CN113505353A - Authentication method, device, equipment and storage medium - Google Patents

Authentication method, device, equipment and storage medium

Info

Publication number: CN113505353A
Application number: CN202110779202.0A
Authority: CN (China)
Original language: Chinese (zh)
Legal status: Pending (as listed by Google Patents; the listed status is an assumption, not a legal conclusion)
Prior art keywords: application, information, token, iam, authentication
Inventors: 潘亚玲, 郑彬, 杨旭, 何坤, 陈实, 张曼妮, 薛霁, 廖艳玲, 陈星�, 杨寒飞
Assignees (original and current, as listed by Google Patents): Shenzhou Lvmeng Chengdu Technology Co ltd; Nsfocus Technologies Inc; Nsfocus Technologies Group Co Ltd
Classifications

All under G06F 21/00 (Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity), section G (Physics), class G06 (Computing; calculating or counting), subclass G06F (Electric digital data processing):

    • G06F 21/31 User authentication (under G06F 21/30, Authentication, i.e. establishing the identity or authorisation of security principals)
    • G06F 21/602 Providing cryptographic facilities or services (under G06F 21/60, Protecting data)
    • G06F 21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. a local or distributed file system or database (under G06F 21/62)
    • G06F 21/64 Protecting data integrity, e.g. using checksums, certificates or signatures (under G06F 21/60, Protecting data)

Abstract

The application relates to the technical field of network security and discloses an authentication method, apparatus, device and storage medium. The method is applied to a trusted control device and comprises: verifying application information sent by an application server; after the application information passes verification, obtaining an application authentication request based on the application information and the corresponding target user token; sending the application authentication request to a first IAM so that the first IAM determines application authentication information based on the request; and generating token information in a target format based on the application authentication information returned by the first IAM and sending the token information to the application server. Because the token information always has the same target format, the application server can parse it with uniform service logic and complete application authentication regardless of which IAM performed the authentication.

Description

Authentication method, device, equipment and storage medium
Technical Field
The present application relates to the field of network security technologies, and in particular, to an authentication method, apparatus, device, and storage medium.
Background
Single sign-on (SSO) is widely used in enterprise business integration: a user logs on once and can then access every mutually trusted application system.
In single sign-on, the application server interfaces with a plurality of Identity and Access Management (IAM) systems through a trusted control device. Different IAMs return authentication information according to different interface protocols, so the fields contained in the authentication information received by the application differ from IAM to IAM, and the application server has to be configured with a separate set of service logic for each IAM in order to complete authentication.
Disclosure of Invention
The application provides an authentication method, apparatus, device and storage medium that allow an application server to complete application authentication using unified service logic, whichever IAM performs the authentication.
In a first aspect, an embodiment of the present application provides an authentication method, which is applied to a trusted control device, and the method includes:
verifying the application information sent by the application server;
after the application information is verified, obtaining an application authentication request based on the application information and a corresponding target user token;
sending the application authentication request to a first IAM to enable the first IAM to determine application authentication information based on the application authentication request;
and generating token information in a target format based on the application authentication information sent by the first IAM, and sending the token information to the application server.
According to this scheme, after verifying the application information sent by the application server, the trusted control device obtains an application authentication request based on the application information and the corresponding target user token, and sends that request, in the format the first IAM requires, to the first IAM, which determines the application authentication information from it. The trusted control device then generates token information in a uniform target format from the application authentication information and sends it to the application server. Because the target format is the same for every IAM, the application server parses the token information with a single set of service logic and completes application authentication.
In some optional embodiments, generating token information in a target format based on the application authentication information sent by the first IAM includes:
if the application authentication information contains user information, generating token information conforming to OpenID Connect (OIDC) based on the application authentication information; or
if the application authentication information does not contain user information, sending a request for the user information to the first IAM, receiving the user information sent by the first IAM, and generating token information conforming to OIDC based on the application authentication information together with the received user information.
In some optional embodiments, the obtaining of the application authentication request based on the application information and the corresponding target user token includes:
generating, according to the type of the first IAM, an application authentication request comprising the application identifier and the target user token.
According to this scheme, the trusted control device generates the application authentication request in the format required by the first IAM, so that the first IAM can parse the request correctly and authenticate the application.
In some optional embodiments, before the verifying the application information sent by the application server, the method further includes:
determining a target user token corresponding to an authorization request sent by the application server;
obtaining a token verification request containing the target user token, formatted according to the type of the selected second IAM;
sending the token verification request to the second IAM, and receiving the second IAM's verification information for the target user token;
and if the verification information shows that the target user token passes verification, encrypting the encryption timestamp, the target user token and the application identifier contained in the authorization request to obtain an authorization code, and sending the authorization code to the application server, the authorization code instructing the application server to send the application information.
According to this scheme, before the application is authenticated, the trusted control device builds a token verification request containing the target user token in the format required by the selected second IAM and sends it to the second IAM, which can therefore parse the request correctly, verify the target user token and return verification information. From the verification information the trusted control device determines whether the target user token passed verification. If it did, the target user token is valid; the device encrypts the encryption timestamp, the target user token and the application identifier contained in the authorization request into an authorization code and sends the code to the application server, so that the application server only sends the application information once the target user token has been verified.
In some optional embodiments, the application information comprises an application identifier, an application key and an authorization code;
verifying the application information sent by the application server includes:
decrypting the authorization code contained in the application information to obtain a decrypted user token, a decrypted application identifier and the encryption timestamp;
and if the difference between the encryption timestamp and the current timestamp is smaller than a preset time difference, verifying the application information based on the decrypted application identifier, the application identifier contained in the application information and the application key contained in the application information.
According to this scheme, if the difference between the encryption timestamp and the current timestamp is smaller than the preset time difference, the authorization code has not expired; the device then checks whether the application information matches the authorization code (using the decrypted application identifier and the application identifier contained in the application information) and whether the application key is forged (using the application key contained in the application information).
In some optional embodiments, verifying the application information based on the decrypted application identifier, the application identifier included in the application information, and the application key included in the application information includes:
if the decrypted application identifier is the same as the application identifier contained in the application information, determining the target key corresponding to that application identifier from the stored correspondence between identifiers and keys;
and if the target key is the same as the application key contained in the application information, determining that the application information passes verification, and taking the decrypted user token as the target user token.
According to this scheme, once the authorization code is known not to have expired, the decrypted application identifier is compared with the application identifier contained in the application information; if they are the same, the application information matches the authorization code. The target key corresponding to the application identifier is then looked up and compared with the application key contained in the application information; if they are the same, the application key is not forged and the application information passes verification.
In some optional embodiments, if the authorization request has no corresponding target user token, the method further comprises:
sending the application server a command to display a login interface, and, after receiving the login information sent by the application server, forwarding the login information to a third IAM for authentication;
and receiving the target user token that the third IAM sends once the login information is authenticated, and sending an SSO login credential derived from the target user token to the corresponding user equipment through the application server.
In a second aspect, an embodiment of the present application provides an authentication apparatus, including:
the verification module is used for verifying the application information sent by the application server;
the application authentication request processing module is used for obtaining an application authentication request based on the application information and the corresponding target user token after the application information passes the verification;
the application authentication request processing module is further configured to send the application authentication request to a first IAM, so that the first IAM determines application authentication information based on the application authentication request;
and the token information processing module is used for generating token information in a target format based on the application authentication information sent by the first IAM and sending the token information to the application server.
In a third aspect, an embodiment of the present application provides a trusted control device comprising one or more processors and a memory for storing instructions executable by the processors;
wherein the processor is configured to execute the instructions to implement the authentication method according to any one of the above first aspects.
In a fourth aspect, an embodiment of the present application provides a computer-readable storage medium, in which a computer program is stored, and when the computer program is executed by a processor, the computer program implements the authentication method according to any one of the above first aspects.
In addition, for technical effects brought by any one implementation manner of the second aspect to the fourth aspect, reference may be made to technical effects brought by different implementation manners of the first aspect, and details are not described here.
Drawings
In order to illustrate the technical solutions in the embodiments of the present application more clearly, the drawings needed for describing the embodiments are briefly introduced below. The drawings described below show only some embodiments of the present application; those skilled in the art can derive other drawings from them without inventive effort.
Fig. 1 is a schematic view of an application scenario provided in an embodiment of the present application;
fig. 2 is an interaction flowchart of a first authentication method according to an embodiment of the present application;
fig. 3 is an interaction flowchart of a second authentication method according to an embodiment of the present application;
fig. 4 is a schematic flowchart of an authentication method according to an embodiment of the present application;
fig. 5 is a schematic structural diagram of an authentication apparatus according to an embodiment of the present application;
fig. 6 is a schematic block diagram of a trusted control device according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application clearer, the present application will be described in further detail with reference to the accompanying drawings, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
In the embodiment of the present application, the term "and/or" describes an association relationship of associated objects, and means that there may be three relationships, for example, a and/or B may mean: a exists alone, A and B exist simultaneously, and B exists alone. The character "/" generally indicates that the former and latter associated objects are in an "or" relationship.
The terms "first" and "second" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or the number of technical features indicated. Thus, a feature defined as "first" or "second" may explicitly or implicitly include one or more of that feature. In the description of the present application, "a plurality" means two or more unless otherwise specified.
In the description of the present application, it is to be noted that, unless otherwise explicitly stated or limited, the term "connected" is to be understood broadly, and may for example be directly connected, indirectly connected through an intermediate medium, or be a communication between two devices. The specific meaning of the above terms in the present application can be understood as appropriate by those of ordinary skill in the art.
Single sign-on is widely used in enterprise business integration: a user logs on once and can then access every mutually trusted application system.
In single sign-on, an application server interfaces with a plurality of IAMs through a trusted control device. Different IAMs return authentication information according to different interface protocols, so the fields contained in the authentication information received by the application server differ from IAM to IAM. The application server then has to be configured with different service logic for each IAM (different parsing and different request formats) in order to obtain the authentication information, parse the authentication-related data correctly and complete application authentication.
In order to enable an application server to complete application authentication based on unified service logic, embodiments of the present application provide an authentication method, apparatus, device, and storage medium, which are described in further detail below with reference to the accompanying drawings and specific embodiments.
Fig. 1 is a schematic view of an application scenario according to an embodiment of the present application. The application scenario includes the trusted control device 110, the application server 120, and a plurality of IAMs (fig. 1 takes IAM131 and IAM132 as an example, and there may be more IAMs in actual applications).
In this scenario, the trusted control device 110 verifies the application information sent by the application server 120;
after the application information is verified, the trusted control device 110 obtains an application authentication request based on the application information and the corresponding target user token;
trusted control device 110 sends the application authentication request to a first IAM (IAM131 or IAM132) to cause the first IAM to determine application authentication information based on the application authentication request;
the trusted control device 110 generates token information in a target format based on the application authentication information sent by the first IAM, and sends the token information to the application server 120.
An IAM implements policy-based centralized authorization, auditing, dynamic authorization and similar functions. IAM131 and IAM132 may process application authentication requests over OIDC or other protocols.
In the embodiment of the present application, the trusted control device 110 includes one or more groups of servers, and the servers may be of one or more types.
The application scenarios described above are merely examples of application scenarios for implementing the embodiments of the present application, and the embodiments of the present application are not limited to the application scenarios described above.
The following describes the technical solutions of the present application and how to solve the above technical problems with specific examples. The following several specific embodiments may be combined with each other, and details of the same or similar concepts or processes may not be repeated in some embodiments. Embodiments of the present application will be described below with reference to the accompanying drawings.
Fig. 2 is an interaction flowchart of a first authentication method provided in an embodiment of the present application, and as shown in fig. 2, the method may include:
step S201: the application server sends the application information to the trusted control device.
The application information is the information with which the application server requests authentication of application access. This embodiment does not limit what the application information contains; in some embodiments it includes the application identifier that needs to be authenticated together with other information.
Step S202: the trusted control device verifies the application information, and, after the application information passes verification, obtains an application authentication request based on the application information and the corresponding target user token.
In this embodiment, forged application information could compromise the security of application access, so the application information sent by the application server must be verified. Only after the trusted control device has verified the application information does it build the application authentication request from the verified application information and the corresponding target user token.
As described above, a trusted control device may be connected to multiple IAMs, and different IAMs exchange data over different protocols. Accordingly, in some embodiments, the trusted control device determines which IAM (the first IAM) will authenticate the application and generates an application authentication request in the format that IAM requires, based on the IAM's type. For example:
The trusted control device receives the application information through its token interface processing component and verifies it. After verification passes, it hands the application information and the target user token to its IamAdapter (IAM adapter) component. The IamAdapter component reads the source configuration of the first (current) IAM from the trusted control device's database and determines the type of the first IAM from that configuration. If the first IAM is IAM131, the IamAdapter component generates the following application authentication request, in the format IAM131 requires, from the application identifier contained in the application information and the corresponding target user token:
    "appCode": client_id,
    "userToken": user_token
where the value of the "appCode" field is the application identifier (client_id) and the value of the "userToken" field is the target user token (user_token).
If the first IAM is IAM132, the IamAdapter component generates the following application authentication request, in the format IAM132 requires, from the same application identifier and target user token:
    "client_id": client_id,
    "user_token": user_token
where the value of "client_id" is the application identifier (client_id) and the value of "user_token" is the target user token (user_token).
These are only examples of the application authentication request; the request of this embodiment may take other formats.
Step S203: the trusted control device sends the application authentication request to the first IAM.
In this embodiment, the trusted control device may send the application authentication request to the first IAM in multiple ways, which is not specifically limited in this embodiment. For example:
if the first IAM is the IAM131, the trusted control device sends the application authentication request to the IAM131 through an interface corresponding to the IAM 131; or if the first IAM is the IAM132, the trusted control device sends the application authentication request to the IAM132 through an interface corresponding to the IAM 132.
Step S204: the first IAM determines application authentication information based on the application authentication request.
Having received an application authentication request in its own required format, the first IAM can correctly parse the application identifier and the target user token carried by the request. It then authenticates the application using the application identifier and the target user token and, if authentication passes, generates application authentication information containing an application token.
The embodiment does not limit the specific implementation manner of the application authentication information, for example:
if the first IAM is IAM131, application authentication information of the following form is generated:
[Image in original: application authentication information returned by IAM131, containing an appToken field]
where the application token (the value of appToken) in the application authentication information is data in JSON Web Token (JWT) format.
If the first IAM is IAM132, application authentication information of the following form is generated:
[Image in original: application authentication information returned by IAM132, containing app_token and expires_in fields]
where the application token (the value of app_token) is an opaque random string. This application authentication information also carries the expiration time of the application token (the value of expires_in) but contains no user information.
Step S205: the first IAM sends application authentication information to the trusted control device.
In this embodiment, the first IAM may send the application authentication information to the trusted control device in multiple ways, which is not specifically limited in this embodiment.
Step S206: the trusted control equipment generates token information in a target format based on the application authentication information, and sends the token information to the application server.
The token information in the target format is generated from the application authentication information in, but not limited to, the following ways:
if the application authentication information contains user information, generating token information conforming to OIDC based on the application authentication information; or
if the application authentication information does not contain user information, sending a request for the user information to the first IAM, receiving the user information sent by the first IAM, and generating token information conforming to OIDC based on the application authentication information together with the received user information.
In this embodiment, the format of the application authentication information differs between IAMs. Taking IAM131 and IAM132 as examples:
if the first IAM is IAM131, the application token in the application authentication information is in JWT format, and the trusted control device parses the application token to obtain the following data:
[Image in original: claims parsed from the IAM131 application token]
The parsed data include the expiration time of the application token (the value of expireAt) and the user information.
If the first IAM is IAM132, the application authentication information contains no user information, and the trusted control device additionally has to send IAM132 a request for the user information of the following form:
[Image in original: user information request sent to IAM132, containing user_token and client_id]
where the value of user_token is the target user token and the value of client_id is the application identifier.
After receiving the user information request, IAM132 returns the following user information to the trusted control device:
[Image in original: user information returned by IAM132]
for example, regardless of which IAM returns the application authentication information, the trusted control device packages the application authentication information into Token information in a uniform target format through the Token interface processing component, and sends the Token information to the application server through the Token interface processing component. For example:
taking an application token obtained based on application authentication information as a parameter corresponding to access _ token, taking a preset type as a parameter corresponding to token _ type, taking a 16-system character string obtained based on a current timestamp as a parameter corresponding to refresh _ token, taking the expiration time of the application token as a parameter corresponding to expires _ in, taking a preset duration as a parameter corresponding to refresh _ expires _ in, taking user information as a parameter corresponding to id _ token, taking a user name obtained from the first IAM as a parameter corresponding to user name, taking an application identifier as a parameter corresponding to client _ id, taking the active state (true indicates active and other characters indicate inactive) of the application token as a parameter corresponding to active, taking extra information in the application token as a parameter corresponding to action, and taking the state (0, other characters are abnormal) representing whether the application token is normal or not as a parameter corresponding to code, using the description information of the code as a parameter corresponding to the text; and then token information shown below is obtained:
[Figures BDA0003156982950000122 and BDA0003156982950000131: the token information example, shown as images in the original and not reproduced in text.]
The application server obtains the id_token from the token information, parses the id_token with a parsing key obtained from the trusted control device, and thereby obtains the user login credential used inside the application. The fields contained in the id_token and their corresponding parameters are described in Table 1:
TABLE 1
[Table 1 is shown as image BDA0003156982950000132 in the original and is not reproduced in text.]
According to the scheme, after the application information sent by the application server is verified, the trusted control device obtains an application authentication request based on the application information and the corresponding target user token; it then sends an application authentication request meeting the format requirement of the first IAM to the first IAM, and the first IAM determines the application authentication information based on that request. The trusted control device generates token information in a uniform target format based on the application authentication information and sends it to the application server, and the application server parses the token information with uniform service logic for the target format to complete application authentication.
Fig. 3 is an interaction flowchart of a second authentication method provided in an embodiment of the present application, and as shown in fig. 3, the method may include:
step S301: and the trusted control equipment determines a target user token corresponding to the authorization request sent by the application server.
In this embodiment, the authorization request sent by the application server may or may not have a corresponding target user token. The trusted control device may determine whether the authorization request has a corresponding target user token by, but not limited to:
after receiving the authorization request through the authorization interface processing component, the trusted control device first checks whether the header of the authorization request contains an SSO login credential, such as the data value corresponding to auth_session (the identity verification field); if no SSO login credential is present, it determines that the authorization request has no corresponding target user token;
if an SSO login credential is present, it looks up the user token in Redis (Remote Dictionary Server) based on the SSO login credential, and determines the user token found as the target user token corresponding to the authorization request.
In this embodiment, if the authorization request does not have a corresponding target user token, before step S301, a user token needs to be acquired. The present embodiment may obtain the user token through, but is not limited to, the following ways:
the trusted control device sends a command to display a login interface to the application server, and after receiving the login information sent by the application server, sends the login information to a third IAM for authentication;
it then receives the target user token sent by the third IAM after the login information is authenticated, and sends an SSO login credential derived from the target user token to the corresponding user equipment through the application server.
For example, after the trusted control device determines that the authorization request does not include an SSO login credential, it instructs the application server to return a login interface. After the user equipment displays the login interface, the user enters a username, password and so on to produce the login information; the application server receives the login information and sends it to the trusted control device, which forwards it to the third IAM for authentication. After the login information passes authentication, the third IAM sends the target user token to the trusted control device; the trusted control device generates an SSO login credential based on the target user token together with the user equipment identifier and other data contained in the login information, and sends the SSO login credential to the user equipment. The user equipment stores the SSO login credential in the browser cache, and when the user taps an application icon on the SSO application list page, an instruction to access the application is triggered that carries the SSO login credential. The application server then sends an authorization request to the trusted control device based on that instruction, and the authorization request also carries the SSO login credential.
Step S302: and the trusted control equipment obtains a token verification request containing the target user token based on the type of the selected second IAM.
As described above, a trusted control device may be connected to multiple IAMs, and different IAMs send and receive data using different protocols. Based on this, in some embodiments the trusted control device determines a second IAM that will verify the user token, and generates a token verification request that meets the format requirement of the second IAM based on the type of the second IAM. For example:
the trusted control device receives the authorization request through the authorization interface processing component and passes the authorization request and the target user token to its IamAdapter component; the IamAdapter component then reads the source configuration information of the second IAM (the current IAM) from the database of the trusted control device and determines the type of the second IAM from that configuration. If the second IAM is IAM131, the IamAdapter component generates the following token verification request, meeting the format requirement of IAM131, based on the application identifier and the target user token contained in the authorization request:
[Figure BDA0003156982950000151: the IAM131 token verification request, shown as an image in the original and not reproduced in text.]
wherein the parameter corresponding to the 'appCode' field is the application identifier (client_id), and the parameter corresponding to the 'userToken' field is the target user token (user_token).
If the second IAM is IAM132, the IamAdapter component generates the following token verification request, meeting the format requirement of IAM132, based on the target user token:
{
"user_token": user_token
}
wherein the parameter corresponding to user_token is the target user token.
The above is merely an exemplary illustration of the token verification request, and the token verification request of the present embodiment may also adopt other formats.
Step S303: the trusted control device sends the token authentication request to the second IAM.
In an embodiment, the trusted control device may send the token verification request to the second IAM in a plurality of ways, which is not specifically limited in this embodiment. For example:
if the second IAM is the IAM131, the trusted control device sends the token authentication request to the IAM131 through an interface corresponding to the IAM 131; or if the second IAM is the IAM132, the trusted control device sends the token authentication request to the IAM132 through an interface corresponding to the IAM 132.
Step S304: and the second IAM verifies the target user token to obtain verification information.
After receiving the token verification request meeting the format requirement, the second IAM can correctly analyze the target user token carried by the token verification request; and then the target user token is verified to obtain verification information aiming at the target user token.
The embodiment does not limit the specific implementation manner of the verification information, for example:
if the second IAM is IAM131 and the target user token is successfully verified, the following verification information may be generated:
[Figure BDA0003156982950000161: the IAM131 verification information example, shown as an image in the original and not reproduced in text.]
the authentication information is described by taking the authentication success as an example, and it can be understood that parameters corresponding to some fields are different from the authentication information when the authentication fails.
If the second IAM is IAM132 and the target user token fails to be verified, the following verification information may be generated:
[Figures BDA0003156982950000162 and BDA0003156982950000171: the IAM132 verification information example, shown as images in the original and not reproduced in text.]
the authentication information is described by taking authentication failure as an example, and it can be understood that parameters corresponding to some fields are different from the authentication information when authentication is successful.
The above is only an exemplary illustration of the verification information, and the verification information of the present embodiment may also adopt other formats.
Step S305: and the trusted control equipment receives the verification information.
In this embodiment, the trusted control device may receive the verification information in multiple ways, which is not specifically limited in this embodiment.
Step S306: and if the target user token is determined to pass the verification based on the verification information, the trusted control equipment encrypts based on the timestamp during encryption, the target user token and the application identifier contained in the authorization request to obtain an authorization code.
Illustratively, the trusted control device receives the verification information through the authorization interface processing component, determines a verification result of the target user token based on the verification information, and notifies the application server of failure in obtaining the authorization code through the authorization interface processing component if the verification fails; if the verification is passed, forming json (a lightweight data format) data based on the target user token, the application identifier and the current (Encryption time) timestamp through an authorization interface processing component, and further encrypting the json data by using an Advanced Encryption Standard (AES) algorithm to obtain binary data; the binary data is converted into a 16-ary character string as an authorization code.
Step S307: and the trusted control equipment sends the authorization code to the application server.
In this embodiment, the trusted control device may send the authorization code to the application server in a plurality of ways, which is not specifically limited in this embodiment. The authorization code is sent to the application server, for example, through the authorization interface processing component described above.
Step S308: the application server sends the application information to the trusted control device.
Step S308 is implemented in the same manner as step S201, and is not described herein again.
Step S309: the trusted control equipment verifies the application information; and after the application information is verified, obtaining an application authentication request based on the application information and the corresponding target user token.
The verification of the application information sent by the application server may be implemented by, but not limited to, the following manners:
decrypting the authorization code contained in the application information to obtain a decrypted user token, a decrypted application identifier and an encrypted timestamp;
if the time difference between the encryption timestamp and the current timestamp is smaller than the preset time difference, verifying the application information based on the decrypted application identifier, the application identifier contained in the application information and the application key contained in the application information.
In some embodiments, the application information is verified based on the decrypted application identification, the application identification included in the application information, and the application key included in the application information by:
if the decrypted application identifier is the same as the application identifier contained in the application information, determining a target key corresponding to the application identifier contained in the application information according to the corresponding relation between the identifier and the key;
if the target key is the same as the application key contained in the application information, determining that the application information passes verification, and determining the decrypted user token as the target user token.
For example, after receiving the application information through the token interface processing component, the trusted control device extracts the authorization code contained in it and decrypts the authorization code to obtain the JSON data. It compares the encryption timestamp in the JSON data with the current timestamp; if the time difference reaches the preset time difference (for example, 20 seconds), the authorization code is determined to be invalid and verification fails. If the time difference is smaller than the preset time difference, it compares the decrypted application identifier in the JSON data with the application identifier contained in the application information; if the two differ, the authorization code is determined to be invalid and verification fails. If the two are the same, it looks up the target key corresponding to the application identifier in the database and compares the target key with the application key contained in the application information. If the target key differs from the application key contained in the application information, the application key is forged, the application information is determined to be invalid and verification fails; if the target key is the same as the application key, the application key is not forged, the application information is determined to pass verification, and the application information is passed to the IamAdapter component.
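The issuing of the authorization code in step S306 and its verification in step S309 can be shown end to end in code. The following Go program is an added example written for this page, not code from the patent or its assignees. The patent only says that the JSON data is encrypted with AES and hex-encoded; this example assumes AES-256-GCM with a random nonce prepended to the ciphertext, chooses its own JSON field names (user_token, client_id, enc_time), models the identifier-to-key relation as an in-memory map instead of the device's database, and compares the application key in constant time (an addition not stated on the page). All keys, tokens and identifiers are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// AuthPayload is the JSON the trusted control device seals into an
// authorization code (step S306). Field names are this example's choice.
type AuthPayload struct {
	UserToken string `json:"user_token"`
	ClientID  string `json:"client_id"`
	EncTime   int64  `json:"enc_time"` // Unix seconds at encryption time
}

// ApplicationInfo is what the application server sends in step S308.
type ApplicationInfo struct {
	ClientID string // application identifier
	AppKey   string // application key
	AuthCode string // hex authorization code from step S307
}

// TrustedControl holds what the device needs for steps S306 and S309.
type TrustedControl struct {
	aead    cipher.AEAD       // AES-GCM; the page says only "AES"
	appKeys map[string]string // identifier -> key (constructed stand-in for the database)
	maxSkew time.Duration     // preset time difference, e.g. 20 s
	now     func() time.Time  // injectable clock for testing
}

func NewTrustedControl(aesKey []byte, appKeys map[string]string, maxSkew time.Duration) (*TrustedControl, error) {
	block, err := aes.NewCipher(aesKey)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &TrustedControl{aead: aead, appKeys: appKeys, maxSkew: maxSkew, now: time.Now}, nil
}

// IssueAuthorizationCode performs step S306: JSON -> AES-GCM -> hex string.
// The random nonce is prepended; GCM's tag makes any bit-flip fail to open.
func (t *TrustedControl) IssueAuthorizationCode(userToken, clientID string) (string, error) {
	plain, err := json.Marshal(AuthPayload{UserToken: userToken, ClientID: clientID, EncTime: t.now().Unix()})
	if err != nil {
		return "", err
	}
	nonce := make([]byte, t.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	return hex.EncodeToString(t.aead.Seal(nonce, nonce, plain, nil)), nil
}

// VerifyApplicationInfo performs step S309 and returns the target user token.
func (t *TrustedControl) VerifyApplicationInfo(info ApplicationInfo) (string, error) {
	raw, err := hex.DecodeString(info.AuthCode)
	ns := t.aead.NonceSize()
	if err != nil || len(raw) < ns {
		return "", errors.New("authorization code malformed")
	}
	plain, err := t.aead.Open(nil, raw[:ns], raw[ns:], nil)
	if err != nil {
		return "", errors.New("authorization code invalid")
	}
	var p AuthPayload
	if err := json.Unmarshal(plain, &p); err != nil {
		return "", errors.New("authorization code invalid")
	}
	// Freshness: invalid once the difference reaches the preset value.
	diff := t.now().Sub(time.Unix(p.EncTime, 0))
	if diff < 0 {
		diff = -diff
	}
	if diff >= t.maxSkew {
		return "", errors.New("authorization code expired")
	}
	if p.ClientID != info.ClientID {
		return "", errors.New("application identifier mismatch")
	}
	target, ok := t.appKeys[info.ClientID]
	if !ok || subtle.ConstantTimeCompare([]byte(target), []byte(info.AppKey)) != 1 {
		return "", errors.New("application key invalid") // forged or unknown key
	}
	return p.UserToken, nil
}

func main() {
	key := make([]byte, 32) // constructed demo key; a real device keeps a random, protected key
	for i := range key {
		key[i] = byte(i)
	}
	tc, _ := NewTrustedControl(key, map[string]string{"app-001": "constructed-app-key"}, 20*time.Second)
	code, _ := tc.IssueAuthorizationCode("constructed-user-token", "app-001")
	fmt.Println(tc.VerifyApplicationInfo(ApplicationInfo{ClientID: "app-001", AppKey: "constructed-app-key", AuthCode: code}))
	fmt.Println(tc.VerifyApplicationInfo(ApplicationInfo{ClientID: "app-001", AppKey: "forged", AuthCode: code}))
}
```

The order of checks mirrors the page: decrypt first (which also rejects any modified code), then the timestamp, then the identifier, then the key. Because the code is bound to the application identifier and expires after the preset interval, an authorization code presented by a different application or replayed later is rejected before any IAM is contacted.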
Step S310: the trusted control device sends the application authentication request to the first IAM.
Step S311: the first IAM determines application authentication information based on the application authentication request.
Step S312: the first IAM sends application authentication information to the trusted control device.
Step S313: the trusted control equipment generates token information in a target format based on the application authentication information, and sends the token information to the application server.
Steps S310 to S313 are the same as steps S203 to S206 and are not described again here.
According to the scheme, before the application is authenticated, the trusted control device obtains a token verification request that meets the format requirement of the second IAM and contains the target user token, according to the type of the selected second IAM. The token verification request is sent to the second IAM, which can correctly parse it and verify the target user token to obtain verification information; after receiving the verification information, the trusted control device can determine whether the target user token passes verification. If it passes, the target user token is valid; the trusted control device encrypts the encryption-time timestamp, the target user token and the application identifier contained in the authorization request to obtain an authorization code and sends it to the application server, so that the application server sends the application information only after the target user token has been verified.
In the above embodiment, the first IAM, the second IAM, and the third IAM may be the same IAM or different IAMs, and this embodiment is not limited in this respect.
As shown in fig. 4, a schematic flowchart of a first authentication method provided in the embodiment of the present application is applied to the trusted control device, and the method includes the following steps:
Step S401: verifying the application information sent by the application server;
Step S402: after the application information passes verification, obtaining an application authentication request based on the application information and a corresponding target user token;
Step S403: sending the application authentication request to a first IAM so that the first IAM determines application authentication information based on the application authentication request;
Step S404: generating token information in a target format based on the application authentication information sent by the first IAM, and sending the token information to the application server.
In some optional embodiments, the generating token information in a target format based on the application authentication information sent by the first IAM includes:
if the application authentication information contains user information, generating token information conforming to OIDC based on the application authentication information; or
if the application authentication information does not contain user information, sending a request to obtain the user information to the first IAM, receiving the user information sent by the first IAM, and generating token information conforming to OIDC based on the application authentication information and the received user information.
In some optional embodiments, the obtaining of the application authentication request based on the application information and the corresponding target user token includes:
generating an application authentication request comprising the application identifier and the target user token according to the type of the first IAM.
In some optional embodiments, before the verifying the application information sent by the application server, the method further includes:
determining a target user token corresponding to an authorization request sent by the application server;
obtaining a token verification request containing the target user token based on the type of the selected second IAM;
sending the token verification request to the second IAM, and receiving verification information of the second IAM on the target user token;
if the target user token is determined to pass verification based on the verification information, encrypting the encryption-time timestamp, the target user token and the application identifier contained in the authorization request to obtain an authorization code, and sending the authorization code to the application server, where the authorization code instructs the application server to send the application information.
In some optional embodiments, the application information comprises an application identification, an application key, and an authorization code;
the verifying the application information sent by the application server includes:
decrypting the authorization code contained in the application information to obtain a decrypted user token, a decrypted application identifier and an encrypted timestamp;
if the time difference between the encryption timestamp and the current timestamp is smaller than the preset time difference, verifying the application information based on the decrypted application identifier, the application identifier contained in the application information and the application key contained in the application information.
In some optional embodiments, verifying the application information based on the decrypted application identifier, the application identifier included in the application information, and the application key included in the application information includes:
if the decrypted application identifier is the same as the application identifier contained in the application information, determining a target key corresponding to the application identifier contained in the application information according to the corresponding relation between the identifier and the key;
if the target key is the same as the application key contained in the application information, determining that the application information passes verification, and determining the decrypted user token as the target user token.
In some optional embodiments, if the authorization request does not have a corresponding target user token, the method further comprises:
sending a command for displaying a login interface to the application server, and after receiving login information sent by the application server, sending the login information to a third IAM for login information authentication;
receiving a target user token sent by the third IAM after the login information is authenticated, and sending an SSO login credential derived from the target user token to the corresponding user equipment through the application server.
As shown in fig. 5, based on the same inventive concept, an embodiment of the present application provides an authentication apparatus 500, including a verification module 501, an application authentication request processing module 502 and a token information processing module 503. In some optional embodiments, the authentication apparatus 500 may further include a token processing module 504.
The verification module 501 is configured to verify application information sent by an application server;
an application authentication request processing module 502, configured to obtain an application authentication request based on the application information and a corresponding target user token after the application information passes verification;
the application authentication request processing module 502 is further configured to send the application authentication request to a first IAM, so that the first IAM determines application authentication information based on the application authentication request;
the token information processing module 503 is configured to generate token information in a target format based on the application authentication information sent by the first IAM, and send the token information to the application server.
In some optional embodiments, the token information processing module 503 is specifically configured to:
if the application authentication information contains user information, generating token information conforming to OIDC based on the application authentication information; or
if the application authentication information does not contain user information, sending a request to obtain the user information to the first IAM, receiving the user information sent by the first IAM, and generating token information conforming to OIDC based on the application authentication information and the received user information.
In some optional embodiments, the application information includes an application identifier, and the application authentication request processing module 502 is specifically configured to:
generating an application authentication request comprising the application identifier and the target user token according to the type of the first IAM.
In some optional embodiments, the token processing module 504 is configured to perform the following before the verification module 501 verifies the application information sent by the application server:
determining a target user token corresponding to an authorization request sent by the application server;
obtaining a token verification request containing the target user token based on the type of the selected second IAM;
sending the token verification request to the second IAM, and receiving verification information of the second IAM on the target user token;
if the target user token is determined to pass verification based on the verification information, encrypting the encryption-time timestamp, the target user token and the application identifier contained in the authorization request to obtain an authorization code, and sending the authorization code to the application server, where the authorization code instructs the application server to send the application information.
In some optional embodiments, the application information comprises an application identification, an application key, and an authorization code;
the verification module 501 is specifically configured to:
decrypting the authorization code contained in the application information to obtain a decrypted user token, a decrypted application identifier and an encrypted timestamp;
if the time difference between the encryption timestamp and the current timestamp is smaller than the preset time difference, verifying the application information based on the decrypted application identifier, the application identifier contained in the application information and the application key contained in the application information.
In some optional embodiments, the verification module 501 is specifically configured to:
if the decrypted application identifier is the same as the application identifier contained in the application information, determining a target key corresponding to the application identifier contained in the application information according to the corresponding relation between the identifier and the key;
if the target key is the same as the application key contained in the application information, determining that the application information passes verification, and determining the decrypted user token as the target user token.
In some optional embodiments, if the authorization request does not have a corresponding target user token, the token processing module 504 is further configured to:
sending a command for displaying a login interface to the application server, and after receiving login information sent by the application server, sending the login information to a third IAM for login information authentication;
receiving a target user token sent by the third IAM after the login information is authenticated, and sending an SSO login credential derived from the target user token to the corresponding user equipment through the application server.
As shown in fig. 6, based on the same inventive concept, an embodiment of the present application provides a trusted control device 600, including: a processor 601 and a memory 602;
The memory 602 stores the computer programs executed by the processor 601. The memory 602 may be a volatile memory, such as a random-access memory (RAM); it may also be a non-volatile memory, such as a read-only memory (ROM), a flash memory, a hard disk drive (HDD) or a solid-state drive (SSD); or it may be any other medium that can carry or store the desired program code in the form of instructions or data structures and that can be accessed by a computer, without being limited to these. The memory 602 may also be a combination of the above.
The processor 601 may include one or more Central Processing Units (CPUs), Graphics Processing Units (GPUs), Digital Processing Units (DSPs) or the like.
The specific connection medium between the memory 602 and the processor 601 is not limited in the embodiments of the present application. In fig. 6, the memory 602 and the processor 601 are connected by a bus 603, but the embodiment is not limited to this. The bus 603 may be divided into an address bus, a data bus, a control bus and so on. For ease of illustration, only one thick line is shown in fig. 6, but this does not mean that there is only one bus or one type of bus.
The memory 602 stores a computer program which, when executed by the processor 601, causes the processor 601 to perform the following:
verifying the application information sent by the application server;
after the application information is verified, obtaining an application authentication request based on the application information and a corresponding target user token;
sending the application authentication request to a first IAM to enable the first IAM to determine application authentication information based on the application authentication request;
generating token information in a target format based on the application authentication information sent by the first IAM, and sending the token information to the application server.
In some optional embodiments, the processor 601 is specifically configured to:
if the application authentication information contains user information, generating token information conforming to OIDC based on the application authentication information; or
if the application authentication information does not contain user information, sending a request to obtain the user information to the first IAM, receiving the user information sent by the first IAM, and generating token information conforming to OIDC based on the application authentication information and the received user information.
In some optional embodiments, the application information includes an application identifier, and the processor 601 is specifically configured to:
generating an application authentication request comprising the application identifier and the target user token according to the type of the first IAM.
In some optional embodiments, before the verifying the application information sent by the application server, the processor 601 is further configured to:
determining a target user token corresponding to an authorization request sent by the application server;
obtaining a token verification request containing the target user token based on the type of the selected second IAM;
sending the token verification request to the second IAM, and receiving verification information of the second IAM on the target user token;
if the target user token is determined to pass verification based on the verification information, encrypting the encryption-time timestamp, the target user token and the application identifier contained in the authorization request to obtain an authorization code, and sending the authorization code to the application server, where the authorization code instructs the application server to send the application information.
In some optional embodiments, the application information comprises an application identification, an application key, and an authorization code;
the processor 601 is specifically configured to:
decrypting the authorization code contained in the application information to obtain a decrypted user token, a decrypted application identifier and an encrypted timestamp;
if the time difference between the encryption timestamp and the current timestamp is smaller than the preset time difference, verifying the application information based on the decrypted application identifier, the application identifier contained in the application information and the application key contained in the application information.
In some optional embodiments, the processor 601 is specifically configured to:
if the decrypted application identifier is the same as the application identifier contained in the application information, determining a target key corresponding to the application identifier contained in the application information according to the corresponding relation between the identifier and the key;
if the target key is the same as the application key contained in the application information, determining that the application information passes verification, and determining the decrypted user token as the target user token.
In some optional embodiments, if the authorization request does not have a corresponding target user token, the processor 601 is further configured to:
sending a command for displaying a login interface to the application server, and after receiving login information sent by the application server, sending the login information to a third IAM for login information authentication;
and receiving a target user token sent by the third IAM after the login information is authenticated, and sending an SSO login credential obtained based on the target user token to corresponding user equipment through the application server.
Embodiments of the present application provide a computer-readable storage medium on which a computer program is stored; when the program is executed by a processor, it implements the steps of the authentication method described above. The readable storage medium may be, for example, a nonvolatile readable storage medium.
The present application is described above with reference to block diagrams and/or flowchart illustrations of methods, apparatus (systems) and/or computer program products according to embodiments of the application. It will be understood that one block of the block diagrams and/or flowchart illustrations, and combinations of blocks in the block diagrams and/or flowchart illustrations, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, and/or other programmable authentication apparatus to produce a machine, such that the instructions, which execute via the processor of the computer and/or other programmable authentication apparatus, create means for implementing the functions/acts specified in the block diagrams and/or flowchart block or blocks.
Accordingly, the subject application may also be embodied in hardware and/or in software (including firmware, resident software, micro-code, etc.). Furthermore, the present application may take the form of a computer program product on a computer-usable or computer-readable storage medium having computer-usable or computer-readable program code embodied in the medium for use by or in connection with an instruction execution system. In the context of this application, a computer-usable or computer-readable medium may be any medium that can contain, store, communicate, propagate, or transport the program for use by or in connection with the instruction execution system, apparatus, or device.
While the preferred embodiments of the present application have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including preferred embodiments and all alterations and modifications as fall within the scope of the application.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present application without departing from the spirit and scope of the application. Thus, if such modifications and variations of the present application fall within the scope of the claims of the present application and their equivalents, the present application is intended to include such modifications and variations as well.

Claims (10)

1. An authentication method applied to a trusted control device, the method comprising:
verifying the application information sent by the application server;
after the application information is verified, obtaining an application authentication request based on the application information and a corresponding target user token;
sending the application authentication request to a first identity and access management device (IAM), so that the first IAM determines application authentication information based on the application authentication request;
and generating token information in a target format based on the application authentication information sent by the first IAM, and sending the token information to the application server.
2. The method of claim 1, wherein generating token information in a target format based on the application authentication information sent by the first IAM comprises:
if the application authentication information contains user information, generating token information conforming to the OpenID Connect (OIDC) identity authentication standard protocol based on the application authentication information; or
if the application authentication information does not contain user information, sending a request for acquiring the user information to the first IAM, receiving the user information sent by the first IAM, and generating token information conforming to OIDC based on the application authentication information and the received user information.
3. The method of claim 1, wherein the application information comprises an application identifier, and wherein obtaining an application authentication request based on the application information and a corresponding target user token comprises:
and generating an application authentication request comprising the application identification and the target user token according to the type of the first IAM.
4. The method of claim 1, further comprising, before the verifying the application information sent by the application server:
determining a target user token corresponding to an authorization request sent by the application server;
obtaining a token verification request containing the target user token based on the type of the selected second IAM;
sending the token verification request to the second IAM, and receiving verification information of the second IAM on the target user token;
and if the target user token is determined to pass the verification based on the verification information, encrypting the target user token based on the timestamp during encryption, the target user token and the application identifier contained in the authorization request to obtain an authorization code, and sending the authorization code to the application server, wherein the authorization code is used for indicating the application server to send the application information.
5. The method of claim 4, wherein the application information comprises an application identification, an application key, and an authorization code;
the verifying the application information sent by the application server includes:
decrypting the authorization code contained in the application information to obtain a decrypted user token, a decrypted application identifier and an encrypted timestamp;
and if the time difference between the encrypted timestamp and the current timestamp is smaller than the preset time difference, verifying the application information based on the decrypted application identifier, the application identifier contained in the application information and the application key contained in the application information.
6. The method of claim 5, wherein verifying the application information based on the decrypted application identifier, the application identifier included in the application information, and the application key included in the application information comprises:
if the decrypted application identifier is the same as the application identifier contained in the application information, determining a target key corresponding to the application identifier contained in the application information according to the corresponding relation between the identifier and the key;
and if the target key is the same as the application key contained in the application information, determining that the application information passes the verification, and determining the decrypted user token as the target user token.
7. The method of claim 4, wherein if the authorization request does not have a corresponding target user token, the method further comprises:
sending a command for displaying a login interface to the application server, and after receiving login information sent by the application server, sending the login information to a third IAM for login information authentication;
and receiving a target user token sent by the third IAM after the login information is authenticated, and sending a single sign-on (SSO) login credential obtained based on the target user token to the corresponding user equipment through the application server.
8. An authentication apparatus, comprising:
a verification module, used for verifying the application information sent by the application server;
the application authentication request processing module is used for obtaining an application authentication request based on the application information and the corresponding target user token after the application information passes the verification;
the application authentication request processing module is further configured to send the application authentication request to a first IAM, so that the first IAM determines application authentication information based on the application authentication request;
and the token information processing module is used for generating token information in a target format based on the application authentication information sent by the first IAM and sending the token information to the application server.
9. A trusted control device comprising one or more processors, and a memory for storing instructions executable by said processors;
wherein the processor is configured to execute the instructions to implement the authentication method of any one of claims 1 to 7.
10. A computer-readable storage medium, in which a computer program is stored, which, when executed by a processor, implements an authentication method according to any one of claims 1 to 7.
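The authorization-code scheme of claims 4 to 6 (also described above for processor 601) and the OIDC token generation of claim 2, worked through as an added Python example; this is not code from the patent or its assignees. It assumes a constructed device key, a made-up identifier-to-key registry, a 60-second preset time difference and a hypothetical issuer name, and it uses HMAC-SHA256 in counter mode plus encrypt-then-MAC as a standard-library stand-in for the AEAD (such as AES-GCM) a production trusted control device would use for the authorization code. The user-info fetch of claim 2 is modelled as a callback so the block runs offline.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed demo values (not from the patent): the trusted control device's
# code-encryption key, its identifier-to-key registry (claim 6's "corresponding
# relation between the identifier and the key"), and the preset time difference.
CODE_KEY = hashlib.sha256(b"demo-trusted-control-device-key").digest()
APP_KEYS = {"app-portal": "portal-secret-42", "app-reports": "reports-secret-7"}
MAX_CODE_AGE = 60  # seconds
ISSUER = "https://tcd.example"  # hypothetical issuer name for the OIDC token


def _keystream(key, nonce, length):
    # HMAC-SHA256 as a PRF in counter mode: a stdlib-only stand-in for the AEAD
    # (e.g. AES-GCM) a production device should use for the authorization code.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def issue_authorization_code(user_token, app_id, now=None):
    """Claim 4: encrypt (timestamp, user token, application identifier) into a code."""
    ts = int(time.time() if now is None else now)
    plaintext = json.dumps({"tok": user_token, "app": app_id, "ts": ts}).encode()
    nonce = secrets.token_bytes(16)
    ciphertext = _xor(plaintext, _keystream(CODE_KEY, nonce, len(plaintext)))
    # Encrypt-then-MAC: the tag covers nonce and ciphertext, so a modified code
    # is rejected before any field is decrypted or compared.
    tag = hmac.new(CODE_KEY, nonce + ciphertext, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(nonce + ciphertext + tag).decode()


def verify_application_info(app_id, app_key, code, now=None):
    """Claims 5 and 6: return the target user token, or None when any check fails."""
    try:
        raw = base64.urlsafe_b64decode(code.encode())
    except ValueError:
        return None
    if len(raw) < 16 + 32:
        return None
    nonce, ciphertext, tag = raw[:16], raw[16:-32], raw[-32:]
    expected = hmac.new(CODE_KEY, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    payload = json.loads(_xor(ciphertext, _keystream(CODE_KEY, nonce, len(ciphertext))))
    current = int(time.time() if now is None else now)
    # Claim 5: the encrypted timestamp must lie within the preset time difference.
    if abs(current - payload["ts"]) >= MAX_CODE_AGE:
        return None
    # Claim 6: the decrypted identifier must equal the presented one, and the presented
    # key must equal the registered key for that identifier (constant-time compares).
    if not hmac.compare_digest(payload["app"].encode(), app_id.encode()):
        return None
    registered = APP_KEYS.get(app_id)
    if registered is None or not hmac.compare_digest(registered.encode(), app_key.encode()):
        return None
    return payload["tok"]


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def build_oidc_token_info(auth_info, fetch_user_info, signing_key, now=None):
    """Claim 2: build an OIDC-style ID token (HS256 JWT) from the first IAM's
    authentication information, asking the IAM for user info only when it is absent."""
    user = auth_info.get("user") or fetch_user_info(auth_info["access_token"])
    iat = int(time.time() if now is None else now)
    claims = {"iss": ISSUER, "sub": user["sub"], "aud": auth_info["app"],
              "iat": iat, "exp": iat + 3600, "name": user.get("name")}
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(signing_key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def read_oidc_token_info(token, signing_key):
    """Application-side check of the token above: verify the HS256 signature, return claims."""
    header, body, sig = token.split(".")
    expected = hmac.new(signing_key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig):
        return None
    return json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
```

The order of checks in `verify_application_info` follows the claims: integrity of the code first, then the timestamp bound of claim 5, then the identifier and key comparisons of claim 6, and only on success is the decrypted user token returned as the target user token. Binding the application identifier inside the encrypted code is what stops a code issued to one registered application from being redeemed by another, even one that holds a valid key of its own.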
CN202110779202.0A 2021-07-09 2021-07-09 Authentication method, device, equipment and storage medium Pending CN113505353A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110779202.0A CN113505353A (en) 2021-07-09 2021-07-09 Authentication method, device, equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110779202.0A CN113505353A (en) 2021-07-09 2021-07-09 Authentication method, device, equipment and storage medium

Publications (1)

Publication Number Publication Date
CN113505353A true CN113505353A (en) 2021-10-15

Family

ID=78012531

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110779202.0A Pending CN113505353A (en) 2021-07-09 2021-07-09 Authentication method, device, equipment and storage medium

Country Status (1)

Country Link
CN (1) CN113505353A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114826946A (en) * 2022-06-29 2022-07-29 深圳红途科技有限公司 Unauthorized access interface detection method, device, equipment and storage medium
CN114844714A (en) * 2022-05-24 2022-08-02 中国民生银行股份有限公司 User identity authentication method and LDAP protocol-based proxy server

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103609090A (en) * 2013-06-19 2014-02-26 华为技术有限公司 Method and device for identity login
US20160105420A1 (en) * 2013-12-13 2016-04-14 T-Mobile Usa, Inc. Identity and Access Management
CN106034123A (en) * 2015-03-17 2016-10-19 ***通信集团湖北有限公司 Authentication method, application system server and client
US20180309756A1 (en) * 2015-12-28 2018-10-25 Huawei Technologies Co., Ltd. Identity Authentication Method and Apparatus
CN112000951A (en) * 2020-08-31 2020-11-27 上海商汤智能科技有限公司 Access method, device, system, electronic equipment and storage medium
CN112039873A (en) * 2020-08-28 2020-12-04 浪潮云信息技术股份公司 Method for accessing business system by single sign-on
CN112104621A (en) * 2020-08-31 2020-12-18 新华三信息安全技术有限公司 Traffic management method and equipment

Similar Documents

Publication Publication Date Title
CN106330850B (en) Security verification method based on biological characteristics, client and server
US9641521B2 (en) Systems and methods for network connected authentication
CN110138562B (en) Certificate issuing method, device and system of intelligent equipment
US20210234857A1 (en) Authentication system, authentication method, and application providing method
JP2018501567A (en) Device verification method and equipment
CN112000951B (en) Access method, device, system, electronic equipment and storage medium
CN106790183A (en) Logging on authentication method of calibration, device
CN111800378B (en) Login authentication method, device, system and storage medium
CN106302606B (en) Across the application access method and device of one kind
KR102137122B1 (en) Security check method, device, terminal and server
US11526596B2 (en) Remote processing of credential requests
CN105391734A (en) Secure login system, secure login method, login server and authentication server
CN111030814A (en) Key negotiation method and device
CN110069909B (en) Method and device for login of third-party system without secret
US20170070486A1 (en) Server public key pinning by url
CN113505353A (en) Authentication method, device, equipment and storage medium
CN113783867B (en) Authentication request method and terminal
JP6081857B2 (en) Authentication system and authentication method
CN112261103A (en) Node access method and related equipment
CN112653676B (en) Identity authentication method and equipment crossing authentication system
CN111817860B (en) Communication authentication method, device, equipment and storage medium
CN115473668A (en) Data verification method and device
CN112953711A (en) Database security connection system and method
CN113271306B (en) Data request and transmission method, device and system
CN113672898B (en) Service authorization method, authorization device, system, electronic device and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination