CN114301634A - Oauth protocol-based portal system user sharing method - Google Patents

Info

Publication number: CN114301634A
Authority: CN (China)
Prior art keywords: application, key, user, web service, oauth protocol
Legal status: Pending
Application number: CN202111495633.0A
Other languages: Chinese (zh)
Inventors: 李参宏, 陈力, 韩平军
Current assignee: Jiangsu Netmarch Technologies Co ltd
Original assignee: Jiangsu Netmarch Technologies Co ltd
Priority date: 2021-12-09
Filing date: 2021-12-09
Publication date: 2022-04-08

Landscapes

  • Storage Device Security (AREA)

Abstract

The invention discloses a portal system user sharing method based on the Oauth protocol. On the basis of the Oauth protocol it authenticates access applications and distributes keys: a web service layer provides an application entrance for each application that is to be connected to the shared user system, issues the application its application identity and secret key once the application has been vetted, and the user stores both. The web service layer replaces the access party's random-string key with an AES string key and, on top of https communication, encrypts the whole message with the AES symmetric algorithm; when a message enters the web service layer, the layer AES-decrypts it and pushes the signed plaintext data to the internal network; the application program interface authorizes, authenticates and calls the plaintext data; finally, login authorization is performed. The advantage of the method is that a hacker cannot read captured information that has been AES-encrypted, so the information is intercepted by the web service when it is retransmitted, and service security is improved.

Description

Oauth protocol-based portal system user sharing method
Technical Field
The invention relates to user system sharing, and in particular to a portal system user sharing method based on the Oauth protocol.
Background
In the prior art, the problems that enterprises meet in production and operation are addressed through enterprise informatization. Because management functions are divided and organizations refined, most enterprises split complete business chains into independent management systems such as Enterprise Resource Planning (ERP), Customer Relationship Management (CRM) and Supply Chain Management (SCM). As informatization progresses, however, differences in when each system was developed, in the experience of the development teams, in the scope of service and in the development platforms increasingly restrict compatibility and integration between information systems.
The most serious consequence is that different systems, applications and technical platforms form information islands in which the enterprise becomes trapped; the problem does not ease as the enterprise's informatization matures but keeps worsening as more application systems are introduced. User information maintained separately in different business systems is the worst case: senior managers sometimes have to maintain a large number of administrator accounts, and the lack of a unified user system directly obstructs business flows that cross systems, limiting the enterprise's administrative efficiency.
As the next-generation standard for user authentication and authorization, the prior-art portal system user sharing process based on the Oauth protocol runs roughly as follows, taking the password mode as an example:
First, the access party applies for access authorization and the supplier issues an application identity (appId) and a password (Secret), both random character strings; the former represents the identity of the user, the latter acts as a password to verify the user's access.
Then the access party applies for or purchases part of the application side's service functions, and the supplier sends the resource identifier (SecretId) and the key (SecretKey) of the corresponding function. The SecretId is a random string that corresponds to the resource identifier the user owns and uses; the SecretKey is the key part of an asymmetric encryption algorithm and is used to keep the user-information request from being tampered with or repudiated.
The above procedure requires that transmission take place under the https protocol, since https ensures that communication over the network is encrypted.
HTTPS (Hyper Text Transfer Protocol over Secure Socket Layer) is an HTTP channel with security as its goal: it guarantees the security of the transmission process through transport encryption and identity authentication on top of HTTP.
It can be seen that the Oauth protocol depends heavily on https; if https is broken, the appId (application identity) and SecretId are directly exposed. The SecretKey appears relatively secure, since it never travels over the network, but it only serves to sign the request fields and the timestamp, which leaves an attacker an opening.
It is therefore necessary to provide a portal system user sharing method based on the Oauth protocol that solves the above problems.
Disclosure of Invention
In view of the above problems, the present invention aims to provide a portal system user sharing method based on the Oauth protocol that improves service security.
To achieve this, the invention adopts the following technical scheme. A portal system user sharing method based on the Oauth protocol comprises the following steps: S1, authenticating the access application and distributing keys on the basis of the Oauth protocol; a web service layer provides an application entrance for each application that is to be connected to the shared user system, issues the application's identity and secret key after the application has been vetted, and the user stores them; the web service layer replaces the access party's random-string key with an AES string key and, on top of https communication, encrypts the whole message with the AES symmetric algorithm; when a message enters the web service layer, the layer AES-decrypts it and pushes the signed plaintext data to the internal network; S2, the application program interface authorizes, authenticates and calls the plaintext data; and S3, login authorization.
The application identity is a 16-byte UUID generated by an algorithm based on the machine's network card, the local time and a random number.
The key is the base64-encoded value of a 256-bit AES key.
Once the access application has passed vetting and obtained its application identity and secret key, then whenever a user submits a request: verify through the clientId whether the user is a recognised user; verify the legitimacy of the user; confirm, by checking the origin domain name, whether the interface being accessed is authorized; and, if the checks pass, apply for authorization through the user on the basis of the Oauth protocol.
The admitted application obtains a temporary access token through an https GET request; the Oauth protocol protects the access token, which is unique within a preset time and is used to confirm admission of the authorized application's request and to reduce the risk of exposing the secret. The application carries the temporary access token in its request and the call is granted.
Compared with the prior art, the portal system user sharing method based on the Oauth protocol has the advantage that an external hacker cannot read captured information that has been AES-encrypted, so the information is intercepted by the web service when it is retransmitted, and service security is improved.
Detailed Description
The technical solutions in the embodiments of the present invention are clearly and completely described below through the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The invention relates to a portal system user sharing method based on the Oauth protocol, comprising the following steps:
S1, authenticating the access application and distributing the user's key on the basis of the Oauth protocol;
providing a web service layer that offers an application entrance to each access application that is to be connected to the preset shared user system, issuing the access application's identity and secret key after authentication, and having the user store them;
every portal system and application is based on the Oauth protocol, and key distribution is protected by the Oauth protocol to prevent the risk of key leakage.
The web service layer replaces the access party's random-string key with an AES string key and encrypts the whole message with the AES (Advanced Encryption Standard) symmetric algorithm on top of https communication (security can be ensured even without https support; losing https increases the exposure risk of the application identity (appId), but the application identity does not require a high level of secrecy). After the message enters the web service layer, the layer AES-decrypts it and pushes the signed plaintext data to the local area network.
The application identity is a 16-byte (128-bit) UUID (Universally Unique Identifier); the core of the algorithm is generation from the machine's network card, the local time and a random number. It is guaranteed not to repeat at up to 10M generations per second and serves as the primary key of the admitted application.
The key (secret) is the base64-encoded value of a 256-bit AES (Advanced Encryption Standard) key; the interaction between the admitted application and the user hierarchy relies on it to verify legitimacy and to decrypt the sensitive data fields.
S2, authorizing, authenticating and calling the user through plaintext data;
specifically, once the access application has passed vetting and obtained its application identity and secret key, then whenever a user submits a request: verify through the clientId whether the user is a recognised user; verify the legitimacy of the user; confirm, by checking the origin domain name, whether the interface being accessed is authorized; and, if the checks pass, apply for authorization through the user on the basis of the Oauth protocol.
The admitted application obtains a temporary access token (Access Token) through an https GET request, and the Oauth protocol also protects the access token against leakage. The token is unique within a preset time (two hours) and is used to confirm admission of the authorized application's request and to reduce the risk of exposing the secret; the application carries the temporary access token in its request and the call is granted.
The calling steps are:
S21: generate a two-dimensional code (QR code) from the access token: generate a random string as the redis key (redis being an in-memory key-value store), with the QR code state as its value (waiting for scan, W) and the QR code timeout as the key's expiry time, and return the cache-update interface together with the redis key as the QR code content to the foreground; for example, generating the QR code (https://...scankey=abc) gives (k, v) -> (abc, W);
S22: when the user scans the QR code, the code triggers the update interface, and the value cached in redis under the corresponding key is updated to scanned (S), for example (k, v) -> (abc, S);
S23: using the obtained scanned-code information, the login is carried out, the page jumps to a confirmation page, and the QR code state is updated to confirmed (T), for example (k, v) -> (abc, T);
S24: the foreground polls for the QR code state, which returns the state or a timeout, and acts on the returned state: no operation in state W, a "code scanned" prompt in state S, end of polling and entry into the system in state T, and end of polling and a restart of the login process on timeout.
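The four calling steps above form a small state machine keyed on the random cache handle. The Go program below is an added example written for this page, not code from the patent or its assignee: it models steps S21 to S24 with an in-memory map standing in for redis (a hypothetical `QRStore`; a deployment would use redis keys with an expiry), enforces the W -> S -> T order so a code cannot be confirmed before it is scanned or reused after confirmation, and treats a timed-out key exactly like an unknown one so the foreground restarts the login. The state values W, S and T come from the patent; the type and function names, the 16-byte random handle and the injectable clock are assumptions made for the example.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"sync"
	"time"
)

// QR code states as stored in the cache (the patent's W / S / T values).
const (
	StateWaiting   = "W" // generated, waiting for a scan
	StateScanned   = "S" // scanned by a logged-in phone, awaiting confirmation
	StateConfirmed = "T" // confirmed on the phone; the browser may enter the system
)

// ErrExpired means the key is unknown or its timeout has passed; the browser
// must then restart the login process (step S24).
var ErrExpired = errors.New("qr code expired")

type entry struct {
	state, user string
	expires     time.Time // cache key expiry = QR code timeout
}

// QRStore is a hypothetical in-memory stand-in for the redis cache in the patent.
type QRStore struct {
	mu    sync.Mutex
	items map[string]entry
	ttl   time.Duration
	now   func() time.Time // injectable clock so expiry can be tested
}

func NewQRStore(ttl time.Duration) *QRStore {
	return &QRStore{items: map[string]entry{}, ttl: ttl, now: time.Now}
}

// Generate is step S21: mint an unguessable random key, cache it in state W with
// the QR timeout as TTL and return it; the QR content carries only this handle.
func (s *QRStore) Generate() (string, error) {
	buf := make([]byte, 16)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	key := fmt.Sprintf("%x", buf)
	s.mu.Lock()
	defer s.mu.Unlock()
	s.items[key] = entry{state: StateWaiting, expires: s.now().Add(s.ttl)}
	return key, nil
}

// get returns the live entry or ErrExpired, purging timed-out codes so a late
// scan or confirmation cannot revive them. The caller must hold mu.
func (s *QRStore) get(key string) (entry, error) {
	e, ok := s.items[key]
	if !ok || !s.now().Before(e.expires) {
		delete(s.items, key)
		return entry{}, ErrExpired
	}
	return e, nil
}

// transition enforces the W -> S -> T order: a code cannot be confirmed before
// it was scanned, nor scanned or confirmed twice.
func (s *QRStore) transition(key, from, to, user string) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	e, err := s.get(key)
	if err != nil {
		return err
	}
	if e.state != from {
		return fmt.Errorf("qr code is in state %s, expected %s", e.state, from)
	}
	e.state, e.user = to, user
	s.items[key] = e
	return nil
}

// Scan is step S22: the phone reports the key it scanned; W becomes S.
func (s *QRStore) Scan(key string) error {
	return s.transition(key, StateWaiting, StateScanned, "")
}

// Confirm is step S23: the logged-in phone session confirms; S becomes T and user is recorded.
func (s *QRStore) Confirm(key, user string) error {
	return s.transition(key, StateScanned, StateConfirmed, user)
}

// Poll is step S24: the browser gets W, S or T (with the user once in T), or ErrExpired.
func (s *QRStore) Poll(key string) (state, user string, err error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	e, err := s.get(key)
	if err != nil {
		return "", "", err
	}
	return e.state, e.user, nil
}
```

The browser only ever learns the state and, after confirmation, which account it has been logged in as; the phone side never sees the browser's session. Because the handle is random and expires with the code, an old QR image is worthless after the timeout, which is the property the patent's redis expiry is there to give.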
Because the portal system is open and maintains the user system uniformly, the core attributes of the existing systems' different user systems are extracted as the basis for building the user system. Application-specific field attributes are supported by primary-key association, in the form of an attached table, or maintained by the admitted application itself.
S3, login authorization (username and password, redirect login, scan login, usbKey)
Login by username and password, by scanning a code, by usbKey and other modes are supported, and the user's login, query, permission and other interfaces are exposed to the application program interface open system. The access application may keep its own application entrance, call the portal's login interface after obtaining authorization, and complete the login service by username and password according to the authentication rules of the application program interface system;
its login mode may also redirect via the portal.
The invention replaces the access party's random-string key with an AES string key and encrypts the whole message with the AES symmetric algorithm on top of https communication (security can be ensured even without https support, although losing https protection increases the exposure risk of the appId, whose secrecy requirement is low). After the message body enters the web service layer, the layer AES-decrypts it and pushes the signed plaintext data to the internal network.
At this point a hacker can still redirect the message to a server of their own, but they lack the secret (the secret only travels over the network when temporary authorization is obtained, that transmission is itself AES-encrypted, and even if https is cracked the hacker obtains only the appId). There is therefore no way to read the AES-encrypted information, and the information is intercepted by the web service when it is retransmitted. In that case the hacker can only brute-force the AES algorithm, but since the signature protecting the information carries a timestamp, normally valid for 5 minutes, breaking AES within 5 minutes is obviously a hard matter.
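The envelope described under S1 above (a random-string key replaced by a 256-bit AES key handed out as a base64 value, the whole message AES-encrypted, signed plaintext carrying a timestamp) and the closing discussion of a redirected message with a roughly 5-minute validity can be written out end to end. The Go program below is an added example for this page, not the patent's implementation: `Seal` is the access party, `Registry.Open` is the web service layer. It assumes AES-256-GCM as the AES mode and HMAC-SHA256 with the shared key as the signature (the patent names neither), a `"<appId>.<base64(nonce||ciphertext)>"` wire format in which only the appId is visible, and random bytes in place of the NIC/time/random UUID. `Open` rejects a modified ciphertext, a wrong signature, an unknown appId, and an envelope whose timestamp lies outside `ReplayWindow`, which is where a captured message that is re-sent later is stopped.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

const ReplayWindow = 5 * time.Minute // the timestamp tolerance the patent mentions

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing crypto/rand is not recoverable here
	}
	return b
}

// IssueCredential is the step-S1 hand-out to a vetted access application: a 16-byte
// application identity and a 256-bit AES key (delivered as its base64 value). Random
// bytes stand in for the patent's NIC/time/random UUID (assumption).
func IssueCredential() (appID string, key []byte) {
	return base64.RawURLEncoding.EncodeToString(randBytes(16)), randBytes(32)
}

// Message is the signed plaintext pushed to the internal network. Sig is an
// HMAC-SHA256 over appId, timestamp and body (assumed; the patent names no scheme).
type Message struct {
	AppID, Body, Sig string
	Ts               int64
}

func sign(key []byte, appID string, ts int64, body string) string {
	mac := hmac.New(sha256.New, key)
	fmt.Fprintf(mac, "%s|%d|%s", appID, ts, body)
	return base64.StdEncoding.EncodeToString(mac.Sum(nil))
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal is the access party's side: sign the fields, then AES-256-GCM encrypt the whole
// JSON message. Only the appId stays visible on the wire, as the patent describes.
func Seal(appID string, key []byte, body string, now time.Time) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	m := Message{AppID: appID, Ts: now.Unix(), Body: body}
	m.Sig = sign(key, m.AppID, m.Ts, m.Body)
	plain, _ := json.Marshal(m)
	nonce := randBytes(gcm.NonceSize())
	ct := gcm.Seal(nonce, nonce, plain, nil) // nonce is prepended to the ciphertext
	return appID + "." + base64.StdEncoding.EncodeToString(ct), nil
}

// Registry is the web service layer's table of raw keys, keyed by appId.
type Registry map[string][]byte

// Open is the web service layer's side: look up the key by appId, decrypt (GCM rejects any
// modified ciphertext), re-check the signature and refuse a timestamp outside the window.
func (r Registry) Open(envelope string, now time.Time, window time.Duration) (Message, error) {
	parts := strings.SplitN(envelope, ".", 2)
	key, ok := r[parts[0]]
	if len(parts) != 2 || !ok {
		return Message{}, fmt.Errorf("malformed envelope or unknown appId")
	}
	raw, err := base64.StdEncoding.DecodeString(parts[1])
	gcm, gerr := newGCM(key)
	if err != nil || gerr != nil || len(raw) < gcm.NonceSize() {
		return Message{}, fmt.Errorf("bad envelope")
	}
	plain, err := gcm.Open(nil, raw[:gcm.NonceSize()], raw[gcm.NonceSize():], nil)
	if err != nil {
		return Message{}, fmt.Errorf("decryption failed")
	}
	var m Message
	if err := json.Unmarshal(plain, &m); err != nil {
		return Message{}, err
	}
	if m.AppID != parts[0] || !hmac.Equal([]byte(m.Sig), []byte(sign(key, m.AppID, m.Ts, m.Body))) {
		return Message{}, fmt.Errorf("bad signature")
	}
	if age := now.Sub(time.Unix(m.Ts, 0)); age > window || age < -window {
		return Message{}, fmt.Errorf("timestamp outside the %v replay window", window)
	}
	return m, nil
}
```

With GCM the encryption itself already authenticates the ciphertext, so the separate signature mainly carries the timestamp binding the patent relies on. A production web service layer would additionally remember the nonces it has seen within the window, because a captured envelope re-sent inside the five minutes passes the timestamp check on its own.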
Although embodiments of the present invention have been shown and described, it will be appreciated by those skilled in the art that various changes, modifications, substitutions and alterations can be made in these embodiments without departing from the principles and spirit of the invention, the scope of which is defined by the appended claims.

Claims (6)

1. A portal system user sharing method based on the Oauth protocol, characterized in that it comprises the following steps:
S1, authenticating the access application and distributing keys on the basis of the Oauth protocol;
providing a web service layer that offers an application entrance to each application that is to be connected to the shared user system, issuing the application's identity and secret key after the application has been vetted, and having the user store them; the web service layer replaces the access party's random-string key with an AES string key and, on top of https communication, encrypts the whole message with the AES symmetric algorithm; after the message enters the web service layer, the layer AES-decrypts it and pushes the signed plaintext data to the internal network;
S2, the application program interface authorizes, authenticates and calls the plaintext data;
and S3, login authorization.
2. The Oauth protocol based portal system user sharing method of claim 1, wherein the application identity is a 16-byte UUID generated by an algorithm based on the machine's network card, the local time and a random number.
3. The Oauth protocol based portal system user sharing method of claim 1, wherein the key is the base64-encoded value of a 256-bit AES key.
4. The Oauth protocol based portal system user sharing method of claim 1, wherein in step S2, once the access application has been vetted and obtained its application identity and key, when the user submits a request: verify through the clientId whether the user is a recognised user; verify the legitimacy of the user; confirm, by checking the origin domain name, whether the interface being accessed is authorized; and, if the checks pass, apply for authorization through the user on the basis of the Oauth protocol.
5. The Oauth protocol based portal system user sharing method of claim 4, wherein the admitted application obtains a temporary access token through an https GET request, the Oauth protocol protects the access token, the token is unique within a preset time and is used to confirm admission of the authorized application's request and to reduce the risk of exposing the secret, and the application carries the temporary access token in its request and the call is granted.
6. The Oauth protocol based portal system user sharing method of claim 5, wherein the calling steps comprise:
S21: generating a two-dimensional code from the access token, generating a random string as the redis key whose expiry time is the timeout of the two-dimensional code, and returning the cache-update interface together with the redis key as the two-dimensional code content to the foreground;
S22: when the user scans the two-dimensional code, the code triggers the update interface and the value cached in the in-memory key-value store under the corresponding key is updated to scanned;
S23: using the obtained scanned-code information, carrying out the login, jumping to a confirmation page and updating the state of the two-dimensional code;
S24: polling for the two-dimensional code state, which returns the state or a timeout, acting on the returned state, and on timeout ending the polling and re-initiating the login process.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111495633.0A CN114301634A (en) 2021-12-09 2021-12-09 Oauth protocol-based portal system user sharing method

Publications (1)

Publication Number Publication Date
CN114301634A true CN114301634A (en) 2022-04-08

Family

ID=80965908

Country Status (1)

Country Link
CN (1) CN114301634A (en)


Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20100306547A1 (en) * 2009-05-28 2010-12-02 Fallows John R System and methods for providing stateless security management for web applications using non-http communications protocols
US9819672B1 (en) * 2015-06-26 2017-11-14 EMC IP Holding Company LLC Sharing access tokens with trusted users
CN111327582A (en) * 2019-08-22 2020-06-23 刘高峰 Authorization method, device and system based on OAuth protocol
WO2021218885A1 (en) * 2020-04-28 2021-11-04 万维数码智能有限公司 Security and confidentiality protection method and system for data transmission

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115297346A (en) * 2022-06-30 2022-11-04 贵阳朗玛视讯科技有限公司 Multi-application authentication method and device based on EPG system
CN115297346B (en) * 2022-06-30 2023-08-25 贵阳朗玛视讯科技有限公司 EPG system-based multi-application authentication method and device


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20220408