CN111949959B - Authorization authentication method and device in Oauth protocol - Google Patents


Info

Publication number
CN111949959B
Authority
CN
China
Prior art keywords
party server
authorization
information
server
signature
Prior art date
Legal status
Active
Application number
CN202010817992.2A
Other languages
Chinese (zh)
Other versions
CN111949959A (en)
Inventor
冯宇东
马思雨
李伟仁
李瑾
Current Assignee
Industrial and Commercial Bank of China Ltd ICBC
Original Assignee
Industrial and Commercial Bank of China Ltd ICBC
Priority date
Filing date
Publication date
Application filed by Industrial and Commercial Bank of China Ltd ICBC
Priority to CN202010817992.2A
Publication of CN111949959A
Application granted
Publication of CN111949959B
Legal status: Active (current)
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/33 User authentication using certificates
    • G06F21/44 Program or device authentication
    • G06F21/60 Protecting data
    • G06F21/604 Tools and structures for managing or administering access control systems
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245 Protecting personal data, e.g. for financial or medical purposes
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2115 Third party
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Automation & Control Theory (AREA)
  • Medical Informatics (AREA)
  • Databases & Information Systems (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The application provides an authorization authentication method and device in the Oauth protocol. The method includes: performing identity verification on a third party server according to the server information of the third party server that initiates an access request; returning pre-authorization signature information to the third party server when the identity verification passes; and receiving an authorization authentication request carrying the pre-authorization signature information from the third party server, and performing authorization authentication processing in the Oauth protocol. The authorization authentication method and device disclosed by the application can be used in the field of information security, including information security technology in the financial field. By introducing a pre-authorization signature mechanism, the legitimacy and reliability of the third party APP are further ensured, the security of the information transmission link is ensured before the user performs information authentication, and tampering attacks by hackers can be effectively rejected.

Description

Authorization authentication method and device in Oauth protocol
Technical Field
The application relates to the technical field of information security, in particular to an authorization authentication method and device in an Oauth protocol.
Background
The unified pass has a large user base and wide access channels, which makes it well suited as an authentication platform connecting third party applications with the bank's head-office user system. At the same time, the bank's API open platform is mature and already cooperates with many institutions and merchants. The unified pass therefore uses the API open platform to integrate and communicate with third party applications according to the OAuth2.0 protocol standard, establishing a bank OAuth authorization authentication platform for third party applications.
The reference protocol commonly used in the industry for authorized login is OAuth2.0. The bank has designed an authorized login system suited to its own needs on the basis of this protocol. For third party APPs, the bank's API open platform serves as the unified access point for authorization and data access in the OAuth protocol, while the unified pass provides the specific flow and mechanism for user login and authentication and provides protected user information to the third party application.
The authorized login system of the prior art does not fully consider security and reliability during the transmission of authorization information, and can be attacked by hackers during authorized login.
Disclosure of Invention
In order to solve the security problem of authorized login in the OAuth2.0 protocol of the prior art and improve the security of the authorization authentication process, the application provides an authorization authentication method in the Oauth protocol, which comprises the following steps:
according to the server information of the third party server initiating the access request, carrying out identity verification on the current third party server;
if the identity verification is passed, the pre-authorization signature information is returned to the third party server;
and receiving an authorization authentication request with the pre-authorization signature information initiated by the third party server, and performing authorization authentication processing in an Oauth protocol.
In the embodiment of the present application, performing identity verification on the current third party server according to the server information of the third party server that initiates the access request includes:
receiving an access request initiated by a third party server and obtaining server information of the third party server by using an API gateway;
and carrying out identity verification on the current third-party server according to the acquired server information of the third-party server.
In the embodiment of the present application, performing identity verification on the current third party server according to the server information of the third party server that initiates the access request further includes:
storing third party server information which is allowed to be accessed in advance;
and carrying out identity verification on the current third-party server according to the stored information of the third-party server which is allowed to be accessed and the server information of the third-party server which initiates the access request.
In the embodiment of the present application, receiving the authorization authentication request with the pre-authorization signature information initiated by the third party server and performing the authorization authentication processing in the Oauth protocol includes:
receiving an authorization authentication request with the pre-authorization signature information initiated by the third party server;
and carrying out signature verification processing on the pre-authorized signature information, and carrying out authorization authentication processing in an Oauth protocol when the signature verification passes.
Meanwhile, the application also provides an authorization authentication device in the Oauth protocol, which comprises:
the server information verification module is used for carrying out identity verification on the current third party server according to the server information of the third party server initiating the access request;
the pre-authorization signature module is used for returning pre-authorization signature information to the third party server when the identity verification passes;
and the authentication module is used for receiving an authorization authentication request with the pre-authorization signature information initiated by the third party server and carrying out authorization authentication processing in an Oauth protocol.
In the embodiment of the present application, the server information verification module includes:
the server information acquisition unit is used for receiving the access request initiated by the third party server by using the API gateway and acquiring the server information of the third party server;
and the verification unit is used for carrying out identity verification on the current third-party server according to the acquired server information of the third-party server.
In the embodiment of the present application, the server information verification module further includes:
a storage unit for storing in advance third-party server information that is permitted to be accessed;
and the verification unit performs identity verification on the current third-party server according to the stored information of the third-party server which is allowed to access and the server information of the third-party server which initiates the access request.
In an embodiment of the present application, the authentication module includes:
a request receiving unit, configured to receive an authorization authentication request with the pre-authorization signature information, initiated by the third party server;
and the signature verification unit is used for carrying out signature verification processing on the pre-authorized signature information, and if the signature verification passes, the authorization authentication processing in the Oauth protocol is carried out.
The application also provides a computer device, which comprises a memory, a processor and a computer program stored on the memory and capable of running on the processor, wherein the processor executes the computer program to realize the method.
Meanwhile, the application also provides a computer readable storage medium which stores a computer program for executing the method.
Aiming at the security problem in current authorized login systems, the application introduces a pre-authorization signature mechanism, which further ensures the legitimacy and reliability of the third party APP, ensures the security of the information transmission link before the user performs information authentication, and thereby effectively rejects tampering attacks by hackers.
The foregoing and other objects, features and advantages of the application will be apparent from the following more particular description of preferred embodiments, as illustrated in the accompanying drawings.
Drawings
In order to more clearly illustrate the embodiments of the application or the technical solutions in the prior art, the drawings that are required in the embodiments or the description of the prior art will be briefly described, it being obvious that the drawings in the following description are only some embodiments of the application, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a flow chart of an authorization authentication method in Oauth protocol provided by the application;
FIG. 2 is a flowchart illustrating the operation of the authorization code scheme according to an embodiment of the present application;
FIG. 3 is a schematic diagram of an interaction architecture of an authorization authentication platform for a third party application in the implementation of the present application;
FIG. 4 is a block diagram of an authorization authentication device in Oauth protocol provided by the application;
fig. 5 is a schematic diagram of an electronic device according to an embodiment of the present application.
Detailed Description
The following description of the embodiments of the present application will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present application, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.
As shown in fig. 1, the present application provides an authorization authentication method in Oauth protocol, including:
step S101, carrying out identity verification on a current third party server according to server information of the third party server initiating the access request;
step S102, when the identity verification passes, pre-authorization signature information is returned to the third party server;
step S103, receiving an authorization authentication request with the pre-authorization signature information initiated by the third party server, and performing authorization authentication processing in an Oauth protocol.
Before authorization authentication, the authentication method of the Oauth protocol provided by the application uses the server information of the third party server that initiates the access request to verify that server's identity, so as to judge whether the current third party server is one that is allowed access. If it is judged not to be allowed access, the illegal third party server is directly refused access to the authorization authentication server. If it is determined to be allowed access to the authorization authentication server, pre-authorization signature information is returned to it, and the authorization authentication request subsequently initiated by the third party server is signed with this pre-authorization signature information. In other words, by introducing a pre-authorization signature mechanism, the legitimacy and reliability of terminals such as the third party server and the APP are further ensured, the security of the information transmission link is ensured before information authorization authentication, and tampering attacks by hackers can be effectively rejected.
In the embodiment of the application, an API gateway receives the access request initiated by the third party server and obtains the server information of that third party server, and identity verification of the current third party server is carried out according to the acquired server information. The API gateway is arranged to execute pre-authorization of the third party server: the third party server accesses the API gateway to obtain a pre-authorization signature, and the API gateway returns the pre-authorization signature only after verifying that the basic information of the third party server is legal. Executing pre-authorization processing at the API gateway prevents a third party server that has not passed authentication from directly accessing the authorization authentication server, further rejects hacker attacks, and thereby further improves the security of the authorization authentication server.
The authentication of the current third party server according to the server information of the third party server initiating the access request comprises the following steps:
storing third party server information which is allowed to be accessed in advance;
and carrying out identity verification on the current third-party server according to the stored information of the third-party server which is allowed to be accessed and the server information of the third-party server which initiates the access request.
In an embodiment of the present application, server information of servers allowed access is stored in advance. After receiving the server information of the server that currently initiates the access request, it is determined whether the pre-stored server information contains the current third party's information; if so, the current third party server is determined to be a server allowed access, and the subsequent authorization authentication operation in the Oauth protocol is allowed to proceed.
In an embodiment of the present application, an authorization authentication request carrying the pre-authorization signature information is received from the third party server;
and signature verification processing is carried out on the pre-authorization signature information, and authorization authentication processing in the Oauth protocol is carried out when the signature verification passes.
In the embodiment of the application, the pre-authorization signature is transmitted to the pass authentication server through the third party application, and the pass authentication server verifies the signature string. If the signature string verification succeeds, it is established that the pre-authorization signature has not been tampered with during transfer from the third party server application to the pass authentication server, and that the network link from the third party application to the pass authentication server is secure.
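The pre-authorization step described in the preceding paragraphs (allowlist check at the API gateway, issuance of a pre-authorization signature, and verification of the signature string at the pass authentication server) is illustrated below. This is an added example and not code from the patent or from the bank's platform; the page does not specify the signature algorithm, the format of the "server information", or the validity period, so HMAC-SHA256 over a canonical JSON payload, an `app_id`/`host`/`ip` triple, a 300-second lifetime and a consumed-nonce set are all assumptions, and every key and identifier value is constructed for the demo.

```python
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional, Tuple

# Constructed allowlist of third party servers registered in advance (hypothetical values):
# the "third party server information which is allowed to be accessed" stored by the gateway.
ALLOWED_SERVERS: Dict[str, Dict[str, str]] = {
    "app-shop-001": {"host": "api.shop.example", "ip": "203.0.113.10"},
}

# Key shared by the API gateway and the pass authentication server (assumption: HMAC-SHA256;
# the patent does not name the signature algorithm). Demo value only.
GATEWAY_KEY = b"demo-gateway-signing-key"
PRE_AUTH_TTL = 300          # seconds a pre-authorization signature remains valid (assumption)
_SEEN_NONCES: set = set()   # nonces already consumed, so a captured signature cannot be replayed


def _canonical(payload: dict) -> bytes:
    """Deterministic encoding so signer and verifier hash identical bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def verify_server_info(server_info: dict) -> bool:
    """API gateway: compare the caller's server information with the pre-stored allowlist."""
    entry = ALLOWED_SERVERS.get(server_info.get("app_id", ""))
    if entry is None:
        return False
    return entry["host"] == server_info.get("host") and entry["ip"] == server_info.get("ip")


def issue_pre_auth_signature(server_info: dict, now: Optional[float] = None) -> Optional[dict]:
    """API gateway: return pre-authorization signature information, or None when verification fails."""
    if not verify_server_info(server_info):
        return None
    issued_at = int(now if now is not None else time.time())
    payload = {
        "app_id": server_info["app_id"],
        "iat": issued_at,
        "exp": issued_at + PRE_AUTH_TTL,
        "nonce": secrets.token_hex(8),
    }
    signature = hmac.new(GATEWAY_KEY, _canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "signature": signature}


def verify_pre_auth_signature(blob: dict, now: Optional[float] = None) -> Tuple[bool, str]:
    """Pass authentication server: verify the signature string before showing the login page."""
    now = now if now is not None else time.time()
    payload, signature = blob.get("payload"), blob.get("signature")
    if not isinstance(payload, dict) or not isinstance(signature, str):
        return False, "malformed"
    expected = hmac.new(GATEWAY_KEY, _canonical(payload), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signature):   # constant-time comparison
        return False, "signature mismatch"              # tampered in transit or forged
    if payload.get("exp", 0) < now:
        return False, "expired"
    if payload.get("app_id") not in ALLOWED_SERVERS:
        return False, "unknown app"
    if payload.get("nonce") in _SEEN_NONCES:
        return False, "replayed"
    _SEEN_NONCES.add(payload["nonce"])
    return True, "ok"


if __name__ == "__main__":
    # Constructed third party server presenting itself to the gateway.
    info = {"app_id": "app-shop-001", "host": "api.shop.example", "ip": "203.0.113.10"}
    blob = issue_pre_auth_signature(info)
    print("issued:", blob is not None)
    print("verify:", verify_pre_auth_signature(blob))
    print("verify again:", verify_pre_auth_signature(blob))
```

The verifier checks the MAC before looking at any payload field, so an altered `app_id` or extended `exp` is rejected as a mismatch rather than interpreted; the expiry and nonce checks are what turn "the string was not tampered with" into "this request is fresh from that server", which a bare signature check alone does not establish.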
The technical scheme of the application is further described in detail below with reference to specific embodiments, and terms related to the embodiments of the application are explained as follows:
OAuth2.0 protocol: the second-generation open authorization (Open Authorization, OAuth) protocol. The protocol allows a user to let a third party application access private resources (e.g., photos, videos, contacts and other information) stored on a website without providing the third party application with the user name and password.
Resource owner (resource owner): an entity that can grant access to a protected resource; when it is a person, it is called an end user.
Resource server (resource server): stores the protected resource. The client requests the resource using an access token (Access Token), and the resource server returns the protected resource to the client.
Authentication server (authorization server): after successfully verifying the resource owner and obtaining authorization, the authentication server issues an access token (Access Token) to the client.
Client (client): a third party application such as a Sina Weibo client or the Jingdong app. The client does not store the resource itself; after authorization passes, it uses the access token to access the protected resource and then displays or submits the corresponding data to the server.
Personal pass (epass): the bank's unified pass for personal electronic banking (hereinafter "unified pass").
Authorization Code: the authorization code parameter in the authorization code mode of the OAuth2.0 protocol, which is the most critical parameter in the authorization authentication process.
In the embodiment of the application, the OAuth2.0 authorization protocol has 4 authorization modes:
authorization code (authorization code) mode, implicit (Implicit) mode, resource owner password credentials (account password) mode, and client credentials (client) mode. The authorization code mode has the most complete functions and the strictest flow among the current OAuth2.0 modes, so it is widely used. The authorization scheme adopted in this embodiment is also the authorization code mode. The specific workflow of the authorization code mode is shown in fig. 2 and is as follows:
(A) The user accesses a client, which directs the user to an authentication server.
(B) The user determines to give authorization to the client.
(C) The authentication server directs the user to the client-specified redirect URL, along with an authorization code (Authorization Code, abbreviated Authcode).
(D) The client receives the authorization code and, together with the redirect URL, requests an access token (Access Token) from the authentication server. This is done by the client's backend server and is invisible to the user.
(E) After checking the authorization code and confirming it is correct, the authentication server issues or updates a token to the client and delivers the user identification.
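Steps (C) to (E) of the authorization code mode, as an added example that is not part of the patent or of the bank's platform: the authorization server binds each Authcode to the client, its registered redirect URL and the user, the backend exchanges the code for an access token on the back channel, and the server enforces the checks that step (E) summarises as "checking the authorization code". The client registration, secret, redirect URL, lifetimes and the revoke-on-reuse behaviour are assumptions of this demo (the patent does not describe them); all values are constructed.

```python
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

# Constructed client registration (hypothetical values). The redirect URL is fixed at
# registration and compared by exact string match, so a code is only delivered to the
# registered client and never to a redirect URL supplied at request time.
CLIENTS: Dict[str, Dict[str, str]] = {
    "third-party-app": {"secret": "demo-client-secret", "redirect_uri": "https://app.example/cb"},
}
CODE_TTL = 60        # seconds an authorization code stays valid (assumption; short by design)
TOKEN_TTL = 3600     # seconds an access token stays valid (assumption)

_codes: Dict[str, dict] = {}   # Authcode -> binding record
_tokens: Dict[str, dict] = {}  # access token -> record


def issue_authorization_code(client_id: str, redirect_uri: str, user_id: str,
                             now: Optional[float] = None) -> Optional[str]:
    """Step (C): after the user approves, bind a one-time Authcode to client, redirect URL and user."""
    client = CLIENTS.get(client_id)
    if client is None or client["redirect_uri"] != redirect_uri:
        return None   # unknown client or unregistered redirect URL: no code is delivered
    now = now if now is not None else time.time()
    code = secrets.token_urlsafe(24)   # opaque handle; the user ID is never exposed in the code
    _codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri, "user_id": user_id,
                    "exp": now + CODE_TTL, "used": False, "tokens": []}
    return code


def exchange_code_for_token(client_id: str, client_secret: str, code: str, redirect_uri: str,
                            now: Optional[float] = None) -> Tuple[Optional[dict], str]:
    """Steps (D)/(E): back-channel exchange of the Authcode for an access token.
    Returns (token_record, "ok") or (None, reason)."""
    now = now if now is not None else time.time()
    client = CLIENTS.get(client_id)
    if client is None or not hmac.compare_digest(client["secret"], client_secret):
        return None, "client authentication failed"
    record = _codes.get(code)
    if record is None:
        return None, "unknown code"
    if record["used"]:
        # A second presentation means the code leaked somewhere: revoke everything issued from it.
        for tok in record["tokens"]:
            _tokens.pop(tok, None)
        return None, "code reused"
    if record["exp"] < now:
        return None, "code expired"
    if record["client_id"] != client_id or record["redirect_uri"] != redirect_uri:
        return None, "code bound to a different client or redirect URL"
    record["used"] = True
    token = secrets.token_urlsafe(32)
    _tokens[token] = {"access_token": token, "user_id": record["user_id"],
                      "client_id": client_id, "exp": now + TOKEN_TTL}
    record["tokens"].append(token)
    return _tokens[token], "ok"


def is_token_active(token: str, now: Optional[float] = None) -> bool:
    """Resource-side check: token is known and has not expired or been revoked."""
    now = now if now is not None else time.time()
    rec = _tokens.get(token)
    return rec is not None and rec["exp"] >= now


if __name__ == "__main__":
    code = issue_authorization_code("third-party-app", "https://app.example/cb", "user-42")
    print(exchange_code_for_token("third-party-app", "demo-client-secret", code, "https://app.example/cb"))
    print(exchange_code_for_token("third-party-app", "demo-client-secret", code, "https://app.example/cb"))
```

The redirect URL is checked twice on purpose: once when the code is issued (so it only ever travels to the registered client) and again at exchange time (so a code delivered to one URL cannot be redeemed with another). Since the Authcode is, as the patent notes, derived from the user identity, treating its second use as a compromise and revoking the tokens already issued limits what an intercepted code is worth.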
In the OAuth2.0 protocol of the prior art, the most important piece of information exchanged between the two ends is the authorization code. In the authorization code mode, the authorization code is the Authcode that the personal pass application server obtains from the API open platform. The Authcode is associated with user identity information; specifically, it is data obtained by encrypting and transforming the user's user ID, and is important information capable of identifying the user's identity.
Aiming at the security problem in the OAuth2.0 protocol authorized login system in the prior art, the application can further ensure the validity and reliability of the third party APP by introducing a pre-authorized signature mechanism, and ensure the security of the current information transmission link before the user performs information authentication, thereby effectively rejecting the tamper attack of a hacker.
The improved system architecture in the embodiment of the application is shown in fig. 3, and is an OAuth authorization authentication platform architecture for third party applications.
The specific implementation of this example is divided into the following two parts:
a first part: end-to-end integration to complete acquisition of the authorization code. The specific steps are as follows:
1. The third party back end (third party server, APP) acquires a pre-authorization signature;
the third party server accesses the API gateway to acquire the pre-authorization signature, and the API gateway returns the pre-authorization signature after verifying that the basic information of the third party server is legal.
2. The authorization authentication server is invoked with the pre-authorization signature;
the third party APP carries the pre-authorization signature and transmits it to the unified pass authentication server.
3. Decrypting and verifying the pre-authorization signature; after the unified pass authentication server verifies the pre-authorization signature, a login page is displayed to check whether the user name and password are correct.
4. User authorization; after the user name and password pass verification, the authorization page is called, the related information of the third party application is displayed, and the authorization page waits for the user's operation.
5. Returning the authorization code; the user confirms authorization, and the unified pass authentication server obtains the authorization code from the API platform and returns it to the third party application via the redirect URL.
A second part: the third party application requests the user information that it is allowed to obtain within the scope of the authorization. The specific steps are as follows:
6. Applying for a token using the authorization code; the backend server of the third party application uses the authorization code to request the token from the API gateway, and decides whether to call the API interface to refresh the token according to the token's validity period.
7. The third party application requests user information from the API gateway using the token.
8. Calling the API interface to acquire user data; the OAuth management cluster of the API gateway checks the legality of the uploaded parameters and returns the current user information after the check passes. The third party application thus obtains the user information exposed through the API gateway.
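Steps 6 to 8 of the second part, as an added example (not code from the patent or the bank's API gateway): the refresh decision based on the token's validity period, the gateway's legality check of the uploaded parameters, and a user-information call that returns only the fields covered by the token's authorized scope. The patent does not define the platform's scopes, parameter names or refresh threshold, so the `profile:*` scope names, the `fields` parameter, the 60-second refresh margin and the user record are all constructed for this demo.

```python
import time
from typing import Dict, Optional, Set

# Constructed scope model (assumption: the real API platform's scopes are not on the page).
# Each scope names the user fields the third party application may obtain under it.
SCOPE_FIELDS: Dict[str, Set[str]] = {
    "profile:basic": {"user_id", "nickname"},
    "profile:contact": {"mobile"},
}
REFRESH_SKEW = 60   # refresh when fewer than this many seconds of validity remain (assumption)

# Constructed user record; "id_number" is covered by no scope and is therefore never returned.
USER_DB = {"user-42": {"user_id": "user-42", "nickname": "Alice",
                       "mobile": "+86-138-0000-0000", "id_number": "DEMO-ONLY"}}


def needs_refresh(token: dict, now: Optional[float] = None) -> bool:
    """Step 6: decide from the validity period whether to call the refresh interface first."""
    now = now if now is not None else time.time()
    return token["exp"] - now < REFRESH_SKEW


def check_request_params(params: dict) -> Optional[str]:
    """Gateway-side legality check of the uploaded parameters; returns an error string or None."""
    fields = params.get("fields")
    if not isinstance(fields, list) or not fields:
        return "invalid_request: fields must be a non-empty list"
    known = set().union(*SCOPE_FIELDS.values())   # only fields some scope can expose are legal
    unknown = [str(f) for f in fields if not isinstance(f, str) or f not in known]
    if unknown:
        return "invalid_request: unknown field(s) " + ",".join(unknown)
    return None


def get_user_info(token: dict, params: dict, now: Optional[float] = None) -> dict:
    """Steps 7-8: return only the user fields that the token's authorized scope allows."""
    now = now if now is not None else time.time()
    if token.get("revoked") or token["exp"] < now:
        return {"ok": False, "error": "invalid_token"}
    err = check_request_params(params)
    if err:
        return {"ok": False, "error": err}
    allowed: Set[str] = set()
    for scope in token["scope"]:
        allowed |= SCOPE_FIELDS.get(scope, set())
    requested = set(params["fields"])
    if not requested <= allowed:
        missing = ",".join(sorted(requested - allowed))
        return {"ok": False, "error": "insufficient_scope: " + missing}
    user = USER_DB.get(token["user_id"])
    if user is None:
        return {"ok": False, "error": "unknown_user"}
    return {"ok": True, "data": {f: user[f] for f in sorted(requested)}}


if __name__ == "__main__":
    # Constructed token as the gateway would hold it after step 6.
    tok = {"user_id": "user-42", "scope": ["profile:basic"], "exp": time.time() + 30, "revoked": False}
    print("refresh first:", needs_refresh(tok))
    print(get_user_info(tok, {"fields": ["nickname"]}))
    print(get_user_info(tok, {"fields": ["mobile"]}))
```

Two distinct failures are kept apart on purpose: a field no scope can ever expose is an illegal parameter and is rejected before the token's scope is consulted, whereas a legal field outside this token's scope is reported as insufficient scope, so the third party application learns it must request a wider authorization rather than that the field does not exist.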
Meanwhile, as shown in fig. 4, the present application also provides an authorization authentication device in the Oauth protocol, including:
the server information verification module 401 is configured to perform identity verification on a current third party server according to server information of the third party server that initiates an access request;
the pre-authorization signature module 402 is configured to return pre-authorization signature information to the third party server when the identity verification passes;
and the authentication module 403 is configured to receive an authorization authentication request with the pre-authorization signature information, which is initiated by the third party server, and perform authorization authentication processing in the Oauth protocol.
In the embodiment of the present application, the server information verification module includes:
the server information acquisition unit is used for receiving the access request initiated by the third party server by using the API gateway and acquiring the server information of the third party server;
and the verification unit is used for carrying out identity verification on the current third-party server according to the acquired server information of the third-party server.
In the embodiment of the present application, the server information verification module further includes:
a storage unit for storing in advance third-party server information that is permitted to be accessed;
and the verification unit performs identity verification on the current third-party server according to the stored information of the third-party server which is allowed to access and the server information of the third-party server which initiates the access request.
In an embodiment of the present application, the authentication module includes:
a request receiving unit, configured to receive an authorization authentication request with the pre-authorization signature information, initiated by the third party server;
and the signature verification unit is used for carrying out signature verification processing on the pre-authorized signature information, and if the signature verification passes, the authorization authentication processing in the Oauth protocol is carried out.
From the foregoing description of the method embodiments, the implementation of the authorization authentication device in the Oauth protocol of the present application is clear to those skilled in the art and is not described again here.
It should be noted that the authorization authentication method and device in the Oauth protocol disclosed by the application can be used in the field of information security, can also be used in the information security technology in the financial field, and can also be used in any field except the financial field, and the application field of the authorization authentication method and device in the Oauth protocol disclosed by the application is not limited.
During the transmission of the authorization code in the OAuth2.0 protocol, if the authorization code is not signed, mechanisms such as face recognition and SMS verification can be added to the user identity verification process, and specific security verification can be added for different authorizers. However, as is known to those skilled in the art, this increases the user's operation steps and difficulty, which is not conducive to improving the user experience. The application effectively improves security and reliability in the authorization authentication process by introducing a pre-authorization signature mechanism.
First, a pre-authorization signature must be obtained from the API open platform before a third party server or application interacts with the authentication server of the personal pass. If the pre-authorization signature can be obtained successfully, the third party application has passed the basic information verification of the API gateway and has the capability to call the API platform interface.
Second, the third party server or application communicates the pre-authorization signature to the pass authentication server, which verifies the signature string. If the signature string verification is successful, it is stated that the pre-authorization signature has not been tampered with during the transfer of the third party application to the pass authentication server, and that the network link from the third party application to the pass authentication server is secure and reliable.
The present embodiment also provides an electronic device, which may be a desktop computer, a tablet computer, a mobile terminal or the like; the present embodiment is not limited in this respect. In this embodiment, the electronic device may be implemented with reference to the foregoing method and apparatus embodiments, whose content is incorporated herein and not repeated.
Fig. 5 is a schematic block diagram of a system configuration of an electronic device 600 according to an embodiment of the present application. As shown in fig. 5, the electronic device 600 may include a central processor 100 and a memory 140; memory 140 is coupled to central processor 100. Notably, the diagram is exemplary; other types of structures may also be used in addition to or in place of the structures to implement telecommunications functions or other functions.
In one embodiment, the functions of the authorization authentication method in the Oauth protocol may be integrated into the central processor 100, which may be configured to control as follows:
according to the server information of the third party server initiating the access request, carrying out identity verification on the current third party server;
if the identity verification is passed, the pre-authorization signature information is returned to the third party server;
and receiving an authorization authentication request with the pre-authorization signature information initiated by the third party server, and performing authorization authentication processing in an Oauth protocol.
In this embodiment of the present application, the performing authentication on the current third party server according to the server information of the third party server that initiates the access request includes:
receiving an access request initiated by a third party server and obtaining server information of the third party server by using an API gateway;
and carrying out identity verification on the current third-party server according to the acquired server information of the third-party server.
In the embodiment of the present application, the performing the authentication on the current third party server according to the server information of the third party server initiating the access request includes:
storing third party server information which is allowed to be accessed in advance;
and carrying out identity verification on the current third-party server according to the stored information of the third-party server which is allowed to be accessed and the server information of the third-party server which initiates the access request.
In the embodiment of the present application, the receiving the authorization authentication request with the pre-authorization signature information initiated by the third party server, and performing the authorization authentication processing in the Oauth protocol includes:
receiving an authorization authentication request with the pre-authorization signature information initiated by the third party server;
and carrying out signature verification processing on the pre-authorized signature information, and carrying out authorization authentication processing in an Oauth protocol when the signature verification passes.
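As an added illustration of the control steps listed above and of the pre-authorization signature mechanism described earlier, the following Python sketch implements both sides of the exchange: the API gateway checks the third party server's information against a pre-stored allowlist and issues a pre-authorization signature, and the pass authentication server verifies the signature string before proceeding to the Oauth authorization step. This is example code written for this page, not code from the patent or from its assignee. The patent does not specify the signature algorithm, what "server information" consists of, or whether the signature has a lifetime; the HMAC-SHA256 construction, the app ID plus source IP check, the 300-second lifetime, the nonce-based replay check, and every identifier and sample value below are assumptions of this example.

```python
"""Pre-authorization signature flow (added example, not the patent's own code).

Assumptions not stated in the patent:
  * "server information" is an app ID plus the request's source IP;
  * the signature is HMAC-SHA256 under a key shared by the API gateway
    (API open platform) and the pass authentication server;
  * the signature carries an issue time and a nonce so that it expires and
    cannot be replayed.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Key shared between the API gateway and the pass authentication server (constructed).
PLATFORM_KEY = b"constructed-demo-key-do-not-use-in-production"

# Third-party server information stored in advance (constructed allowlist).
ALLOWED_SERVERS = {
    "app-1001": {"source_ip": "203.0.113.10"},
    "app-1002": {"source_ip": "198.51.100.7"},
}

PRESIGN_TTL_SECONDS = 300  # lifetime of a pre-authorization signature (assumption)

# Nonces the authentication server has already accepted; defeats replay.
_seen_nonces = set()


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _mac(payload: bytes) -> bytes:
    return hmac.new(PLATFORM_KEY, payload, hashlib.sha256).digest()


def gateway_verify_server(app_id: str, source_ip: str) -> bool:
    """API gateway: identity check of the third-party server against the allowlist."""
    entry = ALLOWED_SERVERS.get(app_id)
    return entry is not None and entry["source_ip"] == source_ip


def gateway_issue_presign(app_id: str, source_ip: str,
                          now: Optional[float] = None) -> Optional[str]:
    """API open platform: return a pre-authorization signature string, or None
    if the third-party server fails the identity check."""
    if not gateway_verify_server(app_id, source_ip):
        return None
    claims = {
        "app_id": app_id,
        "iat": int(now if now is not None else time.time()),
        "nonce": secrets.token_hex(16),
    }
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    return _b64(payload) + "." + _b64(_mac(payload))


def auth_server_verify_presign(presign: str,
                               now: Optional[float] = None) -> Optional[dict]:
    """Pass authentication server: verify the signature string before running
    the Oauth authorization step. Returns the verified claims, or None."""
    try:
        payload_b64, mac_b64 = presign.split(".", 1)
        payload = _unb64(payload_b64)
        supplied_mac = _unb64(mac_b64)
    except (ValueError, TypeError):
        return None
    # Constant-time comparison: a tampered payload or MAC fails here.
    if not hmac.compare_digest(_mac(payload), supplied_mac):
        return None
    claims = json.loads(payload)
    current = now if now is not None else time.time()
    if claims["app_id"] not in ALLOWED_SERVERS:
        return None  # server has since been removed from the allowlist
    if not (claims["iat"] <= current <= claims["iat"] + PRESIGN_TTL_SECONDS):
        return None  # expired, or issued in the future
    if claims["nonce"] in _seen_nonces:
        return None  # replayed signature string
    _seen_nonces.add(claims["nonce"])
    return claims


def authorization_request(presign: str, redirect_uri: str,
                          now: Optional[float] = None) -> dict:
    """Authorization endpoint: only a request carrying a valid pre-authorization
    signature proceeds to Oauth 2.0 authorization-code issuance."""
    claims = auth_server_verify_presign(presign, now)
    if claims is None:
        return {"error": "invalid_presign"}
    # The Oauth processing itself (user login, consent, binding the code to the
    # client and redirect URI) is outside this example; a random code stands in.
    return {"app_id": claims["app_id"], "code": secrets.token_urlsafe(24),
            "redirect_uri": redirect_uri}
```

The expiry and replay checks are not described in the patent. Without them, a valid signature string captured once could be presented to the authentication server again, because signature verification on its own shows only that the string was not altered, not that it is fresh. The shared-key construction also requires the gateway and the authentication server to hold the same key; an asymmetric signature would let the authentication server verify with a public key alone.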
In another embodiment, the authorization authentication device in the Oauth protocol may be configured separately from the central processor 100, for example, the authorization authentication device in the Oauth protocol may be configured as a chip connected to the central processor 100, and the authorization authentication function in the Oauth protocol is implemented under the control of the central processor.
As shown in fig. 5, the electronic device 600 may further include: a communication module 110, an input unit 120, an audio processing unit 130, a display 160, a power supply 170. It is noted that the electronic device 600 need not include all of the components shown in fig. 5; in addition, the electronic device 600 may further include components not shown in fig. 5, to which reference is made to the prior art.
As shown in fig. 5, the central processor 100, sometimes also referred to as a controller or operational control, may include a microprocessor or other processor device and/or logic device, which central processor 100 receives inputs and controls the operation of the various components of the electronic device 600.
The memory 140 may be, for example, one or more of a buffer, a flash memory, a hard drive, removable media, a volatile memory, a non-volatile memory, or another suitable device. It may store information about failures as well as the programs that process such information, and the central processor 100 can execute the programs stored in the memory 140 to realize information storage, processing and the like.
The input unit 120 provides an input to the central processor 100. The input unit 120 is, for example, a key or a touch input device. The power supply 170 is used to provide power to the electronic device 600. The display 160 is used for displaying display objects such as images and characters. The display may be, for example, but not limited to, an LCD display.
The memory 140 may be a solid state memory such as Read Only Memory (ROM), Random Access Memory (RAM), a SIM card, or the like. It may also be a memory that retains information even when powered down, can be selectively erased and loaded with further data, an example of which is sometimes referred to as EPROM. Memory 140 may also be some other type of device. Memory 140 includes a buffer memory 141 (sometimes referred to as a buffer). The memory 140 may include an application/function storage 142 for storing application programs, function programs, or a flow for executing operations of the electronic device 600 by the central processor 100.
The memory 140 may also include a data store 143, the data store 143 for storing data, such as contacts, digital data, pictures, sounds, and/or any other data used by the electronic device. The driver storage 144 of the memory 140 may include various drivers of the electronic device for communication functions and/or for performing other functions of the electronic device (e.g., messaging applications, address book applications, etc.).
The communication module 110 is a transmitter/receiver 110 that transmits and receives signals via an antenna 111. The communication module (transmitter/receiver) 110 is coupled to the central processor 100 to provide input signals and receive output signals, in the same way as in a conventional mobile communication terminal.
Based on different communication technologies, a plurality of communication modules 110, such as a cellular network module, a bluetooth module, and/or a wireless local area network module, etc., may be provided in the same electronic device. The communication module (transmitter/receiver) 110 is also coupled to a speaker 131 and a microphone 132 via an audio processor 130 to provide audio output via the speaker 131 and to receive audio input from the microphone 132 to implement usual telecommunication functions. The audio processor 130 may include any suitable buffers, decoders, amplifiers and so forth. In addition, the audio processor 130 is also coupled to the central processor 100 so that sound can be recorded locally through the microphone 132 and so that sound stored locally can be played through the speaker 131.
The embodiment of the present application also provides a computer-readable program, wherein the program, when executed in an electronic device, causes the computer to execute the authorization authentication method in the Oauth protocol as described in the above embodiment in the electronic device.
The embodiment of the present application also provides a storage medium storing a computer-readable program, wherein the computer-readable program causes a computer to perform authorization authentication in the Oauth protocol described in the above embodiment in an electronic device.
Preferred embodiments of the present application are described above with reference to the accompanying drawings. The many features and advantages of the embodiments are apparent from the detailed specification, and thus, it is intended by the appended claims to cover all such features and advantages of the embodiments which fall within the true spirit and scope thereof. Further, since numerous modifications and changes will readily occur to those skilled in the art, it is not desired to limit the embodiments of the application to the exact construction and operation illustrated and described, and accordingly, all suitable modifications and equivalents may be resorted to, falling within the scope thereof.
It will be appreciated by those skilled in the art that embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The principles and embodiments of the present application have been described in detail with reference to specific examples, which are provided to facilitate understanding of the method and core ideas of the present application; meanwhile, as those skilled in the art will have variations in the specific embodiments and application scope in accordance with the ideas of the present application, the present description should not be construed as limiting the present application in view of the above.

Claims (8)

1. An authorization authentication method in Oauth protocol, which is characterized in that the method comprises:
according to the server information of the third party server initiating the access request, carrying out identity verification on the current third party server;
when the identity verification is passed, the pre-authorization signature information is returned to the third party server;
receiving an authorization authentication request with the pre-authorization signature information initiated by the third party server, and performing authorization authentication processing in an Oauth protocol;
the step of verifying the identity of the current third party server according to the server information of the third party server initiating the access request comprises the following steps:
receiving an access request initiated by a third party server and obtaining server information of the third party server by using an API gateway;
and carrying out identity verification on the current third-party server according to the acquired server information of the third-party server.
2. The authorization authentication method in the Oauth protocol according to claim 1, wherein the authenticating the current third party server according to the server information of the third party server that initiated the access request comprises:
storing third party server information which is allowed to be accessed in advance;
and carrying out identity verification on the current third-party server according to the stored information of the third-party server which is allowed to be accessed and the server information of the third-party server which initiates the access request.
3. The authorization authentication method in the Oauth protocol according to claim 1, wherein said receiving an authorization authentication request with the pre-authorization signature information initiated by the third party server, and performing the authorization authentication process in the Oauth protocol, comprises:
receiving an authorization authentication request with the pre-authorization signature information initiated by the third party server;
and carrying out signature verification processing on the pre-authorized signature information, and carrying out authorization authentication processing in an Oauth protocol when the signature verification passes.
4. An authorization authentication device in Oauth protocol, said device comprising:
the server information verification module is used for carrying out identity verification on the current third party server according to the server information of the third party server initiating the access request;
the pre-authorization signature module is used for returning pre-authorization signature information to the third party server when the identity verification passes;
the authentication module is used for receiving an authorization authentication request with the pre-authorization signature information initiated by the third party server and carrying out authorization authentication processing in an Oauth protocol;
the server information verification module comprises:
the server information acquisition unit is used for receiving the access request initiated by the third party server by using the API gateway and acquiring the server information of the third party server;
and the verification unit is used for carrying out identity verification on the current third-party server according to the acquired server information of the third-party server.
5. The authorization authentication device in the Oauth protocol according to claim 4, wherein the server information verification module further comprises:
a storage unit for storing in advance third-party server information that is permitted to be accessed;
and the verification unit performs identity verification on the current third-party server according to the stored information of the third-party server which is allowed to access and the server information of the third-party server which initiates the access request.
6. The authorized authentication device in the Oauth protocol of claim 4, wherein said authentication module comprises:
a request receiving unit, configured to receive an authorization authentication request with the pre-authorization signature information, initiated by the third party server;
and the signature verification unit is used for carrying out signature verification processing on the pre-authorized signature information, and if the signature verification passes, the authorization authentication processing in the Oauth protocol is carried out.
7. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the method of any of claims 1 to 3 when executing the computer program.
8. A computer readable storage medium, characterized in that the computer readable storage medium stores a computer program for implementing the method of any one of claims 1 to 3, which is executed by a computer.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010817992.2A CN111949959B (en) 2020-08-14 2020-08-14 Authorization authentication method and device in Oauth protocol

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010817992.2A CN111949959B (en) 2020-08-14 2020-08-14 Authorization authentication method and device in Oauth protocol

Publications (2)

Publication Number Publication Date
CN111949959A CN111949959A (en) 2020-11-17
CN111949959B true CN111949959B (en) 2023-09-15

Family

ID=73343755

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010817992.2A Active CN111949959B (en) 2020-08-14 2020-08-14 Authorization authentication method and device in Oauth protocol

Country Status (1)

Country Link
CN (1) CN111949959B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114598490B (en) * 2021-04-09 2024-03-29 亚信科技(南京)有限公司 Method, device, equipment and storage medium for redirecting page based on API gateway
CN113079175A (en) * 2021-04-14 2021-07-06 上海浦东发展银行股份有限公司 Authorization system and method based on oauth2 protocol enhancement
CN114124407A (en) * 2021-11-25 2022-03-01 中国银行股份有限公司 Backend authorization authentication method and system based on Oauth2.0 protocol

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2014032543A1 (en) * 2012-08-30 2014-03-06 中兴通讯股份有限公司 Authentication and authorization processing method and apparatus
WO2016088087A1 (en) * 2014-12-04 2016-06-09 Visa Cape Town (Pty) Ltd Third party access to a financial account
CN105976171A (en) * 2016-05-23 2016-09-28 胡纪文 Bank card consumption cycled pre-authorization method and pre-authorization system
CN106341234A (en) * 2015-07-17 2017-01-18 华为技术有限公司 Authorization method and device
CN106714075A (en) * 2015-08-10 2017-05-24 华为技术有限公司 Authorization processing method and equipment
CN108322416A (en) * 2017-01-16 2018-07-24 腾讯科技(深圳)有限公司 A kind of safety certification implementation method, apparatus and system

Also Published As

Publication number Publication date
CN111949959A (en) 2020-11-17

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant