CN112861089A - Method, resource server, resource user side, device and medium for authorization authentication

Info

Publication number: CN112861089A
Authority: CN (China)
Application number: CN202110288236.XA
Other languages: Chinese (zh)
Other versions: CN112861089B (en)
Legal status: Granted; Active
Prior art keywords: resource, server, information, user side, response message
Inventors: 张智锋, 马洁, 胡丹, 高伟强, 韩璐, 戴祯鸿
Current assignee: Beijing Digital Yixin Technology Co ltd
Original assignee: Beijing Digital Yixin Technology Co ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/45 Structures or tools for the administration of authentication

Abstract

The embodiments of the application provide an authorization authentication method, a resource server, a resource user side, a device and a medium. The method comprises: obtaining signature information to be verified and identification information of an authorization request sent by the resource user side, where the authorization request is used by a third-party server to apply for access to protected user resource information in the resource server; performing signature authentication on the signature information to be verified to generate an authentication result that indicates whether the identity of the resource user side is legal; and, when the resource user side is legal, executing the authentication process in which the resource server authorizes the user resource information to the third-party server. The method authenticates the identity of the resource user side during the authorization authentication process on the basis of a digital certificate, which strengthens the security of user identity authentication and thus the security of opening user information.

Description

Method, resource server, resource user side, device and medium for authorization authentication
Technical Field
The present application relates to the field of authorization and authentication technologies, and in particular, to a method, a resource server, a resource client, a device, and a medium for authorization and authentication.
Background
With the popularity of internet applications, each large internet application accumulates a large amount of user resource information, and in order to increase the influence of the platform's ecosystem, this user information is opened up, on the premise of user authorization, on the basis of the OAuth2.0 protocol. "Openness and sharing" is a main characteristic of today's internet: integrating the different services of internet service providers has become an inevitable trend of internet development, and integrating the services of different vendors solves problems such as identity authentication and information sharing.
Specifically, before accessing a protected resource under the OAuth2.0 protocol, a third party needs to obtain authorization from the user, exchange that authorization with the authorization server for an access credential, exchange the access credential with the authorization server for an access token, and finally obtain the protected resource by presenting the access token to the resource server. In this process, whether a data packet is intercepted or the authorization server is maliciously attacked, the identity information of the user may be leaked, so the legality of the user's identity cannot be guaranteed. Enhancing the security of identity authentication in the authorization authentication process of the OAuth2.0 protocol is therefore an urgent problem.
Disclosure of Invention
Embodiments of the present application provide an authorization authentication method, a resource server, a resource client, a device, and a medium, so as to enhance the security of identity authentication in the OAuth2.0 protocol authorization authentication process.
In a first aspect, an embodiment of the present application provides an authorization authentication method, where the method is applied to a resource server, and the method includes: acquiring signature information to be verified and identification information of an authorization request sent by a resource user side, wherein the authorization request is used for a third-party server to apply for accessing protected user resource information in the resource server; performing signature authentication on the signature information to be verified to generate an authentication result, wherein the authentication result is used for representing whether the identity of the resource user side is legal or not; and when the resource user side is legal, executing an authentication process that the resource server authorizes the user resource information to the third-party server.
In this implementation, during the authorization authentication process, signature authentication is performed on the signature information to be verified that the resource user side sends, so the identity of the resource user side can be authenticated effectively; the third-party client can then access the user's resources on the open platform through user authorization without the user's account and password being provided to the third-party client, which enhances the security of user identity authentication and thus the security of opening user information.
With reference to the first aspect, in an implementation manner, before acquiring the signature information to be verified and the identification information of the authorization request, the method further includes: acquiring the authorization request sent by the third-party server; and sending a response message to the third-party server according to the authorization request, wherein the response message comprises the identification information of the authorization request and a random number, and the random number is used for the resource user side to carry out digital signature.
In the implementation process, the response message is sent to the third-party server according to the authorization request, so that the resource user side can conveniently carry out digital signature on the random number in the response message by using the personal digital certificate, the identity authentication of the resource user side is further facilitated, and the leakage of the identity information of the user is effectively avoided.
With reference to the first aspect, in another implementation manner, after the sending a response message to the third-party server according to the authorization request, the method further includes: judging whether the resource user side receives the response message within preset time; if not, sending an updated response message to the third-party server according to the authorization request, wherein the updated response message comprises the identification information of the authorization request and the updated random number; and repeating the process until the resource user side receives the response message, wherein the signature information to be verified is obtained by the resource user side performing digital signature on the random number in the received response message.
In this implementation, by determining whether the resource user side receives the response message within the preset time and updating the response message when it does not, security protection of the response message is achieved.
With reference to the first aspect, in another implementation manner, performing signature authentication on the signature information to be verified to generate an authentication result includes: decrypting the signature information to be verified with the public key of the resource user side to obtain a decrypted digest; performing a function operation on the random number in the response message received by the resource user side to generate a random-number digest; and verifying whether the identity of the resource user side is legal according to the decrypted digest and the random-number digest.
In this implementation, the signature information to be verified is decrypted with the public key of the resource user side to obtain a decrypted digest, a function operation is performed on the random number in the response message received by the resource user side to obtain a random-number digest, and the legality of the identity of the resource user side is determined by comparing the decrypted digest with the random-number digest, which realizes the identity authentication of the resource user side.
With reference to the first aspect, in another implementation, when the resource user side is a legal identity, executing the authentication process in which the resource server authorizes the user resource information to the third-party server includes: when the resource user side is legal, generating a temporary credential and sending it to the third-party client, where the temporary credential is used by the third-party server to exchange for an authorization token from the resource server; generating the authorization token according to first feedback information sent by the third-party server, where the first feedback information is generated by the third-party server according to the temporary credential sent by the third-party client; sending the authorization token to the third-party server, where the authorization token is used by the third-party server to exchange for the user resource information from the resource server; and generating the user resource information according to second feedback information sent by the third-party server, where the second feedback information carries the authorization token.
In this implementation, when the identity of the resource user side is legal, the resource server generates a temporary credential and sends it to the third-party client; the third-party server obtains the temporary credential from the third-party client, uses it to exchange for the authorization token from the resource server, and then obtains the user resource information with the authorization token, which completes the authentication process in which the resource server authorizes the user resource information to the third-party server.
In a second aspect, an embodiment of the present application provides an authorization authentication method, where the method is applied to a resource user side, and the method includes: acquiring a response message, wherein the response message comprises identification information of the authorization request and a random number; performing digital signature on the random number based on the digital certificate of the resource user side to generate signature information to be verified; and sending the signature information to be verified and the identification information of the authorization request to a resource server.
In the implementation process, the random number in the response message is digitally signed based on the digital certificate, so that the identity authentication of the resource user side is facilitated, the problem of user information leakage caused by account password authentication in the authorization authentication process is effectively avoided, and the safety of the user identity information is further improved.
With reference to the second aspect, in an embodiment, digitally signing the random number based on the digital certificate of the resource user side to generate the signature information to be verified includes: performing a function operation on the random number to generate a digest; and encrypting the digest with the private key of the digital certificate of the resource user side to generate the signature information to be verified.
In this implementation, a function operation is applied to the random number to generate a digest, and the digest is encrypted with the private key of the digital certificate to generate the signature information to be verified, which makes it convenient for the resource server to perform identity authentication on that signature information.
In a third aspect, an embodiment of the present application provides a resource server for authorization authentication, where the resource server includes: a first acquisition unit, configured to acquire signature information to be verified and identification information of an authorization request sent by a resource user side, where the authorization request is used by a third-party server to apply for access to protected user resource information in the resource server; and a first processing unit, configured to perform signature authentication on the signature information to be verified to generate an authentication result that indicates whether the identity of the resource user side is legal, and further configured to execute the authentication process in which the resource server authorizes the user resource information to the third-party server when the resource user side is a legal identity.
With reference to the third aspect, in an implementation manner, before the first obtaining unit is configured to obtain the signature information to be verified and the identification information of the authorization request sent by the resource user side, the first obtaining unit is further configured to: acquiring the authorization request sent by the third-party server; and sending a response message to the third-party server according to the authorization request, wherein the response message comprises the identification information of the authorization request and a random number, and the random number is used for the resource user side to carry out digital signature.
With reference to the third aspect, in another embodiment, the first processing unit is further configured to: determine whether the resource user side receives the response message within a preset time; if not, send an updated response message to the third-party server according to the authorization request, where the updated response message includes the identification information of the authorization request and an updated random number; and repeat this process until the resource user side receives the response message, where the signature information to be verified is obtained by the resource user side digitally signing the random number in the received response message.
With reference to the third aspect, in another embodiment, the first processing unit is specifically configured to: decrypt the signature information to be verified with the public key of the resource user side to obtain a decrypted digest; perform a function operation on the random number in the response message received by the resource user side to generate a random-number digest; and verify whether the identity of the resource user side is legal according to the decrypted digest and the random-number digest.
With reference to the third aspect, in another embodiment, the first processing unit is specifically configured to: when the resource user side is legal, generate a temporary credential and send it to the third-party client, where the temporary credential is used by the third-party server to exchange for an authorization token from the resource server; generate the authorization token according to first feedback information sent by the third-party server, where the first feedback information is generated by the third-party server according to the temporary credential sent by the third-party client; send the authorization token to the third-party server, where the authorization token is used by the third-party server to exchange for the user resource information from the resource server; and generate the user resource information according to second feedback information sent by the third-party server, where the second feedback information carries the authorization token.
In a fourth aspect, an embodiment of the present application provides a resource client for authorization authentication, where the resource client includes: a second obtaining unit, configured to obtain a response message, where the response message includes identification information of the authorization request and a random number; the second processing unit is used for carrying out digital signature on the random number based on the digital certificate of the resource user side and generating signature information to be verified; and the second sending unit is used for sending the signature information to be verified and the identification information of the authorization request to a resource server.
With reference to the fourth aspect, in an embodiment, the second processing unit is specifically configured to: perform a function operation on the random number to generate a digest; and encrypt the digest with the private key of the digital certificate of the resource user side to generate the signature information to be verified.
In a fifth aspect, an embodiment of the present application provides an apparatus, including:
a processor, a memory and a bus, where the processor is connected to the memory through the bus, and the memory stores computer-readable instructions which, when executed by the processor, implement the method as provided in the first aspect or any implementation of the first aspect.
In a sixth aspect, the present application provides a readable storage medium on which a computer program is stored, where the computer program, when executed by a server, implements the steps of the method as provided in the first aspect or any implementation of the first aspect.
In a seventh aspect, an embodiment of the present application provides an apparatus, including: a processor, a memory and a bus, the processor being connected to the memory via the bus, the memory storing computer readable instructions for implementing the steps of the method as provided by any of the embodiments of the second aspect and the first aspect when the computer readable instructions are executed by the processor.
In an eighth aspect, the present application provides a readable storage medium on which a computer program is stored, where the computer program, when executed by a server, implements the steps of the method as provided in the second aspect or any implementation of the second aspect.
Additional features and advantages of the present application will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by the practice of the embodiments of the present application. The objectives and other advantages of the application may be realized and attained by the structure particularly pointed out in the written description and claims hereof as well as the appended drawings.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are required to be used in the embodiments of the present application will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present application and therefore should not be considered as limiting the scope, and that those skilled in the art can also obtain other related drawings based on the drawings without inventive efforts.
Fig. 1 is a schematic structural diagram of a system for authorization authentication according to an embodiment of the present application;
Fig. 2 is an interaction flowchart of a method for authorization authentication according to an embodiment of the present application;
Fig. 3 is a schematic structural diagram of a resource server for authorization authentication according to an embodiment of the present application;
Fig. 4 is a schematic structural diagram of a resource user side for authorization authentication according to an embodiment of the present application;
Fig. 5 is a schematic structural diagram of an apparatus according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. The components of the embodiments of the present application, generally described and illustrated in the figures herein, can be arranged and designed in a wide variety of different configurations. Thus, the following detailed description of the embodiments of the present application, presented in the accompanying drawings, is not intended to limit the scope of the claimed application, but is merely representative of selected embodiments of the application. All other embodiments, which can be derived by a person skilled in the art from the embodiments of the present application without making any creative effort, shall fall within the protection scope of the present application.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures. Meanwhile, in the description of the present application, the terms "first", "second", and the like are used only for distinguishing the description, and are not to be construed as indicating or implying relative importance.
Referring to fig. 1, fig. 1 is a schematic structural diagram of an authorization authentication system according to an embodiment of the present application, where the system 100 includes: resource clients 110, third party clients 120, third party servers 130, and resource servers 140.
In order for the third party client 120 to access the protected user resource in the resource server 140, the third party client 120 sends an authorization request to the resource server 140 through the third party server 130; the resource server 140 obtains the authorization from the resource client 110, verifies the authorization, generates a temporary credential after the verification is passed, and then sends the temporary credential to the third-party client 120; the third party client 120 uses the temporary credential to obtain the authorization token from the resource server 140 through the third party server 130, and the third party server 130 obtains the protected user resource from the resource server 140 by using the authorization token, thereby completing the authentication process of authorizing the protected user resource to the third party server 130 by the resource server 140. The processing procedure is consistent with the flow of the OAuth2.0 protocol, so that the technical scheme of the application has compatibility with the OAuth2.0 protocol.
It should be noted that, in the embodiment of the present application, the resource client 110 may be a user terminal that has the right to grant access to protected resources, and may be a mobile phone, a tablet computer, a notebook computer, a palmtop computer or a wearable device, but the present application is not limited thereto; the resource server 140 may be a server that hosts protected resources and is capable of receiving and responding to requests for protected resources made with access tokens, or an authorization server, i.e., a server that a service provider dedicates to handling authentication and authorization; the third-party client 120 may be the resource owner, or an application or browser that the resource owner authorizes to issue requests for protected resources; and the third-party server 130 may be the back-end server corresponding to the third-party client 120.
As an embodiment, the resource client 110 is a client of the internet protocol (an internet protocol APP), the resource server 140 is the background server of the internet protocol and is also the authorization server of the open platform of the internet protocol, the third-party client 120 is a browser that wants to access a protected resource in the resource server 140, and the third-party server 130 is the background server corresponding to the third-party client 120.
Fig. 2 is an interaction flowchart of an authorization authentication method according to an embodiment of the present application; referring to fig. 2, the method includes the following steps:
201, authorization request.
As an embodiment, the third-party client sends an authorization request to the third-party server to request to access the user resource information stored in the resource server;
it should be noted that the resource server may be a medical network communication server, and the user resource information may be a user account name, an account password, an image, a video, a text, and an audio stored in the medical network communication server, but the application is not limited thereto.
202, authorization request.
The third-party server acquires the authorization request and sends the authorization request to the resource server;
203, response message.
Obtaining an authorization request sent by a third-party server;
and sending a response message to the third-party server according to the authorization request, wherein the response message comprises the identification information of the authorization request and a random number, and the random number is used for the resource user side to carry out digital signature.
As an embodiment, the resource server obtains an authorization request sent by a third-party server, and sends a response message to the third-party server according to the authorization request, where the response message includes identification information of the authorization request and a random number, and the random number is used for the resource client to perform digital signature.
It should be noted that, in the embodiment of the present application, the response message may be presented as a two-dimensional code (QR code), a barcode or a link, but the present application is not limited thereto; the identification information of the authorization request 202 may be an ID of the authorization request, a Uniform Resource Locator (URL), or an IP address of the third-party server, but the application is not limited thereto.
In the implementation process, the response message is sent to the third-party server according to the authorization request, so that the resource user side can conveniently carry out digital signature on the random number in the response message by using the personal digital certificate, the identity authentication of the resource user side is further facilitated, and the leakage of the identity information of the user is effectively avoided.
204, response message.
205, presenting the response message.
As an embodiment, the third-party server sends the response message to the third-party client, and the third-party client presents the received response message to the resource user side in the form of a two-dimensional code, and the response message includes the ID of the authorization request and the random number for the resource user side to perform digital signature.
After sending the response message to the third party server according to the authorization request, the method further comprises:
determining whether the resource user side receives the response message within a preset time;
if not, sending an updated response message to the third-party server according to the authorization request, wherein the updated response message comprises the identification information of the authorization request and the updated random number;
and repeating the process until the resource user side receives the response message, wherein the signature information to be verified is obtained by the resource user side performing digital signature on the random number in the received response message.
As an embodiment, after the resource server sends a response message to the third-party server according to the authorization request, whether the resource user side receives the response message within a preset time is also judged in a polling manner;
if not, the resource server sends an updated response message to the third-party server according to the authorization request, wherein the updated response message comprises the identification information of the authorization request and the updated random number; and repeating the judging process until the resource user side receives the response message, wherein the response message sent each time comprises the identification information of the authorization request and the random number, and the identification information of the authorization request in the response message sent each time is the same, but the random number is different.
In the embodiment of the present application, the preset time may be 60 seconds, 90 seconds, or 120 seconds, but the present application is not limited thereto.
If yes, the subsequent authentication flow is executed.
In the implementation process, whether the resource user side receives the response message within the preset time is judged; if not, the response message is retransmitted and the judgment is repeated until the resource user side receives it. Every response message sent carries the identification information of the authorization request and a random number; the identification information is the same in each retransmission while the random number differs. The random number in the response message is therefore protected: a random number that an attacker intercepts from an earlier message is superseded and cannot be used to attack the flow.
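The retransmission loop just described (same request ID, fresh random number on every resend, old random numbers no longer accepted) is the piece that limits what an intercepted random number is worth. The following Go program is an added example written for this page, not code from the patent or its applicant; it models only the resource server's bookkeeping, uses an injectable clock so the preset time can be simulated, and the names `ResourceServer`, `Respond`, `Poll`, `MarkReceived` and `CheckNonce` are the example's own.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"time"
)

// ResponseMessage is what the resource server returns to the third-party
// server: the authorization request ID and the random number to be signed.
type ResponseMessage struct {
	RequestID string
	Nonce     string
}

// pendingRequest tracks one authorization request whose current response
// message has not yet been confirmed as received by the resource user side.
type pendingRequest struct {
	msg      ResponseMessage
	sentAt   time.Time
	received bool
}

// ResourceServer keeps pending requests by ID; only the random number
// currently issued for a request is ever accepted for signing.
type ResourceServer struct {
	now     func() time.Time // injectable clock; a deployment would use time.Now
	timeout time.Duration    // the "preset time" of the text
	pending map[string]*pendingRequest
}

func NewResourceServer(now func() time.Time, timeout time.Duration) *ResourceServer {
	return &ResourceServer{now: now, timeout: timeout, pending: map[string]*pendingRequest{}}
}

// newNonce draws 16 bytes from the OS CSPRNG.
func newNonce() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// Respond issues the first response message for an authorization request.
func (s *ResourceServer) Respond(requestID string) ResponseMessage {
	m := ResponseMessage{RequestID: requestID, Nonce: newNonce()}
	s.pending[requestID] = &pendingRequest{msg: m, sentAt: s.now()}
	return m
}

// MarkReceived records that the resource user side obtained the current
// message (for instance the third-party client reported a successful scan).
func (s *ResourceServer) MarkReceived(requestID string) {
	if p, ok := s.pending[requestID]; ok {
		p.received = true
	}
}

// Poll is one iteration of the polling loop: if the current message has not
// been received within the preset time, it is replaced by one with the same
// request ID and a new random number. The second return value reports
// whether a retransmission happened.
func (s *ResourceServer) Poll(requestID string) (ResponseMessage, bool) {
	p, ok := s.pending[requestID]
	if !ok {
		return ResponseMessage{}, false
	}
	if p.received || s.now().Sub(p.sentAt) < s.timeout {
		return p.msg, false
	}
	p.msg = ResponseMessage{RequestID: requestID, Nonce: newNonce()}
	p.sentAt = s.now()
	return p.msg, true
}

// CheckNonce is the check the later signature verification relies on: a
// random number from a superseded message is rejected.
func (s *ResourceServer) CheckNonce(requestID, presented string) error {
	p, ok := s.pending[requestID]
	if !ok {
		return fmt.Errorf("unknown authorization request %q", requestID)
	}
	if presented != p.msg.Nonce {
		return fmt.Errorf("random number is not the one currently issued for %q", requestID)
	}
	return nil
}

func main() {
	clock := time.Date(2021, 3, 17, 9, 0, 0, 0, time.UTC) // constructed start time
	srv := NewResourceServer(func() time.Time { return clock }, 60*time.Second)
	first := srv.Respond("req-1")
	clock = clock.Add(61 * time.Second) // nobody scanned the code within the preset time
	second, resent := srv.Poll("req-1")
	fmt.Println(resent, first.RequestID == second.RequestID, first.Nonce != second.Nonce) // true true true
	fmt.Println(srv.CheckNonce("req-1", first.Nonce) != nil)                            // true: stale nonce rejected
	fmt.Println(srv.CheckNonce("req-1", second.Nonce))                                  // <nil>
}
```

The server never accepts a random number that the client merely claims to have received; `CheckNonce` compares against the server's own current record, which is the defender-side reading of the note below that the random number "may be generated by the resource server and stored locally".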
206, acquiring the response message and digitally signing the random number in it to generate the signature information to be verified.
207, sending the signature information to be verified to the resource server.
Acquiring a response message, wherein the response message comprises identification information of the authorization request and a random number;
performing digital signature on the random number based on a digital certificate of a resource user side to generate signature information to be verified;
and sending the signature information to be verified and the identification information of the authorization request to the resource server.
As an embodiment, the resource user side obtains the response message by scanning the two-dimensional code presented at the third-party client, where the response message includes the ID of the authorization request and the random number;
the resource user side digitally signs the random number in the received response message with the personal digital certificate to generate the signature information to be verified, which comprises:
performing a function operation on the random number to generate a digest;
and encrypting the digest with the private key of the digital certificate of the resource user side to generate the signature information to be verified.
Specifically, a hash algorithm is used to perform the function operation on the random number and generate the digest, and then the private key of the digital certificate of the resource user side is used to encrypt the digest and generate the signature information to be verified.
It should be noted that the digital certificate of the resource user side is an authoritative certificate issued by a certificate authority; it contains the personal information of the user and the public key of the user, and carries the signature of the certificate authority, so that the security and integrity of the user identity information can be guaranteed.
In one embodiment, the resource client sends the signature information to be verified and the identification information of the authorization request in the response message to the resource server.
As another embodiment, the resource user side sends the signature information to be verified, the identification information of the authorization request in the response message, the random number in the response message, and the personal digital certificate to the resource server.
In the implementation process, the random number in the response message is digitally signed based on the digital certificate, which facilitates identity authentication of the resource user side, effectively avoids the user information leakage that account-and-password authentication causes in the authorization authentication process, and further improves the security of the user identity information.
208, performing signature verification.
Acquiring signature information to be verified and identification information of an authorization request sent by a resource user side, wherein the authorization request is used for a third-party server to apply for accessing protected user resource information in a resource server;
carrying out signature authentication on the signature information to be verified to generate an authentication result, wherein the authentication result is used for representing whether the identity of the resource user side is legal or not;
and when the resource user side is legal, executing an authentication process that the resource server authorizes the user resource information to the third-party server.
As an embodiment, a resource server obtains signature information to be verified and identification information of an authorization request sent by a resource user side;
as another embodiment, the resource server obtains signature information to be verified, identification information of an authorization request in a response message, a random number in the response message, and a personal digital certificate, which are sent by a resource user side;
carrying out signature authentication on the signature information to be verified to generate an authentication result, wherein the authentication result is used for representing whether the identity of the resource user side is legal or not;
and when the resource user side is legal, executing an authentication process that the resource server authorizes the user resource information to the third-party server.
Decrypting the signature information to be verified with the public key of the resource user side to obtain a decrypted digest;
performing a function operation on the random number in the response message received by the resource user side to generate a random number digest;
and verifying whether the identity of the resource user side is legal according to the decrypted digest and the random number digest.
As an embodiment, signature authentication is performed on the acquired signature information to be verified to generate an authentication result;
specifically, the public key of the resource user side contained in the digital certificate is used to decrypt the signature information to be verified and obtain a decrypted digest;
further, a hash algorithm is used to perform the function operation on the random number in the response message received by the resource user side and generate a random number digest;
it should be noted that the random number used here may be the one sent by the resource client, or the one generated by the resource server and stored locally.
The decrypted digest is compared with the random number digest to judge whether the identity of the resource user side is legal;
if the decrypted digest is the same as the random number digest, the identity of the resource user side is legal: the content sent by the resource user side has not been tampered with, the identity of the resource user side is authenticated, and the certificate holder agrees to the authorization, that is, the user of the resource user side agrees to authorize the resource stored in the resource server to the third-party server.
If the decrypted digest differs from the random number digest, the identity of the resource user side is illegal, which indicates that the user resource information the third-party server wants to access has not been authorized by the user, and the authorization authentication process ends.
In the implementation process, the identity of the authorizing user is confirmed by digital certificate signature and signature verification, so the identity of the resource user side can be effectively authenticated, the authorization of the user can be obtained safely and effectively, and the risk of user information leakage from authentication by user name and password is further avoided.
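Steps 206 to 208 above describe signing the random number with the private key behind the user's certificate and checking that signature on the resource server. The following Go program is an added example written for this page, not code from the patent or its applicant. It assumes a self-signed certificate in place of the CA-issued one (the patent's resource server would additionally validate the CA chain), a 2048-bit RSA key with SHA-256 and PKCS#1 v1.5 (the patent names no particular algorithm), and a map `issuedNonces` standing in for the resource server's local record of the random number issued for each authorization request; `UserCredential`, `Sign` and `Verify` are the example's own names. `rsa.VerifyPKCS1v15` performs the "decrypt with the public key and compare digests" step the text describes.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// UserCredential is what the resource user side holds: its private key and
// the certificate carrying the matching public key. The certificate is
// self-signed here (assumption for the example only).
type UserCredential struct {
	Key  *rsa.PrivateKey
	Cert *x509.Certificate
}

// NewUserCredential generates a 2048-bit RSA key and a one-day certificate.
func NewUserCredential(commonName string) (*UserCredential, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: commonName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &UserCredential{Key: key, Cert: cert}, nil
}

// Sign is the resource user side's step 206: hash the random number (the
// digest of the text) and sign the digest with the certificate's private key.
func (u *UserCredential) Sign(nonce []byte) ([]byte, error) {
	digest := sha256.Sum256(nonce)
	return rsa.SignPKCS1v15(rand.Reader, u.Key, crypto.SHA256, digest[:])
}

// Verify is the resource server's step 208. issuedNonces is the server's own
// record of the random number it issued for each authorization request, so
// the digest is recomputed from the stored value rather than from a random
// number supplied by the client.
func Verify(issuedNonces map[string][]byte, requestID string, cert *x509.Certificate, sig []byte) error {
	nonce, ok := issuedNonces[requestID]
	if !ok {
		return fmt.Errorf("no pending authorization request %q", requestID)
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return errors.New("certificate does not carry an RSA public key")
	}
	if now := time.Now(); now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return errors.New("certificate is outside its validity period")
	}
	digest := sha256.Sum256(nonce)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return fmt.Errorf("identity of resource user side is illegal: %w", err)
	}
	return nil
}

func main() {
	user, err := NewUserCredential("resource user")
	if err != nil {
		panic(err)
	}
	// constructed sample: the random number the server issued for request req-1
	issued := map[string][]byte{"req-1": []byte("constructed-random-number")}
	sig, err := user.Sign(issued["req-1"])
	if err != nil {
		panic(err)
	}
	fmt.Println("verify:", Verify(issued, "req-1", user.Cert, sig)) // verify: <nil>
}
```

Because the server hashes its own stored random number, a signature over a random number chosen by the client, or over the random number of a different request, fails verification even when the signature itself is mathematically valid for the presented certificate.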
209, generating the temporary credential after the verification passes.
210, polling for the temporary credential.
When the resource user side is legal, the resource server generates a temporary credential;
and meanwhile the resource server polls for the temporary credential, which indicates that the resource user side agrees to authorize the protected user resource information to the third-party client served by the third-party server.
The resource server sends the temporary credential to the third-party client, where the temporary credential is used by the third-party server to exchange for an authorization token at the resource server;
as an embodiment, when the resource user side passes identity authentication, that is, the identity of the resource user side is legal, the resource server generates a temporary credential and sends it to the third-party client;
the temporary credential in the embodiment of the present application is disposable and time-limited; its validity period may be 30 seconds, 45 seconds, or 60 seconds, but the present application is not limited thereto. After the period is exceeded, the resource server generates a new temporary credential, which has the same function and effect as the original but different contents. Once the third-party server has exchanged the temporary credential with the resource server for an authorization token, the temporary credential becomes invalid.
211, sending the temporary credential to the third-party server.
212, sending the temporary credential to the resource server.
In one embodiment, the third-party client sends the temporary credential to the third-party server, where the temporary credential is used by the third-party server to exchange for an authorization token at the resource server;
after the third-party server obtains the temporary credential, it sends the temporary credential to the resource server in encrypted form: a security label and the temporary credential are placed in the communication message and encrypted together to produce the encrypted temporary credential. After the resource server receives the encrypted temporary credential, it checks the security label to judge whether the communication message has been tampered with or intercepted, so that the communication security between the third-party server and the resource server is guaranteed.
In the implementation process, the communication between the third-party server and the resource server is transmitted in encrypted form and the communication message is additionally verified, so illegal calls can be effectively shielded and the security of the user authorization information is further ensured.
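Step 212 above sends the temporary credential together with a security label, encrypted as one message, and has the resource server check the label to detect tampering. The patent does not name a cipher or say how the label is chosen; the following Go program is an added example for this page, not code from the patent or its applicant, and assumes AES-256-GCM under a key the two servers already share, a JSON payload, and a label equal to the registered identifier the resource server expects from that third-party server. `Seal`, `Open` and `payload` are the example's own names.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// payload is the content of the communication message: the security label
// and the temporary credential travel together and are encrypted as a unit,
// so neither can be altered or swapped without detection.
type payload struct {
	SecurityLabel string `json:"label"`
	Credential    string `json:"credential"`
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal is the third-party server side: encrypt label and credential under the
// shared key. The random GCM nonce is prepended to the ciphertext.
func Seal(key []byte, label, credential string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	plain, err := json.Marshal(payload{SecurityLabel: label, Credential: credential})
	if err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plain, nil), nil
}

// Open is the resource server side: the GCM authentication tag rejects any
// modified or truncated message, and the decrypted security label must equal
// the label expected from this third-party server.
func Open(key []byte, expectedLabel string, msg []byte) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	if len(msg) < gcm.NonceSize() {
		return "", errors.New("communication message too short")
	}
	nonce, ct := msg[:gcm.NonceSize()], msg[gcm.NonceSize():]
	plain, err := gcm.Open(nil, nonce, ct, nil)
	if err != nil {
		return "", fmt.Errorf("communication message tampered with or intercepted: %w", err)
	}
	var p payload
	if err := json.Unmarshal(plain, &p); err != nil {
		return "", err
	}
	if p.SecurityLabel != expectedLabel {
		return "", fmt.Errorf("security label %q does not match expected %q", p.SecurityLabel, expectedLabel)
	}
	return p.Credential, nil
}

func main() {
	key := make([]byte, 32) // constructed all-zero AES-256 key, for the demo only
	msg, err := Seal(key, "client-42", "constructed-temporary-credential")
	if err != nil {
		panic(err)
	}
	fmt.Println(Open(key, "client-42", msg)) // constructed-temporary-credential <nil>
	msg[len(msg)-1] ^= 1                     // one flipped ciphertext bit
	fmt.Println(Open(key, "client-42", msg)) // empty credential and a tampering error
}
```

The label check catches a valid message that was sealed for a different third-party server; the AEAD tag catches any bit-level change. Neither check protects against replay of an unmodified message, which is what the one-time property of the temporary credential itself is for.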
213, the temporary credential is verified and an authorization token is generated.
214, feeding back the authorization token.
215, the authorization token is exchanged for user resource information.
Generating an authorization token according to first feedback information sent by the third-party server, wherein the first feedback information is generated by the third-party server according to the temporary credential sent by the third-party client;
sending the authorization token to the third-party server, wherein the authorization token is used by the third-party server to exchange for user resource information at the resource server;
and generating user resource information according to second feedback information sent by the third-party server, wherein the second feedback information carries the authorization token.
As an embodiment, the resource server verifies the received temporary credential, generates an authorization token after the verification passes, and feeds the generated authorization token back to the third-party server;
it should be noted that, in the embodiment of the present application, the first feedback information is generated by the third-party server according to the temporary credential sent by the third-party client, that is, the first feedback information may include the temporary credential.
And after receiving the authorization token, the third-party server sends the authorization token to the resource server, and the user resource information is exchanged for the resource server through the authorization token.
It should be noted that, in the embodiment of the present application, the second feedback information is generated according to the authorization token, and it can also be understood that the second feedback information carries the authorization token.
216, generating the user resource information according to the authorization token.
217, sending the user resource information to the third-party server.
As an embodiment, after obtaining the authorization token, the resource server generates the user resource information, and at the same time the authorization token becomes invalid; the resource server then sends the generated user resource information to the third-party server.
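Steps 209 to 217 above form one procedure: a one-time, time-limited temporary credential is issued once the user's identity is verified, exchanged for an authorization token, and the token in turn is exchanged for the user resource information and then invalidated. The following Go program is an added example for this page, not code from the patent or its applicant; it models the resource server's side only, with an injectable clock, an assumed binding of each credential and token to the third-party server it was issued to, and a constructed `resources` map standing in for the protected user resource information. `AuthorizationStore`, `IssueCredential`, `ExchangeCredential` and `RedeemToken` are the example's own names.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// grant is the resource server's record behind one temporary credential or
// one authorization token.
type grant struct {
	clientID string    // third-party server it was issued to (assumed binding)
	userID   string    // resource user who approved the authorization
	expires  time.Time // credentials expire by time; tokens here expire by use only
	used     bool
}

// AuthorizationStore is the resource server's bookkeeping for steps 209-217.
type AuthorizationStore struct {
	now         func() time.Time
	credTTL     time.Duration
	credentials map[string]*grant
	tokens      map[string]*grant
	resources   map[string]string // userID -> protected user resource information
}

func NewAuthorizationStore(now func() time.Time, credTTL time.Duration, resources map[string]string) *AuthorizationStore {
	return &AuthorizationStore{now: now, credTTL: credTTL, credentials: map[string]*grant{}, tokens: map[string]*grant{}, resources: resources}
}

// randomString draws 16 bytes from the OS CSPRNG; credentials and tokens must
// be unguessable because possession alone redeems them.
func randomString() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// IssueCredential runs after the user side's signature verified as legal
// (step 209): a disposable, time-limited temporary credential.
func (s *AuthorizationStore) IssueCredential(clientID, userID string) string {
	c := randomString()
	s.credentials[c] = &grant{clientID: clientID, userID: userID, expires: s.now().Add(s.credTTL)}
	return c
}

// ExchangeCredential handles the first feedback information (step 213): the
// credential must exist, belong to the caller, and be unused and unexpired;
// it is consumed and an authorization token is returned.
func (s *AuthorizationStore) ExchangeCredential(clientID, cred string) (string, error) {
	g, ok := s.credentials[cred]
	if !ok || g.clientID != clientID {
		return "", errors.New("unknown temporary credential")
	}
	if g.used {
		return "", errors.New("temporary credential already used")
	}
	if s.now().After(g.expires) {
		return "", errors.New("temporary credential expired; a new one must be issued")
	}
	g.used = true
	tok := randomString()
	s.tokens[tok] = &grant{clientID: clientID, userID: g.userID}
	return tok, nil
}

// RedeemToken handles the second feedback information (steps 215-216): the
// token is exchanged for the user resource information and becomes invalid.
func (s *AuthorizationStore) RedeemToken(clientID, tok string) (string, error) {
	g, ok := s.tokens[tok]
	if !ok || g.clientID != clientID {
		return "", errors.New("unknown authorization token")
	}
	if g.used {
		return "", errors.New("authorization token already used")
	}
	g.used = true
	res, ok := s.resources[g.userID]
	if !ok {
		return "", fmt.Errorf("no resource information for user %q", g.userID)
	}
	return res, nil
}

func main() {
	clock := time.Date(2021, 3, 17, 9, 0, 0, 0, time.UTC) // constructed start time
	store := NewAuthorizationStore(func() time.Time { return clock }, 30*time.Second,
		map[string]string{"user-7": "constructed profile of user-7"})
	cred := store.IssueCredential("client-42", "user-7")
	tok, err := store.ExchangeCredential("client-42", cred)
	fmt.Println(err)                                   // <nil>
	fmt.Println(store.ExchangeCredential("client-42", cred)) // second use: error
	fmt.Println(store.RedeemToken("client-42", tok))   // constructed profile of user-7 <nil>
	fmt.Println(store.RedeemToken("client-42", tok))   // second use: error
}
```

The 30-second validity period in the demo is one of the values the text lists; the expiry check is performed at exchange time against the server's clock, so a credential that the third-party server holds past its period is simply refused and a fresh one has to be issued, as the text describes.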
218, completing authorized access according to the user resource information.
219, the access succeeds.
As an embodiment, after obtaining the user resource information, the third-party server performs self-service processing according to the user resource information, that is, performs access according to the user resource information, and after the access is successful, the third-party client completes authorized access and can perform corresponding access operation.
In the implementation process, identity authentication is carried out based on the digital certificate, after the identity authentication is passed, the user information is released under the premise that the user authorization is allowed according to the OAuth2.0 protocol, the identity of the user can be effectively authenticated, and the identity information of the user is ensured not to be cracked and stolen, so that the safe sharing of the user resource information is realized.
Referring to fig. 3, fig. 3 is a schematic structural diagram of a resource server for authorization and authentication provided in an embodiment of the present application, where the resource server 140 is applied to the method for authorization and authentication shown in fig. 2, specifically, as shown in fig. 3, the resource server 140 includes:
a first obtaining unit 141 and a first processing unit 142;
in one embodiment, the first obtaining unit is configured to obtain signature information to be verified and identification information of an authorization request sent by a resource user, where the authorization request is used for a third-party server to apply for accessing protected user resource information in a resource server; the first processing unit is used for performing signature authentication on the signature information to be verified to generate an authentication result, wherein the authentication result is used for representing whether the identity of the resource user side is legal or not; the first processing unit is further configured to execute an authentication process in which the resource server authorizes the user resource information to the third-party server when the resource user side is a legal identity.
In one embodiment, the first obtaining unit, before being configured to obtain the signature information to be verified and the identification information of the authorization request sent by the resource user side, is further configured to: obtaining an authorization request sent by a third-party server; and sending a response message to the third-party server according to the authorization request, wherein the response message comprises the identification information of the authorization request and a random number, and the random number is used for the resource user side to carry out digital signature.
In one embodiment, the first processing unit is further configured to: judging whether the resource user side receives a response message within preset time; if not, sending an updated response message to the third-party server according to the authorization request, wherein the updated response message comprises the identification information of the authorization request and the updated random number; and repeating the process until the resource user side receives the response message, wherein the signature information to be verified is obtained by the resource user side performing digital signature on the random number in the received response message.
In one embodiment, the first processing unit is specifically configured to: decrypting the signature information to be verified by using a public key of the resource user side to obtain a decrypted abstract; performing function operation on the random number in the response message received by the resource user side to generate a random number abstract; and verifying whether the identity of the resource user side is legal or not according to the decryption abstract and the random number abstract.
In one embodiment, the first processing unit is specifically configured to: when the resource user side is legal, generate a temporary credential and send it to the third-party client, wherein the temporary credential is used by the third-party server to exchange for an authorization token at the resource server; generate the authorization token according to first feedback information sent by the third-party server, wherein the first feedback information is generated by the third-party server according to the temporary credential sent by the third-party client; send the authorization token to the third-party server, wherein the authorization token is used by the third-party server to exchange for user resource information at the resource server; and generate the user resource information according to second feedback information sent by the third-party server, wherein the second feedback information carries the authorization token.
It should be noted that the resource server 140 provided in fig. 3 can implement the processes of the method related to the authorization authentication of the resource server 140 in the embodiment of the method in fig. 2. The operations and/or functions of the respective modules in the resource server 140 are respectively for implementing the corresponding flows in the method embodiment in fig. 2. Reference may be made specifically to the description of the above method embodiments, and a detailed description is appropriately omitted herein to avoid redundancy.
Referring to fig. 4, fig. 4 is a schematic view of a resource client structure of authorization authentication provided in an embodiment of the present application, where the resource client 110 is applied to the authorization authentication method shown in fig. 2, specifically, as shown in fig. 4, the resource client 110 includes:
a second obtaining unit 111, a second processing unit 112, and a second sending unit 113;
in one embodiment, the second obtaining unit is configured to obtain a response message, where the response message includes identification information of the authorization request and a random number; the second processing unit is used for carrying out digital signature on the random number based on the digital certificate of the resource user side and generating signature information to be verified; and the second sending unit is used for sending the signature information to be verified and the identification information of the authorization request to the resource server.
In one embodiment, the second processing unit is specifically configured to: performing function operation on the random number to generate an encrypted abstract; and encrypting the encrypted abstract based on a private key of a digital certificate of the resource user side to generate signature information to be verified.
It should be noted that the resource client 110 provided in fig. 4 can implement the processes of the method related to the authorization authentication of the resource client 110 in the embodiment of fig. 2. The operations and/or functions of the modules in the resource client 110 are respectively for implementing the corresponding flows in the method embodiment in fig. 2. Reference may be made specifically to the description of the above method embodiments, and a detailed description is appropriately omitted herein to avoid redundancy.
Referring to fig. 5, fig. 5 is a schematic structural diagram of an apparatus provided in an embodiment of the present application, where the apparatus may include: at least one processor 510, such as a CPU, at least one communication interface 520, at least one memory 530, and at least one communication bus 540. Wherein the communication bus 540 is used for realizing direct connection communication of these components. The communication interface 520 of the device in the embodiment of the present application is used for performing signaling or data communication with other node devices. Memory 530 may be a high-speed RAM memory or a non-volatile memory, such as at least one disk memory. Memory 530 may optionally be at least one memory device located remotely from the aforementioned processor. The memory 530 stores computer readable instructions which, when executed by the processor 510, cause the electronic device to perform the method processes of fig. 2.
An embodiment of the present application provides a readable storage medium, where a computer program is stored on the readable storage medium, and when the computer program is executed by a server, the computer program implements the method process shown in fig. 2 executed by a resource client or a resource server.
In the several embodiments provided in the present application, it should be understood that the disclosed system and method may be implemented in other ways. The system embodiments described above are merely illustrative; for example, the division into units is only one kind of logical functional division, and other divisions are possible in actual implementation; for example, a plurality of apparatuses or components may be combined or integrated into another system, or some features may be omitted or not implemented.
In addition, units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
The above description is only an example of the present application and is not intended to limit the scope of the present application, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application shall be included in the protection scope of the present application.

Claims (11)

1. A method for authorization authentication, the method being applied to a resource server, the method comprising:
acquiring signature information to be verified and identification information of an authorization request sent by a resource user side, wherein the authorization request is used for a third-party server to apply for accessing protected user resource information in the resource server;
performing signature authentication on the signature information to be verified to generate an authentication result, wherein the authentication result is used for representing whether the identity of the resource user side is legal or not;
and when the resource user side is legal, executing an authentication process that the resource server authorizes the user resource information to the third-party server.
2. The method according to claim 1, wherein before the obtaining the signature information to be verified and the identification information of the authorization request sent by the resource user side, the method further comprises:
acquiring the authorization request sent by the third-party server;
and sending a response message to the third-party server according to the authorization request, wherein the response message comprises the identification information of the authorization request and a random number, and the random number is used for the resource user side to carry out digital signature.
3. The method of claim 2, wherein after the sending a response message to the third-party server in accordance with the authorization request, the method further comprises:
judging whether the resource user side receives the response message within preset time;
if not, sending an updated response message to the third-party server according to the authorization request, wherein the updated response message comprises the identification information of the authorization request and the updated random number;
and repeating the process until the resource user side receives the response message, wherein the signature information to be verified is obtained by the resource user side performing digital signature on the random number in the received response message.
4. The method according to claim 2 or 3, wherein the signature authentication of the signature information to be verified and the generation of the authentication result comprise:
decrypting the signature information to be verified with the public key of the resource user side to obtain a decrypted digest;
performing a function operation on the random number in the response message received by the resource user side to generate a random number digest;
and verifying whether the identity of the resource user side is legal according to the decrypted digest and the random number digest.
5. The method according to any one of claims 1 to 3, wherein the performing, when the resource user side is a legal identity, an authentication process for the resource server to authorize the user resource information to the third-party server includes:
when the resource user side is legal, generating a temporary credential and sending the temporary credential to a third-party client, wherein the temporary credential is used by the third-party server to exchange for an authorization token at the resource server;
generating the authorization token according to first feedback information sent by the third-party server, wherein the first feedback information is generated by the third-party server according to the temporary credential sent by the third-party client;
sending the authorization token to the third-party server, wherein the authorization token is used for the third-party server to exchange the user resource information for the resource server;
and generating the user resource information according to second feedback information sent by the third-party server, wherein the second feedback information carries the authorization token.
6. A method for authorization authentication, the method being applied to a resource user side, the method comprising:
acquiring a response message, wherein the response message comprises identification information of the authorization request and a random number;
performing digital signature on the random number based on the digital certificate of the resource user side to generate signature information to be verified;
and sending the signature information to be verified and the identification information of the authorization request to a resource server.
7. The method according to claim 6, wherein the digitally signing the random number based on the digital certificate of the resource user side to generate the signature information to be verified comprises:
performing a function operation on the random number to generate a digest;
and encrypting the digest with the private key of the digital certificate of the resource user side to generate the signature information to be verified.
8. A resource server for authorization authentication, the resource server comprising:
a first obtaining unit, configured to obtain signature information to be verified and identification information of an authorization request sent by a resource user side, wherein the authorization request is used for a third-party server to apply for accessing protected user resource information in the resource server;
the first processing unit is used for performing signature authentication on the signature information to be verified to generate an authentication result, wherein the authentication result is used for representing whether the identity of the resource user side is legal or not;
the first processing unit is further configured to execute an authentication process in which the resource server authorizes the user resource information to the third-party server when the resource user side is a legal identity.
9. A resource client for authorization authentication, the resource client comprising:
a second obtaining unit, configured to obtain a response message, where the response message includes identification information of the authorization request and a random number;
the second processing unit is used for carrying out digital signature on the random number based on the digital certificate of the resource user side and generating signature information to be verified;
and the second sending unit is used for sending the signature information to be verified and the identification information of the authorization request to a resource server.
10. An apparatus, comprising:
a processor, a memory, and a bus, the processor being connected to the memory through the bus, the memory storing computer readable instructions for implementing the method of any one of claims 1-7 when the computer readable instructions are executed by the processor.
11. A computer-readable storage medium, having stored thereon a computer program which, when executed by a server, implements the method of any one of claims 1-7.
CN202110288236.XA, filed 2021-03-17 (priority date 2021-03-17): Authorization authentication method, resource server, resource user, equipment and medium. Active; granted as CN112861089B (en).

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN202110288236.XA (CN112861089B) | 2021-03-17 | 2021-03-17 | Authorization authentication method, resource server, resource user, equipment and medium


Publications (2)

Publication Number | Publication Date
CN112861089A (this publication) | 2021-05-28
CN112861089B (granted) | 2024-02-20

Family ID: 75995201


Country Status (1)

Country Link
CN (1) CN112861089B (en)

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113312653A (en) * 2021-06-25 2021-08-27 中国农业银行股份有限公司 Open platform authentication and authorization method, device and storage medium
CN113609528A (en) * 2021-07-14 2021-11-05 洛阳小行家科技有限公司 Data authorization circulation method and system based on digital pass
CN113656785A (en) * 2021-07-30 2021-11-16 中金金融认证中心有限公司 Method for identity authentication and authentication service of bank user and related product
CN113672884A (en) * 2021-08-23 2021-11-19 浙江大华技术股份有限公司 Identity authentication method, identity authentication device, storage medium and identity authentication equipment
WO2023087704A1 (en) * 2021-11-16 2023-05-25 深圳前海微众银行股份有限公司 Traceable picture authorization method and apparatus
CN114338031A (en) * 2021-11-22 2022-04-12 珠海格力电器股份有限公司 Data sharing method and device, electronic equipment and storage medium
CN114117551A (en) * 2021-11-26 2022-03-01 深圳前海微众银行股份有限公司 Access verification method and device
CN114117551B (en) * 2021-11-26 2022-12-27 深圳前海微众银行股份有限公司 Access verification method and device
CN114244533A (en) * 2021-12-21 2022-03-25 掌阅科技股份有限公司 Resource transmission method, terminal and storage medium

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5926549A (en) * 1996-02-12 1999-07-20 Bull S.A. Process for verifying the preservation of the integrity of an unprotected request sent by a client to a server by verifying the integrity of the response
US20070198848A1 (en) * 2006-02-22 2007-08-23 Bjorn Vance C Method and apparatus for a token
WO2008122627A1 (en) * 2007-04-05 2008-10-16 Infineon Technologies Ag Communication terminal device, communication device, electronic card, method for a communication terminal device and method for a communication device for providing a verification
CN101674304A (en) * 2009-10-15 2010-03-17 浙江师范大学 Network identity authentication system and method
US20140189808A1 (en) * 2012-12-28 2014-07-03 Lookout, Inc. Multi-factor authentication and comprehensive login system for client-server networks
CN107454115A (en) * 2017-10-10 2017-12-08 北京奇艺世纪科技有限公司 Digest authentication method and digest authentication system
CN109672537A (en) * 2019-01-18 2019-04-23 如般量子科技有限公司 Anti-quantum certificate acquisition system and acquisition method based on a public key pool
US10484372B1 (en) * 2015-12-14 2019-11-19 Amazon Technologies, Inc. Automatic replacement of passwords with secure claims

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
李昊星: "Research on Key Technologies for Secure Access to Outsourced Data in Cloud Environments", Information Science and Technology, no. 1, pages 20-40 *

Also Published As

Publication number Publication date
CN112861089B (en) 2024-02-20

Similar Documents

Publication Publication Date Title
CN112861089B (en) Authorization authentication method, resource server, resource user, equipment and medium
CN110519309B (en) Data transmission method, device, terminal, server and storage medium
CN106453361B (en) Security protection method and system for network information
EP2999189A1 (en) Network authentication method for secure electronic transactions
CN111740844A (en) SSL communication method and device based on hardware cryptographic algorithm
CN109361668A (en) Trusted data transmission method
CN111901346B (en) Identity authentication system
US8321924B2 (en) Method for protecting software accessible over a network using a key device
CN112000951B (en) Access method, device, system, electronic equipment and storage medium
CN108322416B (en) Security authentication implementation method, device and system
US20020032873A1 (en) Method and system for protecting objects distributed over a network
CN111030814A (en) Key negotiation method and device
CN110933078B (en) H5 unregistered user session tracking method
CN109684129B (en) Data backup recovery method, storage medium, encryption machine, client and server
EP2414983B1 (en) Secure Data System
CN108769029B (en) Authentication device, method and system for application system
JP5452192B2 (en) Access control system, access control method and program
CN109873819A (en) Method and system for preventing illegal access to server
CN111600948B (en) Cloud platform application and data security processing method, system, storage medium and program based on identification password
CN113918967A (en) Data transmission method, system, computer equipment and medium based on security check
CN114513339A (en) Security authentication method, system and device
CN110891065A (en) Token-based user identity auxiliary encryption method
CN112448958A (en) Domain policy issuing method and device, electronic equipment and storage medium
CN104463584A (en) Method for achieving mobile terminal App safety payment
CN114338201B (en) Data processing method and device, electronic equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant