according to this embodiment of the present invention is described below with reference to Fig. 10. The computing device 91 shown in Fig. 10 is only an example and should not impose any limitation on the functions and scope of use of the embodiments of the present invention.
As shown in Fig. 10, computing device 91 is represented in the form of a general-purpose computing device. The components of computing device 91 may include, but are not limited to: the at least one processing unit 911 mentioned above, the at least one storage unit 912 mentioned above, and a bus 913 connecting the different system components (including storage unit 912 and processing unit 911).
Bus 913 represents one or more of several types of bus structures, including a memory bus or memory controller, a peripheral bus, a processor bus, or a local bus using any of a variety of bus structures.
Storage unit 912 may include readable media in the form of volatile memory, such as random access memory (RAM) 9121 and/or cache memory 9122, and may further include read-only memory (ROM) 9123.
Storage unit 912 may also include a program/utility 9125 having a set of (at least one) program modules 9124. Such program modules 9124 include, but are not limited to: an operating system, one or more application programs, other program modules and program data, each of which, or some combination of which, may include an implementation of a network environment.
Computing device 91 may also communicate with one or more external devices 914 (such as a keyboard, pointing device, etc.), with one or more devices that enable a user to interact with computing device 91, and/or with any device (such as a router, modem, etc.) that enables computing device 91 to communicate with one or more other computing devices. Such communication may take place through input/output (I/O) interfaces 915. Further, computing device 91 may communicate with one or more networks (such as a local area network (LAN), a wide area network (WAN) and/or a public network such as the Internet) through network adapter 916. As shown, network adapter 916 communicates with the other modules of computing device 91 through bus 913. It should be understood that, although not shown in the drawings, other hardware and/or software modules may be used in conjunction with computing device 91, including but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, data backup storage systems, etc.
In some possible embodiments, the various aspects of the method for logging in an application provided by the present invention may also be implemented in the form of a program product comprising program code which, when the program product is run on a computer device, causes the computer device to perform the steps of the method for logging in an application according to the various exemplary embodiments of the present invention described above in this specification. For example, the computer device may perform the process implemented by the authentication server 11 in steps S11 to S115 shown in Fig. 1b, or the process implemented by the service server 21 in steps S11 to S115, or the process implemented by the authentication server 11 in steps S31 to S317 shown in Fig. 4b, or the process implemented by the service server 21 in steps S31 to S317.
The program product may employ any combination of one or more readable media. A readable medium may be a readable signal medium or a readable storage medium. A readable storage medium may be, for example, but is not limited to, an electrical, magnetic, optical, electromagnetic, infrared or semiconductor system, apparatus or device, or any combination of the above. More specific examples (a non-exhaustive list) of readable storage media include: an electrical connection having one or more wires, a portable disk, a hard disk, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fiber, portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the above.
The program product for the method of logging in an application according to embodiments of the present invention may employ a portable compact disc read-only memory (CD-ROM) and include program code, and may be run on a computing device. However, the program product of the present invention is not limited thereto; in this document, a readable storage medium may be any tangible medium that contains or stores a program for use by or in connection with an instruction execution system, apparatus or device.
A readable signal medium may include a data signal propagated in baseband or as part of a carrier wave, carrying readable program code. Such a propagated data signal may take various forms, including, but not limited to, an electromagnetic signal, an optical signal, or any suitable combination of the above. A readable signal medium may also be any readable medium other than a readable storage medium that can send, propagate or transmit a program for use by or in connection with an instruction execution system, apparatus or device.
Program code contained on a readable medium may be transmitted using any suitable medium, including, but not limited to, wireless, wired, optical cable, RF, etc., or any suitable combination of the above.
Program code for performing the operations of the present invention may be written in any combination of one or more programming languages, including object-oriented programming languages such as Java and C++, as well as conventional procedural programming languages such as the "C" language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device and partly on a remote computing device, or entirely on the remote computing device or server. Where a remote computing device is involved, the remote computing device may be connected to the user's computing device through any kind of network, including a local area network (LAN) or a wide area network (WAN), or may be connected to an external computing device (for example, through the Internet using an Internet service provider).
It should be noted that although several units or sub-units of the device are mentioned in the above detailed description, this division is merely exemplary and not mandatory. In fact, according to embodiments of the present invention, the features and functions of two or more of the units described above may be embodied in one unit. Conversely, the features and functions of one unit described above may be further divided so as to be embodied by multiple units.
In addition, although the operations of the method of the present invention are described in a particular order in the drawings, this does not require or imply that these operations must be performed in that particular order, or that all of the operations shown must be performed to achieve the desired result. Additionally or alternatively, certain steps may be omitted, multiple steps may be merged into one step for execution, and/or one step may be decomposed into multiple steps for execution.
Those skilled in the art should understand that the embodiments of the present invention may be provided as a method, a system or a computer program product. Therefore, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the present invention may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to magnetic disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.
The present invention is described with reference to flowcharts and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the present invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, special-purpose computer, embedded processor or other programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce a device for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction device, the instruction device implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, such that a series of operational steps are performed on the computer or other programmable device to produce computer-implemented processing, so that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
Although preferred embodiments of the present invention have been described, those skilled in the art, once they know the basic inventive concept, may make additional changes and modifications to these embodiments. Therefore, the appended claims are intended to be interpreted as including the preferred embodiments and all changes and modifications that fall within the scope of the present invention.
Obviously, those skilled in the art can make various changes and modifications to the present invention without departing from the spirit and scope of the present invention. Thus, if these modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalent technologies, the present invention is also intended to include these modifications and variations.

Claims (15)

1. a kind of method for logging in application characterized by comprising
First application obtains the license confirmation that user logs in the second application, and the license confirmation, which is used to indicate user, to be allowed using institute The subscriber identity information for stating the first application logs in second application;
First application sends certification request to certificate server and receives the authentication result that the certificate server returns, described to recognize Card request carries the authenticated encryption information of the identification information of second application, includes second application in the authentication result Legitimacy authentication result encryption information;
When first application is legal according to legitimacy authentication result confirmation second application of second application, to business service Device sends access token acquisition request, and the access token that will acquire is sent to the second application so that described second using The access token obtains the business datum of user from the service server and user is allowed to carry out second application The business datum is used when business.
2. the method as described in claim 1, which is characterized in that the subscriber identity information includes account information and message in cipher Breath;And
The authenticated encryption information are as follows: identification information and first key centering using the encrypted message to second application The encryption information that is encrypted of public key.
3. method according to claim 2, which is characterized in that the authentication result also includes that access permission instruction and second are close The encryption information of the public key of key centering, the access permission instruction are used to indicate the user for allowing the user to utilize the first application Identity information accesses intermediate server;And
It is described to service server send access token acquisition request before, further includes:
First application sends the acquisition of credentials request of access service server to intermediate server, takes in the acquisition of credentials request With credentials encryption information, the credentials encryption information is to be indicated using the second cipher key pair public key the access permission It is encrypted, the public key of second cipher key pair and access permission instruction are to utilize the first key The private key of centering decrypts what the authentication result obtained;And
First application receives the acquisition of credentials of the intermediate server transmission as a result, carrying license in the acquisition of credentials result As a result encryption information, the allowed results encryption information are that intermediate server utilizes the second key pair obtained from certificate server In private key decrypt the credentials encryption information and to decrypt access permission instruction be verified after, utilize the second key pair In private key the public key of license ticket and third cipher key pair is encrypted;
First application is decrypted the allowed results encryption information using the public key of second cipher key pair, and utilizes solution The public key of close third cipher key pair out is encrypted the license ticket to obtain access permission encryption information;And
First application, which carries the access permission encryption information, is sent to business service in the access token acquisition request Device, so as to utilize the third obtained from intermediate server after the service server receives the access token acquisition request The access permission encryption information is decrypted in the private key of cipher key pair, and is verified to the license ticket Afterwards, the access token is distributed for second application, and the access token is carried out using the private key of third cipher key pair Encryption obtains access permission result information, and the access permission result information is sent to the first application.
4. method as claimed in claim 3, which is characterized in that before the access token is sent to the second application, also Include:
First applies after receiving the access permission result information, using the public key of the third cipher key pair to the visit It asks that allowed results information is decrypted, obtains the access token.
5. the method as described in Claims 1 to 4 is any, which is characterized in that the first application obtains user and logs in the second application Before license confirmation, further includes:
Receive the cipher key acquisition request that the second application is sent;
The public key of the 4th cipher key pair is sent to second application, so that second application utilizes the 4th cipher key pair Public key to it is described second application identification information be encrypted, and by obtained information to be verified carry in logging request In be sent to it is described first application;
After receiving logging request, the information to be verified is decrypted using the private key of the 4th cipher key pair, is obtained To the identification information of second application.
6. method as claimed in claim 5, which is characterized in that the information to be verified further includes the public key of the 5th cipher key pair Encryption information;And the access token is sent to the second application, it specifically includes:
The access token is encrypted using the public key of the 5th cipher key pair decrypted, obtains password information;And
The password information is sent to second application.
7. method as claimed in claim 6, which is characterized in that the 4th key pair is the first application generation, or Person is that the service server of the first application generates;5th key pair is the second application generation, or is second What the service server of application generated.
8. a kind of system for logging in application characterized by comprising certificate server and service server, in which:
Certificate server, for after the first application is sent in receiving terminal certification request, to being taken in the certification request The identification information of the second application is authenticated in the terminal of band, and to the first application return authentication as a result, the certification is tied Encryption information comprising the legitimacy authentication result of the second application in terminal in fruit, wherein the certification request is answered for described first Sent after the license confirmation for getting user and logging in the second application, the license confirmation be used to indicate user allow using The subscriber identity information of first application logs in second application;
Service server, for after receiving the access token acquisition request that first application is sent, Xiang Suoshu first to be answered With access token is sent, so that the access token that first application will acquire is sent to the second application, applied by described second The business datum of user is obtained from the service server using the access token and user is allowed to answer in progress described second The business datum is used when business, wherein the access token acquisition request is first application according to the certification The legitimacy authentication result for second application that server returns confirms to be sent when second application is legal.
9. system as claimed in claim 8, which is characterized in that the system also includes intermediate servers;And the certification As a result the encryption information of the public key in also comprising access permission instruction and the second cipher key pair, the access permission instruction is for referring to Showing allows the user to access intermediate server using the subscriber identity information of the first application;And
The intermediate server, in the acquisition of credentials request for receiving the access service server that first application is sent Afterwards, the credentials encryption information is decrypted and the visit to decrypting using the private key of the second cipher key pair obtained from certificate server After asking that license instruction is verified, the public key of license ticket and third cipher key pair is carried out using the private key of the second cipher key pair Encryption obtains allowed results encryption information;And the allowed results encryption information is carried and is sent in acquisition of credentials result To the first application, wherein the public key of second cipher key pair and access permission instruction are described in first application utilizes The private key of first key centering decrypts what the authentication result obtained;
The service server, specifically for being obtained using from intermediate server after receiving the access token acquisition request The access permission encryption information carried in the access token acquisition request is decrypted in the private key of the third cipher key pair obtained Processing distributes the access token for second application and after being verified to the license ticket decrypted, and utilizes the The private key of three cipher key pairs is encrypted the access token to obtain access permission result information, by the access permission Result information is sent to the first application, wherein the access permission encryption information is that first application utilizes second key The allowed results encryption information carried in the acquisition of credentials result is decrypted in the public key of centering, and utilizes the decrypted The public key of three cipher key pairs is encrypted to obtain to the license ticket.
10. system as claimed in claim 9, which is characterized in that carry timestamp, the timestamp in the license ticket It is used to indicate the generation time of the license ticket;And
The service server, the license ticket obtained specifically for determination from intermediate server are with the license ticket decrypted It is no consistent;If consistent, the timestamp in the license ticket is extracted, however, it is determined that go out the timestamp before the deadline, then really It is fixed that the license ticket is verified.
11. the system as described in claim 9 or 10, which is characterized in that the subscriber identity information includes account information and close Code information;And the authenticated encryption information further includes the encryption information of the public key of the first key centering obtained;And
The certificate server, specifically for after receiving the certification request, according to the account information and message in cipher of storage The corresponding relationship of breath determines the corresponding encrypted message of the account information carried in certification request;And according to the encrypted message, if To the authenticated encryption information successful decryption, it is determined that pass through to subscriber identity information certification;And second will decrypted The identification information of application is sent to open platform;And it receives the open platform and knot is authenticated to the legitimacy of second application Fruit;And the legitimacy authentication result using the public key of first key centering decrypted to second application, the user Authentication result, the access permission of identity information indicate and the public key of the second cipher key pair is encrypted;And recognize what is obtained Card result is sent to first application.
12. a kind of terminal for logging in application characterized by comprising
Acquiring unit, the license confirmation of the second application is logged in for obtaining user, and the license confirmation is used to indicate user's permission The subscriber identity information applied using described first logs in second application;
First transmission unit, for sending certification request to certificate server, the certification request carries second application The authenticated encryption information of identification information;
First receiving unit includes described in the authentication result for receiving the authentication result of the certificate server return The encryption information of the legitimacy authentication result of second application;
a second transmission unit, configured to, when the legitimacy authentication result for the second application confirms that the second application is legitimate, send an access token acquisition request to the service server and send the acquired access token to the second application, so that the second application obtains the user's business data from the service server using the access token and allows the user to use the business data when performing the business of the second application.
13. The terminal of claim 12, wherein the authentication result further comprises encrypted information of an access permission instruction and of the public key of a second key pair, the access permission instruction indicating that the user is allowed to access the intermediate server using the user identity information of the first application; and the terminal further comprises:
a third transmission unit, configured to, before the second transmission unit sends the access token acquisition request to the service server, send a credential acquisition request for accessing the service server to the intermediate server, the credential acquisition request carrying credential encryption information, the credential encryption information being obtained by encrypting the access permission instruction with the public key of the second key pair, where the public key of the second key pair and the access permission instruction are obtained by decrypting the authentication result with the private key of the first key pair;
a second receiving unit, configured to receive a credential acquisition result sent by the intermediate server, the credential acquisition result carrying allowed-result encryption information, the allowed-result encryption information being obtained by the intermediate server, after decrypting the credential encryption information with the private key of the second key pair obtained from the certificate server and verifying the decrypted access permission instruction, encrypting a license ticket and the public key of a third key pair with the private key of the second key pair;
a first processing unit, configured to decrypt the allowed-result encryption information with the public key of the second key pair, and to encrypt the license ticket with the decrypted public key of the third key pair to obtain access permission encryption information;
a fourth transmission unit, configured to send the access token acquisition request carrying the access permission encryption information to the service server, so that after receiving the access token acquisition request the service server decrypts the access permission encryption information with the private key of the third key pair obtained from the intermediate server, and after the license ticket is verified, allocates the access token for the second application, encrypts the access token with the private key of the third key pair to obtain access permission result information, and sends the access permission result information to the first application.
14. The terminal of claim 13, further comprising:
a second processing unit, configured to, after the access permission result information is received and before the second transmission unit sends the access token to the second application, decrypt the access permission result information with the public key of the third key pair to obtain the access token.
15. An electronic device, comprising:
at least one processor; and
a memory communicatively connected to the at least one processor; wherein
the memory stores instructions executable by the at least one processor, and the instructions are executed by the at least one processor so that the at least one processor is able to perform the method according to any one of claims 1 to 7.
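As an added illustration of the key handling in claims 13 and 14 (not code from the patent or its assignee), the following Python traces the exchange among the first application, the intermediate server and the service server. It assumes textbook RSA on tiny primes as a stand-in for the three key pairs, and the instruction code, license ticket and access token values are constructed.

```python
"""Toy model of the credential flow in claims 13 and 14 (added example, not the patent's code).
Textbook RSA on tiny primes stands in for the three key pairs; "encrypt with a private key"
is modelled literally as the claims phrase it (a real system would use a signature there)."""


def keypair(p, q, e=17):
    """Toy RSA key pair from two small primes (constructed, not secure)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), (pow(e, -1, phi), n)  # (public key, private key)


def apply(key, m):
    """Apply one half of a key pair to integer m; the other half reverses it."""
    k, n = key
    return pow(m, k, n)


# Key pair 1: first application (terminal); 2: intermediate server; 3: service server.
# Moduli shrink along the chain so each public key fits inside the previous key's modulus.
PUB1, PRIV1 = keypair(89, 97)
PUB2, PRIV2 = keypair(67, 71)
PUB3, PRIV3 = keypair(61, 53)

ACCESS_PERMITTED = 42   # constructed "access permission instruction"
LICENSE_TICKET = 1234   # constructed license ticket issued by the intermediate server
ACCESS_TOKEN = 2718     # constructed access token issued by the service server


def certificate_server_auth_result():
    """Authentication result: instruction and the second public key, readable only with PRIV1."""
    return [apply(PUB1, x) for x in (ACCESS_PERMITTED, PUB2[0], PUB2[1])]


def terminal_request_credentials(auth_result):
    """Third transmission unit: recover instruction and PUB2, send the instruction under PUB2."""
    instr, e2, n2 = (apply(PRIV1, x) for x in auth_result)
    return (e2, n2), apply((e2, n2), instr)


def intermediate_server_issue_ticket(cred_request):
    """Intermediate server: decrypt with PRIV2, verify, return ticket and PUB3 under PRIV2."""
    if apply(PRIV2, cred_request) != ACCESS_PERMITTED:
        return None  # access permission instruction rejected
    return [apply(PRIV2, x) for x in (LICENSE_TICKET, PUB3[0], PUB3[1])]


def terminal_request_token(pub2, cred_result):
    """First processing unit: open the result with PUB2, re-encrypt the ticket under PUB3."""
    ticket, e3, n3 = (apply(pub2, x) for x in cred_result)
    return (e3, n3), apply((e3, n3), ticket)


def service_server_issue_token(token_request):
    """Service server: decrypt with PRIV3, verify the ticket, return the token under PRIV3."""
    if apply(PRIV3, token_request) != LICENSE_TICKET:
        return None  # license ticket rejected
    return apply(PRIV3, ACCESS_TOKEN)


def run_login_flow():
    """Claims 13 and 14 end to end; returns the token the first application hands to the second."""
    pub2, cred_req = terminal_request_credentials(certificate_server_auth_result())
    pub3, token_req = terminal_request_token(pub2, intermediate_server_issue_ticket(cred_req))
    return apply(pub3, service_server_issue_token(token_req))  # second processing unit (claim 14)
```

Each server only ever checks what it can decrypt with the key it holds, which is why a wrong instruction or a forged ticket is rejected before any token is issued.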
CN201810266079.0A 2018-03-28 2018-03-28 Method, system, terminal and electronic device for logging in application Active CN110324276B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810266079.0A CN110324276B (en) 2018-03-28 2018-03-28 Method, system, terminal and electronic device for logging in application

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810266079.0A CN110324276B (en) 2018-03-28 2018-03-28 Method, system, terminal and electronic device for logging in application

Publications (2)

Publication Number Publication Date
CN110324276A true CN110324276A (en) 2019-10-11
CN110324276B CN110324276B (en) 2022-01-07

Family

ID=68110219

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810266079.0A Active CN110324276B (en) 2018-03-28 2018-03-28 Method, system, terminal and electronic device for logging in application

Country Status (1)

Country Link
CN (1) CN110324276B (en)


Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2014038608A (en) * 2012-08-20 2014-02-27 Naver Corp Application log-in system due to authentication sharing, method and computer readable recording medium
CN104125063A (en) * 2013-04-28 2014-10-29 腾讯科技(深圳)有限公司 Authentication method, equipment and system
CN105282126A (en) * 2014-07-24 2016-01-27 腾讯科技(北京)有限公司 Login authentication method, terminal and server
US20170192764A1 (en) * 2015-12-30 2017-07-06 Dropbox, Inc. Automated application installation
CN106888202A (en) * 2016-12-08 2017-06-23 阿里巴巴集团控股有限公司 Authorize login method and device
CN107045603A (en) * 2017-04-11 2017-08-15 北京深思数盾科技股份有限公司 Control method and device are called in a kind of application

Cited By (52)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110716441A (en) * 2019-11-08 2020-01-21 北京金茂绿建科技有限公司 Method for controlling intelligent equipment, intelligent home system, equipment and medium
US12010105B2 (en) 2019-11-13 2024-06-11 Huawei Technologies Co., Ltd. Control method, apparatus, and system
WO2021093722A1 (en) * 2019-11-13 2021-05-20 华为技术有限公司 Control method, apparatus, and system
CN111062024A (en) * 2019-11-25 2020-04-24 泰康保险集团股份有限公司 Application login method and device
CN111062024B (en) * 2019-11-25 2022-07-19 泰康保险集团股份有限公司 Application login method and device
CN113132973B (en) * 2019-12-31 2022-05-24 佛山市云米电器科技有限公司 Equipment network distribution method and system and computer readable storage medium
CN113132973A (en) * 2019-12-31 2021-07-16 佛山市云米电器科技有限公司 Equipment network distribution method and system and computer readable storage medium
CN111259363A (en) * 2020-01-19 2020-06-09 数字广东网络建设有限公司 Service access information processing method, system, device, equipment and storage medium
CN111400690A (en) * 2020-03-25 2020-07-10 支付宝(杭州)信息技术有限公司 Biological verification method and device
CN111400690B (en) * 2020-03-25 2022-03-29 支付宝(杭州)信息技术有限公司 Biological verification method and device
CN111541656B (en) * 2020-04-09 2022-09-16 中央电视台 Identity authentication method and system based on converged media cloud platform
CN111541656A (en) * 2020-04-09 2020-08-14 中央电视台 Identity authentication method and system based on converged media cloud platform
CN111538965B (en) * 2020-04-15 2021-10-12 支付宝(杭州)信息技术有限公司 Authorized login method, device and system of application program
CN111538965A (en) * 2020-04-15 2020-08-14 支付宝(杭州)信息技术有限公司 Authorized login method, device and system of application program
CN111582869A (en) * 2020-04-21 2020-08-25 海南电网有限责任公司 Information security protection method, device and equipment
CN111552928A (en) * 2020-04-26 2020-08-18 北京学之途网络科技有限公司 Authentication method and device
CN111639319B (en) * 2020-06-02 2023-04-25 抖音视界有限公司 User resource authorization method, device and computer readable storage medium
CN111639319A (en) * 2020-06-02 2020-09-08 北京字节跳动网络技术有限公司 User resource authorization method, device and computer readable storage medium
CN111698312B (en) * 2020-06-08 2022-10-21 中国建设银行股份有限公司 Service processing method, device, equipment and storage medium based on open platform
CN111698312A (en) * 2020-06-08 2020-09-22 中国建设银行股份有限公司 Service processing method, device, equipment and storage medium based on open platform
CN111741115B (en) * 2020-06-24 2022-12-16 支付宝(杭州)信息技术有限公司 Service processing method, device and system and electronic equipment
CN111741115A (en) * 2020-06-24 2020-10-02 支付宝(杭州)信息技术有限公司 Service processing method, device and system and electronic equipment
CN111917773A (en) * 2020-07-31 2020-11-10 中国工商银行股份有限公司 Service data processing method and device and server
CN111917773B (en) * 2020-07-31 2022-07-19 中国工商银行股份有限公司 Service data processing method and device and server
CN114640880B (en) * 2020-11-30 2023-06-30 腾讯科技(深圳)有限公司 Account login control method, device and medium
CN114640880A (en) * 2020-11-30 2022-06-17 腾讯科技(深圳)有限公司 Account login control method, device and medium
CN112738025A (en) * 2020-12-09 2021-04-30 青岛海尔科技有限公司 Device control method and apparatus, storage medium, and electronic apparatus
CN112738025B (en) * 2020-12-09 2023-02-03 青岛海尔科技有限公司 Device control method and apparatus, storage medium, and electronic apparatus
CN112948143A (en) * 2021-03-04 2021-06-11 北京奇艺世纪科技有限公司 Application program calling method and device and calling system
CN112948143B (en) * 2021-03-04 2024-01-12 北京奇艺世纪科技有限公司 Application program calling method, device and system
EP4135331A1 (en) * 2021-08-10 2023-02-15 Beijing Dajia Internet Information Technology Co., Ltd. Method for processing live broadcast information stream, electronic device
CN113378153A (en) * 2021-08-12 2021-09-10 中移(上海)信息通信科技有限公司 Authentication method, first service device, second service device and terminal device
CN113746857A (en) * 2021-09-09 2021-12-03 深圳市腾讯网域计算机网络有限公司 Login method, device, equipment and computer readable storage medium
EP4149053A1 (en) * 2021-09-10 2023-03-15 Apollo Intelligent Connectivity (Beijing) Technology Co., Ltd. Authorization processing method and apparatus, and storage medium
CN113872974A (en) * 2021-09-29 2021-12-31 深圳市微购科技有限公司 Method, server and computer-readable storage medium for network session encryption
CN115037453A (en) * 2021-11-19 2022-09-09 荣耀终端有限公司 Data protection method and system and electronic equipment
CN114338149B (en) * 2021-12-28 2022-12-27 北京深盾科技股份有限公司 Login credential authorization method of server, terminal and key escrow platform
CN114268506A (en) * 2021-12-28 2022-04-01 优刻得科技股份有限公司 Method for accessing server side equipment, access side equipment and server side equipment
CN114338149A (en) * 2021-12-28 2022-04-12 北京深思数盾科技股份有限公司 Login credential authorization method of server, terminal and key escrow platform
CN114158046A (en) * 2021-12-30 2022-03-08 支付宝(杭州)信息技术有限公司 Method and device for realizing one-key login service
CN114158046B (en) * 2021-12-30 2024-04-23 支付宝(杭州)信息技术有限公司 Method and device for realizing one-key login service
CN114745167A (en) * 2022-04-02 2022-07-12 中科曙光国际信息产业有限公司 Identity authentication method and device, computer equipment and computer readable storage medium
CN114900344A (en) * 2022-04-26 2022-08-12 四川智能建造科技股份有限公司 Identity authentication method, system, terminal and computer readable storage medium
WO2024037040A1 (en) * 2022-08-17 2024-02-22 荣耀终端有限公司 Data processing method and electronic device
CN115146252B (en) * 2022-09-05 2023-02-21 深圳高灯计算机科技有限公司 Authorization authentication method, system, computer device and storage medium
CN115146252A (en) * 2022-09-05 2022-10-04 深圳高灯计算机科技有限公司 Authorization authentication method, system, computer device and storage medium
WO2024067419A1 (en) * 2022-09-28 2024-04-04 中移(成都)信息通信科技有限公司 Authorization information acquisition method and apparatus, related device, and storage medium
CN115733672A (en) * 2022-11-03 2023-03-03 支付宝(杭州)信息技术有限公司 Data processing method, device and equipment
CN116800546B (en) * 2023-08-24 2023-11-03 北京建筑大学 User switching method, system, terminal and storage medium
CN116800546A (en) * 2023-08-24 2023-09-22 北京建筑大学 User switching method, system, terminal and storage medium
CN116915520B (en) * 2023-09-14 2023-12-19 南京龟兔赛跑软件研究院有限公司 Agricultural product informatization data security optimization method based on distributed computing
CN116915520A (en) * 2023-09-14 2023-10-20 南京龟兔赛跑软件研究院有限公司 Agricultural product informatization data security optimization method based on distributed computing

Also Published As

Publication number Publication date
CN110324276B (en) 2022-01-07


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant