CN110781482A - Login method, login device, computer equipment and storage medium - Google Patents

Abstract

The application relates to a login method, a login device, computer equipment and a storage medium. The method comprises the following steps: after receiving a second login request and a session identifier sent by a first service server and used for requesting to login a second service server by a terminal of a logged-in user, generating a verification token of the second service server corresponding to the session identifier; generating a redirection address of the second service server according to the verification token of the second service server and the address of the second service server, and returning the generated redirection address to the terminal through the first service server; and receiving a verification request which is sent by the second service server and carries a verification token of the second service server, and when the verification token is verified to be valid, acquiring account information of the logged-in user according to the verification token of the second service server and returning the account information to the second service server, wherein the second service server completes terminal login to the second service server through the second login request according to the account information. The method can improve the safety.

Description

Login method, login device, computer equipment and storage medium

Technical Field

The present application relates to the field of computer technologies, and in particular, to a login method, an apparatus, a computer device, and a storage medium.

Background

With the rapid development of information technology and network technology, more and more application systems are available in enterprises. For example, in the e-commerce industry, common application systems include a customer service system, an operation management system, a data system, a content management system, a financial system, and the like. Because the systems are independent, a user must log in according to the corresponding system identity before using each application system, and the user must remember the user name and the password of each system, so that the use feeling of the user is reduced. For such a situation, concepts such as unified user authentication and single sign-on have been developed.

However, the existing authentication schemes for both unified authentication and single sign-on are implemented based on cookies, and the authentication schemes need to be stored in the same top domain name, thereby reducing security.

Disclosure of Invention

In view of the foregoing, it is desirable to provide a login method, device, computer device, and storage medium capable of improving security.

A method of login, the method comprising:

receiving a second login request and a session identifier sent by a first service server, wherein the second login request is used for requesting a terminal of a logged-in user to log in a second service server, and the session identifier is a session identifier of a login session generated when the first login request of the terminal user is responded; the first login request is used for requesting to login the first service server;

generating a verification token of a second service server corresponding to the session identifier according to the second login request;

generating a redirection address of the second service server according to the verification token of the second service server and the address of the second service server, and returning the redirection address of the second service server to the terminal through the first service server;

receiving a verification request which is sent by the second service server and carries a verification token of the second service server; the verification request carrying the verification token of the second service server is generated when the second service server receives the second login request which is retransmitted by the terminal according to the redirection address of the second service server;

when the verification token of the second service server is verified to be valid, acquiring the account information of the logged-in user according to the verification token of the second service server and returning the account information to the second service server; and the second service server enables the terminal of the logged-in user to log in the second service server through the second login request according to the account information.

In one embodiment, the method further comprises:

receiving a first login request and account information which are sent by a terminal of a user and request for logging in a first service server;

generating a login session and an authentication token of the first service server according to the first login request;

generating a redirection address of the first service server according to the verification token of the first service server and the address of the first service server, and returning the redirection address of the first service server to the terminal;

receiving a verification request which is sent by the first service server and carries a verification token of the first service server; the verification request carrying the verification token of the first service server is generated when the first service server receives the first login request which is retransmitted by the terminal according to the redirection address of the first service server;

when the verification token of the first business server is verified to be valid, returning the account information to the first business server; and the first service server enables a terminal of a user to log in the first service server through the first login request according to the account information.

In one embodiment, the method further comprises:

receiving a heartbeat detection instruction sent by the first service server;

and feeding back a heartbeat signal to the first service server according to the heartbeat detection instruction, and sending a second login request and account information of a terminal request of a logged-in user to log in a second service server by the first service server according to the heartbeat signal.

In one embodiment, the obtaining account information of the end user according to the verification token of the second service server includes:

determining a session identifier corresponding to the verification token of the second service server;

and acquiring account information of the terminal user from the login session corresponding to the session identifier.

In one embodiment, the method further comprises:

adding a valid time to a verification token when the verification token is generated;

storing the verification token added with the valid time into a database;

and deleting the verification token from the database after the valid time of the verification token is expired.

In one embodiment, the method for generating the redirection address includes:

and splicing the address of the service server with the verification token of the service server to obtain a redirection address corresponding to the service server.

In one embodiment, a method for verifying whether a token is valid comprises:

when an authentication request is responded, and it is determined that the same authentication token as the authentication token carried by the authentication request does not exist in a database, it is determined that the authentication token carried by the authentication request is invalid;

when an authentication request is responded, and an authentication token which is the same as the authentication token carried by the authentication request is determined to exist in a database, the authentication token carried by the authentication request is determined to be valid.

A login device, the device comprising:

the receiving module is used for receiving a second login request and a session identifier, which are sent by a first service server and used for requesting the terminal of a logged-in user to log in a second service server, wherein the session identifier is a session identifier of a login session generated when the first login request of the terminal user is responded; the first login request is used for requesting to login the first service server;

the generating module is used for generating a verification token of the second service server corresponding to the session identifier according to the second login request;

the generating module is further configured to generate a redirection address of the second service server according to the validation token of the second service server and the address of the second service server, and return the redirection address of the second service server to the terminal through the first service server;

the receiving module is further configured to receive a verification request sent by the second service server and carrying a verification token of the second service server; the verification request carrying the verification token of the second service server is generated when the second service server receives the second login request which is retransmitted by the terminal according to the redirection address of the second service server;

the verification module is used for acquiring the account information of the logged-in user according to the verification token of the second service server and returning the account information to the second service server when the verification token of the second service server is verified to be valid; and the second service server enables the terminal of the logged-in user to log in the second service server through the second login request according to the account information.

A computer device comprising a memory and a processor, the memory storing a computer program, wherein the processor implements the steps of any of the above-described login methods when executing the computer program.

A computer-readable storage medium, on which a computer program is stored, wherein the computer program, when executed by a processor, implements the steps of any of the above-mentioned login methods.

According to the login method, the login device, the calculation and equipment and the storage medium, after a second login request and a session identifier sent by the first service server and used for requesting the terminal of the logged-in user to login the second service server are received, the authentication token corresponding to the second service server is generated, and therefore the user can automatically login other service servers through the logged-in service server after logging in one service server. And then, before the second service server responds to the login request, the authentication token is verified in advance according to the authentication request sent by the second service server, and the account information of the terminal user is returned to the second service server to complete login after the authentication token is valid, so that the legality of the terminal user can be confirmed conveniently, and the login safety is ensured. The method not only improves the use feeling of the user, but also reduces the risk compared with the traditional method that the authentication scheme is stored on the same top-level domain name, thereby improving the login safety.

Drawings

FIG. 1 is a diagram of an application environment for a login method in one embodiment;

FIG. 2 is a schematic flow chart diagram illustrating a method of login in one embodiment;

FIG. 3 is a schematic flow chart of a login method in another embodiment;

FIG. 4 is a timing diagram of a log-in method in one embodiment;

FIG. 5 is a block diagram of a login device in one embodiment;

FIG. 6 is a diagram illustrating an internal structure of a computer device according to an embodiment.

Detailed Description

In order to make the objects, technical solutions and advantages of the present application more apparent, the present application is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application.

The login method provided by the application can be applied to the application environment shown in fig. 1. The application environment relates to a terminal 110, a unified authentication server 120, a first service server 130 and a second service server 140. The terminal 110 communicates with the unified authentication server 120, the first service server 130 and the second service server 140 through a network, and the unified authentication server 120 communicates with the first service server 130 and the second service server 140 through a network.

Specifically, when the first service server 130 receives a second login request that the terminal 110 of the logged-in user requests to login the second service server 140, the session identifier is obtained; and sends the second login request and the session identification to unified authentication server 120. After receiving a second login request and a session identifier sent by the first service server 130 and requesting to login the second service server 140 by the terminal 110 of the logged-in user, the unified authentication server 120 generates a verification token of the second service server 140 corresponding to the session identifier according to the second login request. The unified authentication server 120 generates a redirection address of the second service server 140 according to the verification token of the second service server 140 and the address of the second service server 140, and returns the redirection address of the second service server 140 to the first service server 130. The first service server 130 returns the received redirection address of the second service server 140 to the terminal 110. After receiving the redirection address of the second service server 140, the terminal 110 resends the second login request to the second service server 140 according to the redirection address of the second service server 140. When the second service server 140 receives the second login request retransmitted by the terminal 110 according to the redirection address of the second service server 140, a verification request carrying the verification token of the second service server 140 is generated and sent to the unified authentication server 120. When the unified authentication server 120 verifies that the verification token of the second service server 140 is valid, the account information of the user of the terminal 110 is obtained according to the verification token of the second service server 140 and returned to the second service server 140. The second service server 140 makes the terminal 110 user log in the second service server 140 through the second login request according to the account information. The terminal 110 may be, but not limited to, various personal computers, notebook computers, smart phones, tablet computers, and portable wearable devices, and the unified authentication server 120, the first service server 130, and the second service server 140 may be implemented by independent servers or a server cluster formed by a plurality of servers.

In one embodiment, as shown in fig. 2, a login method is provided, which is described by taking the method as an example applied to the unified authentication server 120 in fig. 1, and includes the following steps:

step S202, receiving a second login request and a session identifier sent by the first service server and used for the terminal of the logged-in user to request to log in the second service server.

The service server is a server in which a corresponding service system is deployed, and the service system refers to an application system developed for a specific service. For example, in the e-commerce industry, common application systems include a customer service system, an operation management system, a data system, a content management system, a financial system, and the like. The first service system server and the second service system server may be understood as servers that deploy different service systems, for example, an application system deployed by the first service server is a client system, and an application system deployed by the second service server is a financial system. The logged-in user refers to the terminal user who has logged in the first service server.

The session identification (session ID) is a unique identifier for representing a corresponding session (session). In this embodiment, the session identifier refers to a session identifier of a login session, where the login session is a session created by the unified authentication server when a user of the terminal requests to log in the first service server. The login session stores account information of the user of the terminal and the like. That is, when a terminal user sends a first login request for requesting to login a first service server to the unified authentication server through the terminal, the unified authentication server responds to a session generated by the first login request. The first login request can be understood as a request instruction for requesting to login to the first service server, and correspondingly, the second login request is a request instruction for requesting to login to the second service server. It should be understood that since the corresponding service system is deployed in the service server, logging in the service server is equivalent to logging in the service system deployed in the service server.

Specifically, when a user sends a first login request requesting to log in a first service server to a unified authentication server through a terminal and completes the login of the first service server based on the first login request, the user is a logged-in user, that is, the user is a user who has logged in the first service server. After the user becomes a logged-in user, other service systems can be selected on a front-end interface of the first service system provided by the first service server, and the selected service system is the second service system. When the terminal detects the selection operation of the user, a corresponding login request can be generated according to the service system selected by the user and sent to the first service system server, namely, a generated second login request is sent to the first service server. For example, after the user completes the login of the first service server through the terminal, the first service server returns the front-end interface of the first service system to be displayed on the display device of the terminal. The user selects the front-end interface including the service system from the front-end interfaces through the input device connected with the terminal, and selects the corresponding second service system from the front-end interface including the service system. Once the user performs the selection operation through the input device connected with the terminal, the terminal can detect the selection operation of the user, generate a login request corresponding to the selected service system and send the login request to the first service server.

And when the first service server receives a second login request sent by the terminal of the logged-in user, acquiring the session identifier of the login session from the session corresponding to the terminal of the logged-in user. The session is a session generated by the first service server and corresponding to the terminal of the logged-in user, and is not a login session created by the unified authentication server. When the first service server creates a session corresponding to the terminal of the logged-in user, the session identifier of the logged-in session returned by the unified authentication server is stored in the session. That is, although the session corresponding to the terminal of the logged-in user by the first service server also includes a unique session identifier, the session identifier obtained from the session in this embodiment is the session identifier of the logged-in session stored in the session. And after the first service server acquires the session identifier of the login session, sending a second login request and the session identifier to the unified authentication server. At this time, the unified authentication server receives a second login request and a session identifier, which are sent by the first service server and used for requesting the terminal of the logged-in user to log in the second service server.

And step S204, generating a verification token of the second service server corresponding to the session identifier according to the second login request.

The authentication token refers to a token (token) for authenticating the identity of a user, and the token can be understood as a string generated by a server and can be guaranteed to be unique to all machines.

Specifically, when the unified authentication server receives a second login request sent by the first service server, a corresponding method is called to generate a verification token. And after the verification token is generated, the verification token is associated with the received session identifier, and subsequently, the login session corresponding to the session identifier can be queried through the verification token. If JAVA is taken as an example, the uuid.

Step S206, generating the redirection address of the second service server according to the verification token of the second service server and the address of the second service server, and returning the redirection address of the second service server to the terminal through the first service server.

The address of the second service server refers to an access address of the second service server, that is, a Uniform Resource Locator (URL) address of the second service server. The redirection address is an address for redirection, and the redirection is to redirect the request to other locations, such as web page redirection, domain name redirection, etc.

Specifically, after the unified authentication server generates the verification token of the second service server, since the URL addresses corresponding to the respective service systems are stored in the unified authentication server, the URL address of the second service system is obtained from the database in which the URL addresses are stored. It should be understood that the URL address of the second service system is the URL address of the second service server. And then, splicing and combining the URL address of the second service server and the verification token of the second service server to obtain the redirection address of the second service server. Wherein, the address of the URL can be obtained through the system identifier of the service system. When the terminal of the user generates the second login request according to the selection operation of the user, the system identifier of the service system selected by the user is obtained, and the system identifier and the generated second login request are subjected to associated mapping. Therefore, the unified authentication server can acquire the corresponding URL address according to the system identifier associated with the second login request.

And after the unified authentication server generates the redirection address of the second service server, returning the generated redirection address of the second service server to the first service server. And then, the first service server returns the received redirection address of the second service server to the terminal of the logged-in user. And after the terminal of the logged-in user receives the redirection address of the second service server, automatically redirecting to the second service server according to the redirection address. The automatic redirection may be understood as that the terminal retransmits the second login request to the second service server according to the redirection address. And when the second service server receives a second login request sent by the terminal, generating an authentication request. And meanwhile, obtaining the verification token of the second service server from the redirection address, and sending the verification token of the second service server to the unified authentication server along with the verification request.

Step S208, receiving a verification request carrying the verification token of the second service server sent by the second service server.

Step S210, when the verification token of the second service server is verified to be valid, acquiring the account information of the logged-in user according to the verification token of the second service server and returning the account information to the second service server; and the second service server enables the terminal of the logged-in user to log in the second service server through a second login request according to the account information.

The authentication request is a request instruction used for authenticating the identity of the logged-in user of the terminal, and the authentication request is generated when the second service server receives a second login request retransmitted by the terminal. And the verification request carries a verification token of the second service server, which is acquired by the second service server from the redirection address of the second service server. The account information of the logged-in user comprises an account and a password used by the logged-in user for logging in the second service system.

Specifically, when the unified authentication server receives a verification request which is sent by the second service server and carries a verification token of the second service server, whether the verification token of the second service server is valid is verified in response to the verification request. Namely, whether the verification token is the same as the verification token of the second service server carried by the verification request is inquired from the database in which the verification token is stored. When it is determined that the database has the same authentication token as the authentication token of the second service server carried in the authentication request, it may be determined that the authentication token of the second service server has not failed, that is, the authentication token of the second service server is valid. On the contrary, when it is determined that the database does not have the authentication token identical to the authentication token of the second service server carried by the authentication request, it can be determined that the authentication token of the second service server has failed. And when the verification token of the second service server is determined to be not invalid, acquiring the account information of the logged-in user according to the verification token of the second service server. The method comprises the steps of firstly obtaining a session identifier which is mapped in association with an authentication token of a second service server, then obtaining a corresponding login session through the session identifier, obtaining account information of a logged-in user from the login session, and returning the account information to the second service server. Once the second service server receives the account information returned by the unified authentication server, the second login request sent by the logged-in user can be determined to be valid and safe, and the second login request sent by the logged-in user through the terminal of the logged-in user can be resent according to the received account information, namely, according to the fact that the terminal of the logged-in user logs in the second service server, the terminal of the logged-in user can receive, display and operate the front-end interface of the second service system to perform corresponding service processing.

In addition, after the validation token of the second service server is confirmed to be valid, the validation token identical to the validation token of the second service server is deleted from the database, so that the single-time validation of the validation token is ensured. And when the second service server passes the second login request, the second service server also creates a corresponding session between the second service server and the terminal of the logged-in user, so as to maintain login information, right information and the like between the logged-in user and the second service server.

According to the login method, the authentication token corresponding to the second service server can be generated after the second login request and the session identifier sent by the first service server and used for the terminal of the logged-in user to log in the second service server are received, so that the user can automatically log in other service servers through the logged-in service server after logging in one service server. And then, before the second service server responds to the login request, the authentication token is verified in advance according to the authentication request sent by the second service server, and the account information of the terminal user is returned to the second service server to complete login after the authentication token is valid, so that the legality of the terminal user can be confirmed conveniently, and the login safety is ensured. The method not only improves the use feeling of the user, but also reduces the risk compared with the traditional method that the authentication scheme is stored on the same top-level domain name, thereby improving the login safety.

In one embodiment, before the first service server sends a second login request and a session identifier for the terminal of the logged-in user to request to log in the second service server, the method further comprises the step of detecting whether the unified authentication server is available. The method specifically comprises the following steps: receiving a heartbeat detection instruction sent by a first service server; and feeding back a heartbeat signal to the first service server according to the heartbeat detection instruction, and sending a second login request and account information of a terminal request of a logged-in user to log in a second service server by the first service server according to the heartbeat signal.

The heartbeat detection instruction is a detection instruction sent by a heartbeat mechanism of the service server to the unified authentication server at regular time, and the heartbeat mechanism is used for detecting whether the service server and the unified authentication server are in an effective connection state. The heartbeat signal can be understood as a response signal which is responded by the unified authentication server according to the heartbeat detection instruction.

Specifically, when the first service server receives a second login request that a terminal of a logged-in user requests to log in a second service server, a heartbeat detection instruction is generated and sent to the unified authentication server, and the current time for sending the heartbeat detection instruction is recorded. And when the unified authentication server feeds back the heartbeat signal and the time difference between the time for feeding back the heartbeat signal and the time for sending the heartbeat detection instruction is smaller than a time threshold, acquiring a session identifier, and sending a second login request for requesting to login a second service server by receiving a terminal of a logged-in user and the session identifier to the unified authentication server. When the unified authentication server does not feed back the heartbeat signal in a fixed time, the first service server can feed back information of authentication response failure to the terminal. When the time difference between the time of the unified authentication server for feeding back the signal and the time of the heartbeat detection instruction is greater than or equal to the time threshold, the first service server can feed back information with slow authentication response to the terminal and further determine whether the logged-in user continues to send the second login request, so that corresponding operation is performed according to the selection of the logged-in user. Both the fixed time and the time threshold can be set according to actual conditions, and it should be noted that the set fixed time should be larger than the set time threshold. In addition, when the unified authentication server does not feed back a heartbeat signal within a fixed time or the user selects to continue sending the second login request, the first service server may forward the second login request to the standby unified authentication server.

Or, the first service server may also maintain a heartbeat relationship with the unified authentication server all the time, that is, the first service server periodically sends a heartbeat detection instruction to the unified authentication server. And when the unified authentication server responds to the heartbeat detection instruction and returns a heartbeat signal, the first service server records the current time, namely the heartbeat success time. The heartbeat success time can be understood as the time when the first service server receives the feedback heartbeat signal. And further, when the first service server receives a second login request that the terminal of the logged-in user requests to log in the second service server, acquiring heartbeat success time corresponding to the unified authentication server and acquiring current system time. And determining whether the unified authentication server is in an available state or not according to the time difference between the current system time and the heartbeat success time, if the time difference is smaller than a preset time threshold, determining that the unified authentication server is in the available state, acquiring a session identifier of a login session, and then sending a second login request and the session identifier of a terminal of a logged-in user requesting to login a second service server to the unified authentication server. And if the time difference is greater than or equal to the time threshold, determining that the unified authentication server is in an unavailable state, namely feeding back a message of response failure of the authentication server to the terminal of the logged-in user. The time threshold may be set according to actual conditions, for example, if the service system needs a fast response, the time threshold may be set to be smaller, and if there is no requirement for the response speed, the time threshold may be set to be larger.

In the embodiment, when the unified authentication server performs authentication login, whether unified authentication is in an available state is detected in advance, and a corresponding login request is sent only when the unified authentication server is in the available state, so that the login request is prevented from waiting for a long time without receiving a response after being sent to the unified authentication server, and the login efficiency is improved.

In one embodiment, as shown in fig. 3, another login method is provided, which is described by taking the unified authentication server 120 in fig. 1 as an example, and includes the following steps:

step S302, a first login request and account information which are sent by a terminal of a user and request for logging in a first service server are received.

Specifically, when a user needs to log in a first service system for service processing, account information can be input through a login interface provided by the unified authentication server, that is, an account and a password are input in a corresponding input box in the login interface. And then selecting a first service system needing to be logged in. When the terminal detects the login operation of the user, a first login request is generated, and the first login request and the account information input by the user are sent to the unified authentication server. At this time, the unified authentication server receives a first login request and account information of a first service server requesting login, which are sent by a terminal of a user.

In addition, when the terminal generates the first login request, the first login request can be sent to the unified authentication server through the reverse proxy server, namely, the first login request is sent to the unified authentication server after the reverse proxy server detects that the unified authentication server is available. That is, after the terminal generates the first login request, the first login request and the account information of the user are sent to the reverse proxy server. And when the reverse proxy server receives a first login request and account information sent by the terminal, generating a heartbeat detection instruction and sending the heartbeat detection instruction to the unified authentication server for heartbeat detection. The heartbeat detection method in this embodiment is the same as the method for sending the heartbeat detection instruction by the first service server, and is not described herein again.

Step S304, according to the first login request, generating a login session and an authentication token of the first service server.

Specifically, after receiving the first login request and the account information, the unified authentication server responds to the first login request, creates a login session corresponding to the terminal of the user, and invokes a corresponding method to generate the verification token of the first service server. And after the login session is established, storing the received account information of the user into the login session. And the authentication token of the first service server is mapped with the session identifier of the login session, so that the corresponding login session can be conveniently inquired subsequently according to the authentication token of the first service server, and the account information of the corresponding user can be acquired.

Step S306, generating the redirection address of the first service server according to the verification token of the first service server and the address of the first service server, and returning the redirection address of the first service server to the terminal.

Specifically, after the unified authentication server generates the verification token of the first service server, since the URL addresses corresponding to the respective service systems are stored in the unified authentication server, the URL address of the first service system is obtained from the database in which the URL addresses are stored. It should be understood that the URL address of the first service system is the URL address of the first service server. And then, splicing and combining the URL address of the first service server and the verification token of the first service server to obtain the redirection address of the first service server. Wherein, the address of the URL can be obtained through the system identifier of the service system. When the terminal of the user generates the first login request according to the selection operation of the user, the system identifier of the service system selected by the user is also obtained, and the system identifier and the generated first login request are subjected to associated mapping. Therefore, the unified authentication server can acquire the corresponding URL address according to the system identifier associated with the first login request. In addition, the system identifier acquired by the terminal can also be sent to the unified authentication server along with the login request.

And after the unified authentication server generates the redirection address of the first service server, returning the generated redirection address of the first service server to the terminal. And after the terminal of the user receives the redirection address of the first service server, automatically redirecting to the first service server according to the redirection address. It can be understood that the terminal retransmits the first login request to the first service server according to the redirection address. And when the first service server receives a first login request sent by the terminal, generating an authentication request. And meanwhile, obtaining the verification token of the first service server from the redirection address, and sending the verification token of the first service server to the unified authentication server along with the verification request.

In addition, it should be understood that, if the terminal sends the first login request to the unified authentication server through the reverse proxy server, when the unified authentication server feeds back the redirection address of the first service server, the redirection address of the first service server should be fed back to the reverse proxy server first, and then the redirection address of the first service server is fed back to the terminal through the reverse proxy server. Likewise, the terminal should be redirected to the first service server again through the reverse proxy server, i.e., the first login request should be retransmitted to the first service server through the reverse proxy server. That is, the terminal's interaction with the first service server and the unified authentication server should be implemented by the reverse proxy server.

Step S308, receiving an authentication request carrying the authentication token of the first service server sent by the first service server.

Step S310, when the verification token of the first service server is verified to be valid, returning the account information to the first service server; and the first service server enables the terminal of the user to log in the first service server through the first login request according to the account information.

Specifically, when the first service server receives the first login request sent by the terminal, the first service server generates an authentication request. And meanwhile, acquiring the verification token of the first service server from the redirection address, and sending the verification token of the first service server to the unified authentication server along with the verification request. Therefore, when the unified authentication server receives a verification request which is sent by the first service server and carries the verification token of the first service server, whether the verification token of the first service server is valid is verified in response to the verification request. That is, whether the same authentication token as the authentication token of the first service server carried by the authentication request exists is inquired from the database in which the authentication token is stored. And when the verification token which is the same as the verification token of the first service server carried by the verification request is determined to exist in the database, determining that the verification token of the first service server is not invalid, and determining that the verification token of the first service server is valid. On the contrary, when it is determined that the database does not have the authentication token identical to the authentication token of the second service server carried by the authentication request, it can be determined that the authentication token of the first service server has failed. And determining that the verification token of the second service server is not invalid, and acquiring the account information of the user according to the verification token of the first service server. The method comprises the steps of firstly obtaining a session identifier of a login session which is associated and mapped with an authentication token of a first service server, then obtaining a corresponding login session through the session identifier, obtaining account information of a user from the login session, and returning the account information to the first service server. Once the first service server receives the account information returned by the unified authentication server, it can be determined that the first login request sent by the user is valid and safe, and the first login request can be resent through the terminal of the user according to the received account information, that is, the terminal of the user logs in the first service server according to the account and the password, and the terminal of the user can receive, display and operate the front-end interface of the first service system to perform corresponding service processing.

In addition, after the validation token of the first service server is confirmed to be valid, the validation token identical to the validation token of the first service server is deleted from the database, so that the single-time validation of the validation token is ensured. And when the first service server passes the first login request, the first service server simultaneously creates a corresponding session between the first service server and the terminal of the logged-in user, so as to maintain login information, authority information and the like between the user and the first service server.

In this embodiment, before the first service server responds to the first login request, valid verification is performed in advance according to the generated verification token of the first service server, so that the validity of the terminal user is convenient to confirm, and after the verification token of the first service server is valid, account information of the terminal user is returned to the first service server to complete login, so that the login safety is improved.

In one embodiment, after generating the verification token, the method further comprises the steps of: adding a valid time to the authentication token; storing the verification token added with the valid time into a database; when the validity time of the authentication token has expired, the authentication token is deleted from the database.

Specifically, after the unified authentication server generates the verification token of the first service server or the verification token of the second service server, the valid time of the verification token is generated according to the preset valid time. For example, assuming that the preset valid time is 5 minutes, the valid time of the generated verification token is 5 minutes. The authentication token is then stored in a corresponding database, such as a Redis database or the like. When the validity time of the authentication token expires, it indicates that the authentication token has expired, i.e. the expired authentication token is deleted from the database. For example, if the generation time of the authentication token is greater than or equal to 5 minutes from the current time, the authentication token is determined to be invalid. In this embodiment, the validity period of the token is ensured by setting a validity time for the authentication token.

In one embodiment, the generation method of the redirection address comprises the following steps: and splicing the address of the service server with the verification token of the service server to obtain a redirection address corresponding to the service server.

Specifically, when the unified authentication server generates the redirection address, the address of the corresponding service server is obtained according to the system identifier. Then, by a delimiter "? And splicing the verification tokens of the service servers of the addresses of the service servers. For example, assuming that the address of the first service server is www.aaaa.com and the authentication token of the first service server is bbbb, the concatenated redirection address of the first service server is www.aaaa.com? bbbb.

Therefore, when the service server needs to obtain the corresponding authentication token, it can obtain the corresponding authentication token according to the delimiter "? "split the redirect address to get the authentication token. When the redirection address comprises a plurality of parameters, the verification token can be determined from the parameters according to the names of the parameters. For example, the address of the first service server includes the parameter cccc, i.e. the address of the first service server is www.aaaa.com? cccc. That is, www.aaaa.com? cccc? bbbb. When based on the delimiter "? When the redirection address is divided, the parameters cccc and bbbb can be obtained, and at the moment, the authentication token can be determined according to the parameter names of the parameters cccc and bbbb. For example, if the name when the authentication token is generated is the token, and the name of bbbb in the cccc and bbbb parameters is the token, the service server can determine that bbbb is the authentication token according to the name.

In the implementation, the verification token of the business server is spliced with the address of the business service for redirection, so that the logged-in business server can be ensured to safely obtain the verification token for verification.

In one embodiment, as shown in fig. 4, a timing diagram of a login method is provided, and the login method is explained in detail with reference to fig. 4.

Specifically, a user sends a first login request and account information for requesting to login a first service server to a unified authentication server through a terminal. When the unified authentication server receives a first login request and account information which are sent by a terminal of a user and request for logging in a first service server, a login session corresponding to the terminal of the user is created in response to the first login request, and a corresponding method is called to generate a verification token of the first service server. And after the login session is established, storing the received account information of the user into the login session. And mapping the authentication token of the first traffic server with the session identification of the login session. Then, a first system identifier of the first service system is obtained, and an address of the first service server is obtained according to the first system identifier. And splicing and combining the address of the first service server and the verification token of the first service server to obtain a redirection address of the first service server, and returning the generated redirection address of the first service server to the terminal. And after the terminal of the user receives the redirection address of the first service server, the terminal resends the first login request to the first service server according to the redirection address. And when the first service server receives a first login request sent by the terminal, generating a verification request. And meanwhile, obtaining the verification token of the first service server from the redirection address, and sending the verification token of the first service server to the unified authentication server along with the verification request. And when the unified authentication server receives a verification request which is sent by the first service server and carries the verification token of the first service server, responding to the verification request to verify whether the verification token of the first service server is valid. That is, whether the verification token identical to the verification token of the first service server carried by the verification request exists is inquired from the database in which the verification token is stored. And when the verification token which is the same as the verification token of the first service server carried by the verification request is determined to exist in the database, determining that the verification token of the first service server has not failed, namely determining that the verification token of the first service server is valid. The session identifier of the login session mapped in association with the authentication token of the first service server can be obtained, then the corresponding login session is obtained through the session identifier, and the account information of the user is obtained from the login session and returned to the first service server. Once the first service server receives the account information returned by the unified authentication server, it can be determined that the first login request sent by the user is valid and safe, and the first login request can be resent through the terminal of the user according to the received account information, that is, the terminal of the user logs in the first service server according to the account and the password, that is, the terminal has successfully logged in the first service server.

Then, the user selects a second service system to be logged in through a front-end interface of the first service system provided by the first service server. When the terminal of the user detects the selection operation of the user, a corresponding second login request can be generated according to the second service system selected by the user and is sent to the first service system server. When the first service server receives a second login request sent by the terminal of the user, the session identifier of the login session is obtained from the session corresponding to the terminal of the user, and the second login request and the session identifier are sent to the unified authentication server. And when the unified authentication server receives a second login request sent by the first service server, calling a corresponding method to generate a verification token of the second service server. And after generating the authentication token of the second service server, associating the generated authentication token of the second service server with the received session identification. And acquiring a first system identifier of a second service system, and acquiring an address of a second service server according to the second system identifier. And splicing and combining the address of the second service server and the verification token of the second service server to obtain a redirection address of the second service server, returning the generated redirection address of the second service server to the first service server, and feeding back the redirection address of the second service server to the terminal of the user through the first service server. And after the terminal of the user receives the redirection address of the second service server, the terminal resends the second login request to the second service server according to the redirection address. And the second service server generates a verification request when receiving a second login request sent by the terminal. And meanwhile, acquiring the verification token of the second service server from the redirection address, and sending the verification token of the second service server to the unified authentication server along with the generated verification request. And when the unified authentication server receives a verification request which is sent by the second service server and carries the verification token of the second service server, responding to the verification request to verify whether the verification token of the second service server is valid. That is, whether the verification token identical to the verification token of the second service server carried by the verification request exists is inquired from the database in which the verification token is stored. And when the verification token which is the same as the verification token of the second service server carried by the verification request is determined to exist in the database, determining that the verification token of the second service server has not failed, namely determining that the verification token of the second service server is valid. The session identifier of the login session mapped in association with the authentication token of the second service server can be obtained, then the corresponding login session is obtained through the session identifier, and the account information of the user is obtained from the login session and returned to the second service server. Once the second service server receives the account information returned by the unified authentication server, the first login request sent by the user can be determined to be valid and safe, and the second login request sent by the user through the terminal of the user can be resent according to the received account information, that is, the terminal of the user logs in the second service server according to the account and the password, that is, the terminal logs in the second service server successfully.

It should be understood that although the various steps in the flow charts of fig. 2-3 are shown in order as indicated by the arrows, the steps are not necessarily performed in order as indicated by the arrows. The steps are not performed in the exact order shown and described, and may be performed in other orders, unless explicitly stated otherwise. Moreover, at least some of the steps in fig. 2-3 may include multiple sub-steps or multiple stages that are not necessarily performed at the same time, but may be performed at different times, and the order of performance of the sub-steps or stages is not necessarily sequential, but may be performed in turn or alternating with other steps or at least some of the sub-steps or stages of other steps.

In one embodiment, as shown in fig. 5, there is provided a login apparatus, including: a receiving module 502, a generating module 504, and a verifying module 506, wherein:

a receiving module 502, configured to receive a second login request and a session identifier, sent by a first service server, that a terminal of a logged-in user requests to log in a second service server.

A generating module 504, configured to generate, according to the second login request, an authentication token of the second service server corresponding to the session identifier.

The generating module 504 is further configured to generate a redirection address of the second service server according to the validation token of the second service server and the address of the second service server, and return the redirection address of the second service server to the terminal through the first service server.

The receiving module 502 is further configured to receive an authentication request sent by the second service server and carrying an authentication token of the second service server.

The verification module 506 is configured to, when verifying that the verification token of the second service server is valid, obtain account information of the logged-in user according to the verification token of the second service server and return the account information to the second service server; and the second service server enables the terminal of the logged-in user to log in the second service server through a second login request according to the account information.

In an embodiment, the receiving module 502 is further configured to receive a first login request and account information, which are sent by a terminal of a user and request to log in a first service server.

The generating module 504 is further configured to generate a login session and an authentication token of the first service server according to the first login request.

The generating module 504 is further configured to generate a redirection address of the first service server according to the validation token of the first service server and the address of the first service server, and return the redirection address of the first service server to the terminal.

The receiving module 502 is further configured to receive an authentication request sent by the first service server and carrying the authentication token of the first service server.

The verification module 506 is further configured to return account information to the first service server when the verification token of the first service server is verified to be valid; and the first service server enables the terminal of the user to log in the first service server through the first login request according to the account information.

In one embodiment, the receiving module 502 is further configured to receive a heartbeat detection instruction sent by the first service server; and feeding back a heartbeat signal to the first service server according to the heartbeat detection instruction, and sending a second login request and account information of a terminal request of a logged-in user to log in a second service server by the first service server according to the heartbeat signal.

In one embodiment, the verification module 506 is further configured to determine a session identifier corresponding to the verification token of the second service server; and acquiring account information of the terminal user from the login session corresponding to the session identifier.

In one embodiment, the generation module 504 is further configured to add a validity time to the validation token when generating the validation token; storing the verification token added with the valid time into a database; and deleting the verification token from the database after the valid time of the verification token is expired.

In an embodiment, the generating module 504 is further configured to splice the address of the service server with the verification token of the service server to obtain a redirection address corresponding to the service server.

In one embodiment, the verification module 506 is further configured to determine that the verification token carried by the verification request is invalid when it is determined that the same verification token as the verification token carried by the verification request does not exist in the database in response to the verification request; and when the verification request is responded, and the verification token which is the same as the verification token carried by the verification request exists in the database, determining that the verification token carried by the verification request is valid.

For specific limitations of the login device, reference may be made to the above limitations on the login method, which is not described herein again. The modules in the login device can be wholly or partially realized by software, hardware and a combination thereof. The modules can be embedded in a hardware form or independent from a processor in the computer device, and can also be stored in a memory in the computer device in a software form, so that the processor can call and execute operations corresponding to the modules.

In one embodiment, a computer device is provided, which may be a server, and its internal structure diagram may be as shown in fig. 6. The computer device includes a processor, a memory, a network interface, and a database connected by a system bus. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device comprises a nonvolatile storage medium and an internal memory. The non-volatile storage medium stores an operating system, a computer program, and a database. The internal memory provides an environment for the operation of an operating system and computer programs in the non-volatile storage medium. The database of the computer device is used for storing data such as authentication tokens. The network interface of the computer device is used for communicating with an external terminal through a network connection. The computer program is executed by a processor to implement a login method.

Those skilled in the art will appreciate that the architecture shown in fig. 6 is merely a block diagram of some of the structures associated with the disclosed aspects and is not intended to limit the computing devices to which the disclosed aspects apply, as particular computing devices may include more or less components than those shown, or may combine certain components, or have a different arrangement of components.

In one embodiment, a computer device is provided, comprising a memory and a processor, the memory having a computer program stored therein, the processor implementing the following steps when executing the computer program:

receiving a second login request and a session identifier sent by a first service server and used for requesting a terminal of a logged-in user to log in a second service server;

generating a verification token of a second service server corresponding to the session identifier according to the second login request;

generating a redirection address of the second service server according to the verification token of the second service server and the address of the second service server, and returning the redirection address of the second service server to the terminal through the first service server;

receiving a verification request which is sent by a second service server and carries a verification token of the second service server;

when the verification token of the second service server is verified to be valid, acquiring account information of the logged-in user according to the verification token of the second service server and returning the account information to the second service server; and the second service server enables the terminal of the logged-in user to log in the second service server through a second login request according to the account information.

In one embodiment, the processor, when executing the computer program, further performs the steps of:

receiving a first login request and account information which are sent by a terminal of a user and request for logging in a first service server;

generating a login session and an authentication token of the first service server according to the first login request;

generating a redirection address of the first service server according to the verification token of the first service server and the address of the first service server, and returning the redirection address of the first service server to the terminal;

receiving a verification request which is sent by a first service server and carries a verification token of the first service server;

when the verification token of the first service server is verified to be valid, returning account information to the first service server; and the first service server enables the terminal of the user to log in the first service server through the first login request according to the account information.

In one embodiment, the processor, when executing the computer program, further performs the steps of:

receiving a heartbeat detection instruction sent by a first service server; and feeding back a heartbeat signal to the first service server according to the heartbeat detection instruction, and sending a second login request and account information of a terminal request of a logged-in user to log in a second service server by the first service server according to the heartbeat signal.

In one embodiment, the processor, when executing the computer program, further performs the steps of: determining a session identifier corresponding to a verification token of a second service server; and acquiring account information of the terminal user from the login session corresponding to the session identifier.

In one embodiment, the processor, when executing the computer program, further performs the steps of: adding valid time to the verification token when the verification token is generated; storing the verification token added with the valid time into a database; and deleting the verification token from the database after the valid time of the verification token is expired.

In one embodiment, the processor, when executing the computer program, further performs the steps of:

and splicing the address of the service server with the verification token of the service server to obtain a redirection address corresponding to the service server.

In one embodiment, the processor, when executing the computer program, further performs the steps of:

when the verification request is responded, and the verification token which is the same as the verification token carried by the verification request does not exist in the database, determining that the verification token carried by the verification request is invalid; and when the verification request is responded, and the verification token which is the same as the verification token carried by the verification request exists in the database, determining that the verification token carried by the verification request is valid.

In one embodiment, a computer-readable storage medium is provided, having a computer program stored thereon, which when executed by a processor, performs the steps of:

receiving a second login request and a session identifier sent by a first service server and used for requesting a terminal of a logged-in user to log in a second service server;

generating a verification token of a second service server corresponding to the session identifier according to the second login request;

generating a redirection address of the second service server according to the verification token of the second service server and the address of the second service server, and returning the redirection address of the second service server to the terminal through the first service server;

receiving a verification request which is sent by a second service server and carries a verification token of the second service server;

when the verification token of the second service server is verified to be valid, acquiring account information of the logged-in user according to the verification token of the second service server and returning the account information to the second service server; and the second service server enables the terminal of the logged-in user to log in the second service server through a second login request according to the account information.

In one embodiment, the computer program when executed by the processor further performs the steps of:

receiving a first login request and account information which are sent by a terminal of a user and request for logging in a first service server;

generating a login session and an authentication token of the first service server according to the first login request;

generating a redirection address of the first service server according to the verification token of the first service server and the address of the first service server, and returning the redirection address of the first service server to the terminal;

receiving a verification request which is sent by a first service server and carries a verification token of the first service server;

when the verification token of the first service server is verified to be valid, returning account information to the first service server; and the first service server enables the terminal of the user to log in the first service server through the first login request according to the account information.

In one embodiment, the computer program when executed by the processor further performs the steps of:

receiving a heartbeat detection instruction sent by a first service server; and feeding back a heartbeat signal to the first service server according to the heartbeat detection instruction, and sending a second login request and account information of a terminal request of a logged-in user to log in a second service server by the first service server according to the heartbeat signal.

In one embodiment, the computer program when executed by the processor further performs the steps of: determining a session identifier corresponding to a verification token of a second service server; and acquiring account information of the terminal user from the login session corresponding to the session identifier.

In one embodiment, the computer program when executed by the processor further performs the steps of: adding valid time to the verification token when the verification token is generated; storing the verification token added with the valid time into a database; and deleting the verification token from the database after the valid time of the verification token is expired.

In one embodiment, the computer program when executed by the processor further performs the steps of:

and splicing the address of the service server with the verification token of the service server to obtain a redirection address corresponding to the service server.

In one embodiment, the computer program when executed by the processor further performs the steps of:

when the verification request is responded, and the verification token which is the same as the verification token carried by the verification request does not exist in the database, determining that the verification token carried by the verification request is invalid; and when the verification request is responded, and the verification token which is the same as the verification token carried by the verification request exists in the database, determining that the verification token carried by the verification request is valid.

It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by hardware instructions of a computer program, which can be stored in a non-volatile computer-readable storage medium, and when executed, can include the processes of the embodiments of the methods described above. Any reference to memory, storage, database, or other medium used in the embodiments provided herein may include non-volatile and/or volatile memory, among others. Non-volatile memory can include read-only memory (ROM), Programmable ROM (PROM), Electrically Programmable ROM (EPROM), Electrically Erasable Programmable ROM (EEPROM), or flash memory. Volatile memory can include Random Access Memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in a variety of forms such as Static RAM (SRAM), Dynamic RAM (DRAM), Synchronous DRAM (SDRAM), Double Data Rate SDRAM (DDRSDRAM), Enhanced SDRAM (ESDRAM), Synchronous Link DRAM (SLDRAM), Rambus Direct RAM (RDRAM), direct bus dynamic RAM (DRDRAM), and memory bus dynamic RAM (RDRAM).

The technical features of the above embodiments can be arbitrarily combined, and for the sake of brevity, all possible combinations of the technical features in the above embodiments are not described, but should be considered as the scope of the present specification as long as there is no contradiction between the combinations of the technical features.

The above-mentioned embodiments only express several embodiments of the present application, and the description thereof is more specific and detailed, but not construed as limiting the scope of the invention. It should be noted that, for a person skilled in the art, several variations and modifications can be made without departing from the concept of the present application, which falls within the scope of protection of the present application. Therefore, the protection scope of the present patent shall be subject to the appended claims.

Claims (10)

1. A method of login, the method comprising:

receiving a second login request and a session identifier sent by a first service server, wherein the second login request is used for requesting a terminal of a logged-in user to log in a second service server, and the session identifier is a session identifier of a login session generated when the first login request of the terminal user is responded; the first login request is used for requesting to login the first service server;

generating a verification token of a second service server corresponding to the session identifier according to the second login request;

generating a redirection address of the second service server according to the verification token of the second service server and the address of the second service server, and returning the redirection address of the second service server to the terminal through the first service server;

receiving a verification request which is sent by the second service server and carries a verification token of the second service server; the verification request carrying the verification token of the second service server is generated when the second service server receives the second login request which is retransmitted by the terminal according to the redirection address of the second service server;

when the verification token of the second service server is verified to be valid, acquiring the account information of the logged-in user according to the verification token of the second service server and returning the account information to the second service server; and the second service server enables the terminal of the logged-in user to log in the second service server through the second login request according to the account information.

2. The method of claim 1, further comprising:

receiving a first login request and account information which are sent by a terminal of a user and request for logging in a first service server;

generating a login session and an authentication token of the first service server according to the first login request;

generating a redirection address of the first service server according to the verification token of the first service server and the address of the first service server, and returning the redirection address of the first service server to the terminal;

receiving a verification request which is sent by the first service server and carries a verification token of the first service server; the verification request carrying the verification token of the first service server is generated when the first service server receives the first login request which is retransmitted by the terminal according to the redirection address of the first service server;

when the verification token of the first business server is verified to be valid, returning the account information to the first business server; and the first service server enables a terminal of a user to log in the first service server through the first login request according to the account information.

3. The method of claim 1, further comprising:

receiving a heartbeat detection instruction sent by the first service server;

and feeding back a heartbeat signal to the first service server according to the heartbeat detection instruction, and sending a second login request and account information of a terminal request of a logged-in user to log in a second service server by the first service server according to the heartbeat signal.

4. The method of claim 1, wherein the obtaining account information of the end user according to the authentication token of the second service server comprises:

determining a session identifier corresponding to the verification token of the second service server;

and acquiring account information of the terminal user from the login session corresponding to the session identifier.

5. The method according to claim 1 or 2, characterized in that the method further comprises:

adding a valid time to a verification token when the verification token is generated;

storing the verification token added with the valid time into a database;

and deleting the verification token from the database after the valid time of the verification token is expired.

6. The method according to claim 1 or 2, wherein the generation method of the redirection address comprises:

and splicing the address of the service server with the verification token of the service server to obtain a redirection address corresponding to the service server.

7. The method of claim 1 or 2, wherein verifying whether the token is valid comprises:

when an authentication request is responded, and it is determined that the same authentication token as the authentication token carried by the authentication request does not exist in a database, it is determined that the authentication token carried by the authentication request is invalid;

when an authentication request is responded, and an authentication token which is the same as the authentication token carried by the authentication request is determined to exist in a database, the authentication token carried by the authentication request is determined to be valid.

8. A login apparatus, the apparatus comprising:

the receiving module is used for receiving a second login request and a session identifier, which are sent by a first service server and used for requesting the terminal of a logged-in user to log in a second service server, wherein the session identifier is a session identifier of a login session generated when the first login request of the terminal user is responded; the first login request is used for requesting to login the first service server;

the generating module is used for generating a verification token of the second service server corresponding to the session identifier according to the second login request;

the generating module is further configured to generate a redirection address of the second service server according to the validation token of the second service server and the address of the second service server, and return the redirection address of the second service server to the terminal through the first service server;

the receiving module is further configured to receive a verification request sent by the second service server and carrying a verification token of the second service server; the verification request carrying the verification token of the second service server is generated when the second service server receives the second login request which is retransmitted by the terminal according to the redirection address of the second service server;

the verification module is used for acquiring the account information of the logged-in user according to the verification token of the second service server and returning the account information to the second service server when the verification token of the second service server is verified to be valid; and the second service server enables the terminal of the logged-in user to log in the second service server through the second login request according to the account information.

9. A computer device comprising a memory and a processor, the memory storing a computer program, wherein the processor implements the steps of the method of any one of claims 1 to 7 when executing the computer program.

10. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the steps of the method of any one of claims 1 to 7.

Images