CN114650304A - Authentication and authorization method and device - Google Patents


Info

Publication number
CN114650304A
Authority
CN
China
Prior art keywords
user
authentication
internet
things platform
server
Legal status
Granted
Application number
CN202011499207.XA
Other languages
Chinese (zh)
Other versions
CN114650304B (en)
Inventor
周斌
黄烨
陈文德
付朝印
宋安平
陈涛
徐可
Current Assignee
Beijing Capitek Co ltd
China Unicom Jiangsu Industrial Internet Co Ltd
Original Assignee
Beijing Capitek Co ltd
China Unicom Jiangsu Industrial Internet Co Ltd
Events
Application filed by Beijing Capitek Co ltd, China Unicom Jiangsu Industrial Internet Co Ltd
Priority to CN202011499207.XA
Publication of CN114650304A
Application granted
Publication of CN114650304B
Legal status: Active (current)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • H04L12/00 Data switching networks
    • H04L12/02 Details
    • H04L12/14 Charging, metering or billing arrangements for data wireline or wireless communications
    • H04L12/141 Indication of costs
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint


Abstract

The application provides an authentication and authorization method and a device, wherein the method comprises the following steps: when receiving an access request sent by a user, a server of a first platform forwards an authentication request to an Internet of things platform based on user state information, wherein the user state information is used for indicating whether the Internet of things platform stores user information of the user; the server receives an authentication result of an authentication request sent by the platform of the Internet of things, wherein the authentication result comprises successful authentication or refusal of authentication; and when the authentication result is that the authentication is successful, the server sends authorization information to the user. According to the technical scheme, the users are divided into stored types and non-stored types based on whether the user information is stored in the Internet of things platform or not, so that the Internet of things platform provides services for stored new/old VPDN users, the Internet of things platform is ensured to provide services for users in provinces, and the reliability and convenience of the authentication and authorization function are improved.

Description

Authentication and authorization method and device
Technical Field
The present application relates to the field of communications technologies, and in particular, to a method and an apparatus for authentication and authorization.
Background
In the current standard networking architecture of a provincial China Unicom virtual private dial-up network (VPDN) platform (see, for example, fig. 1), the AAA (authentication, authorization, accounting) server of the provincial VPDN platform generally provides standard authentication, authorization and accounting services for terminals.
However, as internet of things platforms (e.g., the JASPER internet of things platform) are applied and developed, VPDN users are being migrated to the internet of things platform, and how the internet of things platform can provide reliable and convenient AAA service for VPDN users has become a growing concern. After migration, however, an old VPDN user must replace the internet of things card in order to use the new service; otherwise, even if many old VPDN users migrate to the internet of things platform, the corresponding services cannot be provided through it. The migration scheme is therefore time-consuming and labor-intensive, and carries a certain cost pressure.
Disclosure of Invention
In view of this, embodiments of the present application provide an authentication and authorization method and apparatus, which solve the problem that an old VPDN user cannot conveniently and quickly enjoy the high-quality service provided by an internet of things platform.
In a first aspect, an embodiment of the present application provides an authentication and authorization method, including: when receiving an access request sent by a user, a server of a first platform forwards an authentication request to an Internet of things platform based on user state information, wherein the user state information is used for indicating whether the Internet of things platform stores user information of the user; the server receives an authentication result of an authentication request sent by the platform of the Internet of things, wherein the authentication result comprises successful authentication or refusal of authentication; and when the authentication result is that the authentication is successful, the server sends authorization information to the user.
In some embodiments of the application, when the server of the first platform receives an access request sent by a user, before forwarding an authentication request to the internet of things platform based on user status information, the method further includes: according to whether the user information is synchronously stored in the platform of the Internet of things or not, dividing the user state information into synchronized state information and unsynchronized state information, wherein the step of forwarding the authentication request to the platform of the Internet of things based on the user state information comprises the following steps: and when the user state information is synchronized, transmitting an authentication request to the Internet of things platform.
In some embodiments of the present application, the method further includes sending, by the server, an authentication result to the user based on the authentication request when the user status information is not synchronized.
In some embodiments of the application, forwarding the authentication request to the internet of things platform based on the user state information includes: the server forwards the authentication request, which was accessed through the original intra-provincial gateway of the network platform, to the internet of things platform based on the user state information; and sending, by the server, the authorization information to the user includes: the server sends the authorization information to the user through the intra-provincial gateway.
In some embodiments of the present application, the first platform is a virtual private dial-up network platform and the authorization information includes a static IP address and a domain name system.
In some embodiments of the present application, after the server sends the authorization information to the user when the authentication result is that the authentication is successful, the method further includes: the server forwards a charging request to the Internet of things platform based on the user state information; the server receives a charging response of a charging request sent by the Internet of things platform; the server sends a charging response to the user.
In certain embodiments of the present application, further comprising: according to whether the user information is synchronously stored in the Internet of things platform or not, dividing the user state information into synchronized state information and unsynchronized state information, wherein the step of forwarding the charging request to the Internet of things platform by the server based on the user state information comprises the following steps: and when the user state information is synchronized, the server forwards a charging request to the Internet of things platform.
In some embodiments of the present application, the forwarding, by the server, of the charging request to the internet of things platform based on the user state information includes: the server forwards the charging request, which was accessed through the original intra-provincial gateway of the network platform, to the internet of things platform based on the user state information; and the server sending the charging response to the user includes: the server sends the charging response to the user through the intra-provincial gateway.
In a second aspect, an embodiment of the present application provides an apparatus for authentication and authorization, the apparatus including: the receiving and forwarding module is used for forwarding an authentication request to the Internet of things platform based on user state information when receiving an access request sent by a user, wherein the user state information is used for indicating whether the Internet of things platform stores user information of the user; the receiving module is used for receiving an authentication result of the authentication request sent by the Internet of things platform, wherein the authentication result comprises authentication success or authentication rejection; and the sending module is used for sending the authorization information to the user when the authentication result is that the authentication is successful.
In a third aspect, an embodiment of the present application provides an electronic device, including: a processor; a memory for storing processor executable instructions, wherein the processor is adapted to perform the method of authentication and authorization according to the first aspect.
The embodiment of the application provides an authentication and authorization method and device, and the Internet of things platform provides services for stored new/old VPDN users by dividing users into stored and non-stored types based on whether user information is stored in the Internet of things platform or not. The purpose of batch migration of VPDN users is realized, and the Internet of things platform is ensured to provide authentication and authorization services for new/old VPDN users.
Drawings
FIG. 1 is an architectural diagram of a VPDN platform.
Fig. 2 is a flow diagram of a standard authentication, authorization, and accounting service.
Fig. 3 is a flowchart illustrating a method for authentication and authorization according to an exemplary embodiment of the present application.
Fig. 4 is a flowchart illustrating an authentication and authorization method according to another exemplary embodiment of the present application.
Fig. 5 is a flowchart illustrating a method for providing authentication, authorization and accounting services according to an exemplary embodiment of the present application.
Fig. 6 is a flowchart illustrating a method for authentication, authorization and accounting services according to another exemplary embodiment of the present application.
Fig. 7 is a flowchart illustrating a method for authentication, authorization and accounting services according to another exemplary embodiment of the present application.
Fig. 8 is a schematic structural diagram of an authentication and authorization apparatus according to an exemplary embodiment of the present application.
Fig. 9 is a block diagram of an electronic device for authentication and authorization provided by an exemplary embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
The application scenario is explained below by taking as an example the migration of a VPDN user to the JASPER internet of things platform. When VPDN users are actually migrated to an internet of things platform, two schemes are generally adopted at present:
Scheme one: abandon the VPDN platform and migrate the VPDN users directly to an internet of things platform (such as the JASPER internet of things platform). In subsequent service processing, RADIUS messages are accessed directly through the group private network PGW (packet data network gateway) that interfaces with the JASPER internet of things platform, and the JASPER internet of things platform provides the AAA service. The problems with this scheme are: 1. VPDN users can use the new service only after replacing their internet of things card; large-scale card replacement carries cost pressure and takes time, which degrades the users' service experience. 2. VPDN users give up the original provincial PGW in favor of group private network PGW access, which requires technical transformation of network elements such as the wireless side and the Home Subscriber Server (HSS), again at a cost.
Scheme two: keep the VPDN platform; existing VPDN users continue to receive AAA service from the VPDN platform, while newly added internet of things users open accounts on the internet of things platform and receive AAA service from it. In short: "old user, old platform; new user, new platform". This coexistence strategy partly makes up for the defects of scheme one. However, it only ensures that the service scenario of newly added internet of things users meets the current migration requirement; the large number of existing VPDN users do not gain the improved AAA service quality of the JASPER internet of things platform, and the original goal of unified management is not met.
Fig. 2 is a flow diagram illustrating a prior art method for providing standard authentication, authorization and accounting services. For example, fig. 2 shows an operation procedure based on an AAA server and a packet data network gateway (PGW), which includes the following contents:
step 210: the PGW gateway sends a Remote Authentication Dial-In User Service (RADIUS) authentication request to the AAA server;
step 220: the AAA server returns a RADIUS authorization response to the PGW gateway;
step 230: the PGW gateway sends a RADIUS accounting request to the AAA server;
step 240: the AAA server returns a RADIUS accounting response to the PGW gateway.
Fig. 3 is a flowchart illustrating a method for authentication and authorization according to an exemplary embodiment of the present application. The method of fig. 3 is performed by a computing device, e.g., a server. As shown in fig. 3, the authentication and authorization method includes the following.
310: when receiving an access request sent by a user, the server of the first platform forwards an authentication request to the internet of things platform based on the user state information.
In an embodiment, the user state information is used to indicate whether the internet of things platform stores user information of the user.
In one embodiment, the first platform is a VPDN platform.
Specifically, the server may be an AAA server in the VPDN platform, and the access request may be a request issued by the user when the terminal dials. That is to say, when the user dials a number, the AAA server forwards the authentication request to the internet of things platform based on the user state information. The authentication request may be an AAA authentication request.
In an example, the internet of things platform may be a JASPER internet of things platform, and the type of the internet of things platform is not specifically limited in the embodiment of the present application. It should be understood that the internet of things platform may also refer to one or more servers.
The user state information divides VPDN users into two user states, "synchronized" and "unsynchronized", according to whether the user information of the VPDN user has been synchronized to the JASPER internet of things platform. "Synchronized" means that the user information of the VPDN user has been synchronized to the JASPER internet of things platform, so that both the VPDN platform and the JASPER internet of things platform store it; the copy held by the VPDN platform may be stored in the AAA server of the VPDN platform. "Unsynchronized" means that the user information of the VPDN user has not been synchronized to the JASPER internet of things platform and is stored only in the VPDN platform.
When the user information of the VPDN user is synchronized to the JASPER Internet of things platform, the AAA server forwards an authentication request sent by the VPDN user to the JASPER Internet of things platform for AAA authentication; otherwise, the AAA server directly carries out local authentication. That is to say, the AAA server determines whether the current user is forwarded to the JASPER internet of things platform for authentication or is directly authenticated locally according to different states of the user.
It should be understood that the authentication request may be a RADIUS authentication request. The authentication of the user in different states by different platforms (namely, the VPDN platform or the internet of things platform) can be realized by completing forwarding operation through the standard of the RADIUS protocol.
It should also be understood that the authentication method can ensure that the synchronized VPDN user can use the highly reliable authentication service of JASPER Internet of things platform, and can also ensure that the unsynchronized VPDN user uses the basic authentication service provided by AAA server of local VPDN platform.
320: the server receives the authentication result of the authentication request sent by the internet of things platform, where the authentication result is authentication success or authentication refusal.
Specifically, the AAA server receives an authentication result sent by the JASPER Internet of things platform. The authentication result may be authentication success or authentication rejection (i.e., authentication failure).
It should be understood that after the JASPER Internet of things platform receives the authentication request, the authentication request sent by the AAA server may be compared with database information in the JASPER Internet of things platform for analysis. If the authentication is successful, returning an authentication result of successful authentication to the AAA server; otherwise, the authentication result of the authentication rejection is sent to the AAA server.
330: when the authentication result is authentication success, the server sends authorization information to the user.
In one embodiment, the authorization information may include a static IP address and Domain Name System (DNS).
Specifically, for VPDN users successfully authenticated by the AAA of the Internet of things platform, the AAA server uniformly performs local authorization, and issues information such as a static IP address and a DNS for the VPDN users to use.
It should be understood that the original AAA authorization service of the JASPER internet of things platform is weak and cannot support authorization of information such as static IP addresses and DNS; in consideration of user terminal management and security, some VPDN users have clear requirements for static IP addresses, so that a local authorization mode is adopted to take account of the requirements.
Further, the method also includes: when the user state information is unsynchronized, the server sends an authentication result to the user based on the authentication request.
Specifically, when the user information of the VPDN user is not synchronized to the JASPER internet of things platform, the AAA server does not forward the authentication request, and directly performs local authentication in the AAA server. And the AAA server of the VPDN platform issues the authorization information.
Thus, by distinguishing whether or not user information is stored on the internet of things platform, the internet of things platform provides service for stored new/old VPDN users. This not only achieves batch migration of VPDN users but also ensures that the internet of things platform can provide authentication and authorization services for new/old VPDN users.
Fig. 4 is a flowchart illustrating an authentication and authorization method according to another exemplary embodiment of the present application. FIG. 4 is an example of the embodiment of FIG. 1, and the same parts are not repeated herein, and the differences are mainly described here. The authentication and authorization method includes the following.
410: divide the user state information into synchronized state information and unsynchronized state information according to whether the user information is synchronously stored in the internet of things platform.
Specifically, according to whether the user information of the VPDN user has been synchronized to the JASPER internet of things platform, the VPDN user is placed in one of two user states, "synchronized" and "unsynchronized". This state is used as the identifier that determines whether the subsequent AAA service is provided by the JASPER internet of things platform (i.e., for synchronized VPDN users) or locally by the AAA server of the VPDN platform (i.e., for unsynchronized VPDN users).
Unlike the migration mode of the prior art (namely, choosing either the internet of things platform or the VPDN platform), the user information of a synchronized VPDN user is kept in both the VPDN platform and the JASPER internet of things platform.
420: when the user state information is synchronized, transmit the authentication request to the internet of things platform.
Specifically, when the user information of the VPDN user is synchronized to the JASPER internet of things platform, the AAA server forwards an authentication request sent by the VPDN user to the JASPER internet of things platform for AAA authentication.
For details of the specific process, please refer to the description of the embodiment in fig. 1, and it is not repeated herein for avoiding repetition.
430: the server receives the authentication result of the authentication request sent by the internet of things platform, where the authentication result is authentication success or authentication refusal.
440: when the authentication result is authentication success, the server sends authorization information to the user.
Thus, by accurately dividing VPDN users into states and providing the authentication services of different platforms accordingly, the embodiment of the application can support batch synchronization of user information without limits on time or scale, ensuring stable operation of the service.
In an embodiment of the present application, forwarding the authentication request to the internet of things platform based on the user state information includes: the server forwards the authentication request, which was accessed through the original intra-provincial gateway of the network platform, to the internet of things platform based on the user state information; and sending, by the server, the authorization information to the user includes: the server sends the authorization information to the user through the intra-provincial gateway.
Specifically, the authentication request initiated by the VPDN user is still accessed through the original provincial PGW gateway, and at this time, even the VPDN user in the "synchronized" state is also accessed through the original provincial PGW gateway.
In an example, referring to fig. 5, the executing entities are the intra-provincial PGW gateway, the server (e.g., the AAA server), and the internet of things platform (e.g., the JASPER internet of things platform). Step 510: the authentication request is sent to the server through the intra-provincial PGW gateway; step 520: the server forwards the authentication request to the internet of things platform (i.e., the user state information of the VPDN user is synchronized); step 530: the server receives the authentication result sent by the internet of things platform; step 540: the server sends the authentication result to the user through the intra-provincial PGW gateway, and if the authentication result is success, the authorization information is also issued.
Illustratively, the authentication request may be a RADIUS authentication request, and the returned authentication result may also be a RADIUS authentication result.
Thus, the embodiment of the application ensures that the original access service and network element equipment such as the wireless side and the Home Subscriber Server (HSS) can be reused, while VPDN users need not replace their internet of things card or change domain name information.
Fig. 6 is a flowchart illustrating a method for authentication, authorization and accounting services according to another exemplary embodiment of the present application. Fig. 6 is an example of the embodiment of fig. 1; the same parts are not described again and only the differences are noted here. The method of the authentication, authorization and accounting service (i.e., AAA service) includes the following.
610: when receiving an access request sent by a user, the server of the first platform forwards an authentication request to the internet of things platform based on the user state information.
620: the server receives the authentication result of the authentication request sent by the internet of things platform, where the authentication result is authentication success or authentication refusal.
630: when the authentication result is authentication success, the server sends authorization information to the user.
640: the server forwards the charging request to the internet of things platform based on the user state information.
Specifically, the server may be an AAA server in the VPDN platform, and the user state information may divide the VPDN user into two user states of "synchronized" and "unsynchronized" according to whether the user information of the VPDN user is synchronized to the internet of things platform. The detailed description of the user status information is substantially the same as that described in fig. 3, and details thereof are not repeated herein with reference to fig. 3.
In an example, the internet of things platform may be a JASPER internet of things platform.
The AAA server performs AAA charging on different platforms (namely, the first platform or the internet of things platform) according to the user state information of the VPDN user. If the user is a VPDN user in the synchronized state, the AAA server forwards the charging request directly to the JASPER internet of things platform for AAA charging; otherwise, the AAA server performs local charging directly.
It should be understood that the accounting request may be a RADIUS accounting request. The AAA accounting method adopted above may be to complete the forwarding operation by the standard of the RADIUS protocol itself.
The AAA charging method can ensure that the synchronized VPDN user uses the flexible charging service of JASPER Internet of things platform, and can also ensure that the unsynchronized VPDN user uses the basic charging service provided by the AAA server of the local VPDN platform.
The charging request may be a charging start, a charging end, or an intermediate accumulated charging, which is not specifically limited in this embodiment of the present application.
650: the server receives a charging response to the charging request sent by the internet of things platform.
Specifically, the AAA server receives a charging response aiming at the charging request sent by the JASPER Internet of things platform.
The charging response may include a charging success or a charging failure. It can be understood that whether the charging request is charging start, charging end or intermediate accumulation charging, the corresponding charging response is charging success or charging failure.
660: the server sends the accounting response to the user.
Specifically, the server sends the accounting response via the original intra-provincial gateway of the VPDN platform.
Therefore, the embodiment of the application targets only the VPDN platform and, with minimal technical modification, combines the AAA service features of the VPDN platform and the Internet of Things platform: user information is synchronized to the Internet of Things platform in batches, the intra-provincial PGW receives and forwards the authentication request, the Internet of Things platform authenticates, and the AAA server of the VPDN platform authorizes locally and forwards accounting to the Internet of Things platform. This combination of services ensures that the Internet of Things platform can provide AAA service to intra-provincial VPDN users.
In an embodiment of the application, the server forwarding the accounting request to the Internet of Things platform based on the user state information includes: the server forwards the accounting request, received via the original intra-provincial gateway of the VPDN platform, to the Internet of Things platform based on the user state information; and the server sending the accounting response to the user includes: the server sends the accounting response to the user through that intra-provincial gateway.
Specifically, the accounting request initiated by the VPDN user is still received through the original intra-provincial PGW; this holds even for VPDN users in the "synchronized" state.
In one example, referring to fig. 5, the executing entities are the intra-provincial PGW, the server (for example, the AAA server) and the Internet of Things platform (for example, the JASPER Internet of Things platform):
550: the accounting request is sent to the server via the intra-provincial PGW;
560: the server forwards the accounting request to the Internet of Things platform (the user state information of the VPDN user being synchronized);
570: the server receives the accounting response sent by the Internet of Things platform;
580: the server sends the accounting response to the user via the intra-provincial PGW.
Illustratively, the accounting request may be a RADIUS Accounting-Request and the returned accounting response a RADIUS Accounting-Response.
Therefore, the embodiment of the application reuses the existing access service and retains existing network elements such as the radio side and the HSS. Meanwhile, the VPDN user does not need to replace the Internet of Things card or change domain name information.
Fig. 7 is a flowchart of a method for authentication, authorization and accounting services according to another exemplary embodiment of the present application. Fig. 7 builds on the embodiments of fig. 4 and fig. 6; parts that are the same are not described again, and the description focuses on the differences. The method of the authentication, authorization and accounting (AAA) service includes the following.
710: divide the user state information into synchronized state information and unsynchronized state information according to whether the user information is synchronously stored in the Internet of Things platform.
720: when the user state information is synchronized, forward the authentication request to the Internet of Things platform.
730: the server receives the authentication result of the authentication request from the Internet of Things platform, the authentication result being authentication success or authentication rejection.
740: when the authentication result is authentication success, the server sends authorization information to the user.
750: when the user state information is synchronized, the server forwards the accounting (charging) request to the Internet of Things platform.
Specifically, when the user information of the VPDN user has been synchronized to the JASPER Internet of Things platform, the AAA server forwards the accounting request sent by the VPDN user to the JASPER Internet of Things platform, which provides the AAA accounting service.
It should be understood that the operation steps of the AAA accounting service are substantially the same as those of the AAA authentication service described for fig. 3; refer to fig. 3 and the above embodiments for details, which are not repeated here.
760: the server receives an accounting response to the accounting request from the Internet of Things platform.
770: the server sends the accounting response to the user.
Further, the method also includes: when the user state information is unsynchronized, the server sends an accounting response to the user based on the accounting request.
Specifically, when the user information of the VPDN user has not been synchronized to the JASPER Internet of Things platform, the AAA server does not forward the accounting request but performs the accounting locally, and the AAA server of the VPDN platform sends the accounting response.
Therefore, VPDN users are precisely divided by state and served by the corresponding platform, so the embodiment of the application can support batch synchronization of user information with no limit on time or scale while keeping the service running stably.
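The routing rule of steps 640 to 660 and 750 to 770 above (accounting requests proxied to the Internet of Things platform for synchronized users, handled locally for all others) and the forwarding rule of steps 720 to 740 (authentication requests), worked through in code. This block is added by the editor and is not the patent's code nor any product of the applicants. It assumes things the patent does not specify: an in-memory user-state table, two constructed shared secrets (one for the PGW hop, one for the Internet of Things platform hop), constructed sample packets instead of real sockets, and the RFC 2548 MS-Primary-DNS-Server attribute as the carrier of the DNS part of the authorization information. It goes beyond the text in one respect: it also performs the Request Authenticator check that RFC 2866 requires before an Accounting-Request is trusted, and re-signs a forwarded request under the next hop's secret.

```python
"""Editor's added example, not the patent's code: user-state based routing of
RADIUS Access-Requests and Accounting-Requests at the VPDN AAA server.
Assumed (not from the patent): in-memory user-state table, two constructed
shared secrets, constructed packets, RFC 2548 MS-Primary-DNS-Server for DNS."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE = 1, 2, 4, 5
USER_NAME, FRAMED_IP_ADDRESS, VENDOR_SPECIFIC, ACCT_STATUS_TYPE = 1, 8, 26, 40
MS_VENDOR_ID, MS_PRIMARY_DNS_SERVER = 311, 28          # RFC 2548
ACCT_STATUS = {1: "start", 2: "stop", 3: "interim-update"}
# Constructed user-state table; users absent from it count as unsynchronized.
SYNC_STATE = {"dev001@vpdn.example": "synchronized",
              "dev002@vpdn.example": "unsynchronized"}
PGW_SECRET = b"pgw-secret"   # constructed; shared with the intra-provincial PGW
IOT_SECRET = b"iot-secret"   # constructed; shared with the IoT platform

def encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs

def build_packet(code, ident, auth_input, attrs, secret):
    """Access-Request keeps auth_input (random); Accounting-Request hashes over
    16 zero octets; responses hash over the Request Authenticator (RFC 2865/2866)."""
    body = encode_attrs(attrs)
    head = struct.pack("!BBH", code, ident, 20 + len(body))
    if code != ACCESS_REQUEST:
        auth_input = hashlib.md5(head + auth_input + body + secret).digest()
    return head + auth_input + body

def parse_packet(pkt):
    if len(pkt) < 20 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        raise ValueError("bad length")   # checked before walking the attributes
    return pkt[0], pkt[1], pkt[4:20], decode_attrs(pkt[20:])

def accounting_request_valid(pkt, secret):
    """RFC 2866: discard an Accounting-Request whose Request Authenticator does
    not verify under the sending client's secret. Without this check any host
    reaching the AAA port can inject Start/Stop records into the IoT billing."""
    expected = hashlib.md5(pkt[:4] + bytes(16) + pkt[20:] + secret).digest()
    return hmac.compare_digest(expected, pkt[4:20])

def response_valid(resp, req, secret):
    expected = hashlib.md5(resp[:4] + req[4:20] + resp[20:] + secret).digest()
    return hmac.compare_digest(expected, resp[4:20])

def route(pkt, secret=PGW_SECRET):
    """Patent rule for one request from the PGW: synchronized user -> proxy to
    the IoT platform, else handle locally. Returns (decision, packet or None)."""
    code, ident, auth, attrs = parse_packet(pkt)
    a = dict(attrs)
    user = a.get(USER_NAME, b"").decode("utf-8", "replace")
    state = SYNC_STATE.get(user, "unsynchronized")
    decision = {"user": user, "state": state, "code": code}
    if code == ACCOUNTING_REQUEST:
        if not accounting_request_valid(pkt, secret):
            decision["target"] = "discard"
            return decision, None
        raw = a.get(ACCT_STATUS_TYPE, b"")
        status = struct.unpack("!I", raw)[0] if len(raw) == 4 else 0
        decision["acct_status"] = ACCT_STATUS.get(status, "unknown")
    elif code != ACCESS_REQUEST:
        raise ValueError("unsupported code %d" % code)
    if state == "synchronized":
        # Hop-by-hop re-keying: same attributes, fresh authenticator under the
        # IoT secret (a User-Password, not carried here, would need re-encrypting).
        decision["target"] = "iot"
        auth_input = os.urandom(16) if code == ACCESS_REQUEST else bytes(16)
        return decision, build_packet(code, ident, auth_input, attrs, IOT_SECRET)
    decision["target"] = "local"
    if code == ACCOUNTING_REQUEST:   # local accounting: answer the PGW directly
        return decision, build_packet(ACCOUNTING_RESPONSE, ident, auth, [], secret)
    return decision, None            # local credential check is outside this example

def build_authorization(req, static_ip, dns_ip, secret=PGW_SECRET):
    """Access-Accept with the authorization items the patent names: static IP
    (Framed-IP-Address) and DNS server (MS-Primary-DNS-Server VSA)."""
    _, ident, auth, _ = parse_packet(req)
    vsa = struct.pack("!IBB", MS_VENDOR_ID, MS_PRIMARY_DNS_SERVER, 6) + socket.inet_aton(dns_ip)
    attrs = [(FRAMED_IP_ADDRESS, socket.inet_aton(static_ip)), (VENDOR_SPECIFIC, vsa)]
    return build_packet(ACCESS_ACCEPT, ident, auth, attrs, secret)

def make_acct_request(user, status, ident=7, secret=PGW_SECRET):
    """Constructed Accounting-Request as the PGW would send it."""
    attrs = [(USER_NAME, user.encode()), (ACCT_STATUS_TYPE, struct.pack("!I", status))]
    return build_packet(ACCOUNTING_REQUEST, ident, bytes(16), attrs, secret)

if __name__ == "__main__":
    print([route(make_acct_request(u, s))[0] for u, s in (("dev001@vpdn.example", 1), ("dev002@vpdn.example", 2))])
```

Running the block prints the routing decision for the two constructed users: the synchronized one is proxied (its outbound packet verifies only under the Internet of Things platform's secret), the unsynchronized one gets an Accounting-Response signed locally. The discard branch is the one worth keeping in a real deployment: an Accounting-Request accepted without the authenticator check would, for a synchronized user, be forwarded straight into the other platform's billing records.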
Fig. 8 is a schematic structural diagram of an authentication and authorization apparatus according to an exemplary embodiment of the present application. As shown in fig. 8, the authentication and authorization apparatus 800 includes a receiving and forwarding module 810, a receiving module 820 and a sending module 830.
The receiving and forwarding module 810 is configured to forward, when an access request sent by a user is received, an authentication request to the Internet of Things platform based on user state information, where the user state information indicates whether the Internet of Things platform stores the user information of the user; the receiving module 820 is configured to receive the authentication result of the authentication request from the Internet of Things platform, the authentication result being authentication success or authentication rejection; and the sending module 830 is configured to send authorization information to the user when the authentication result is authentication success.
The embodiment of the application thus provides an authentication and authorization apparatus in which users are divided into a stored type and a not-stored type according to whether their user information is stored in the Internet of Things platform, so that the Internet of Things platform provides services for the stored new and old VPDN users. This achieves batch migration of VPDN users and ensures that the Internet of Things platform can provide authentication and authorization services for new and old VPDN users.
In an embodiment of the present application, the user state information is divided into synchronized and unsynchronized according to whether the user information is synchronously stored in the Internet of Things platform, and the receiving and forwarding module 810 is configured to forward the authentication request to the Internet of Things platform when the user state information is synchronized.
In an embodiment of the application, when the user state information is unsynchronized, the server sends the authentication result to the user based on the authentication request.
In an embodiment of the present application, the receiving and forwarding module 810 is configured to forward the authentication request, received via the original intra-provincial gateway of the VPDN platform, to the Internet of Things platform based on the user state information; and the sending module 830 is configured to send the authorization information to the user through that intra-provincial gateway.
In an embodiment of the present application, the first platform is a virtual private dial-up network (VPDN) platform, and the authorization information includes a static IP (Internet Protocol) address and domain name system (DNS) information.
In an embodiment of the present application, the method further includes: the server forwards an accounting (charging) request to the Internet of Things platform based on the user state information; the server receives an accounting response to the accounting request from the Internet of Things platform; and the server sends the accounting response to the user.
In an embodiment of the present application, the method further includes dividing the user state information into synchronized state information and unsynchronized state information according to whether the user information is synchronously stored in the Internet of Things platform, where the server forwarding the accounting request to the Internet of Things platform based on the user state information includes: when the user state information is synchronized, the server forwards the accounting request to the Internet of Things platform.
In an embodiment of the present application, the server forwarding the accounting request to the Internet of Things platform based on the user state information includes: the server forwards the accounting request, received via the original intra-provincial gateway of the VPDN platform, to the Internet of Things platform based on the user state information; and the server sending the accounting response to the user includes: the server sends the accounting response to the user through that intra-provincial gateway.
It should be understood that the specific working processes and functions of the receiving and forwarding module 810, the receiving module 820 and the sending module 830 in the above embodiments correspond to the authentication and authorization method provided in the embodiments of fig. 4 to fig. 7; refer to the description of those embodiments, which is not repeated here.
Fig. 9 is a block diagram of an electronic device 900 for authentication and authorization provided by an exemplary embodiment of the present application.
Referring to fig. 9, electronic device 900 includes a processing component 910 that further includes one or more processors, and memory resources, represented by memory 920, for storing instructions, such as applications, that are executable by processing component 910. The application programs stored in memory 920 may include one or more modules that each correspond to a set of instructions. Further, the processing component 910 is configured to execute instructions to perform the above-described methods of authentication and authorization.
The electronic device 900 may also include a power component configured to perform power management for the electronic device 900, a wired or wireless network interface configured to connect the electronic device 900 to a network, and an input/output (I/O) interface. The electronic device 900 may operate on an operating system stored in the memory 920, such as Windows Server™, Mac OS X™, Unix™, Linux™, FreeBSD™ or the like.
A non-transitory computer readable storage medium having instructions stored thereon that, when executed by a processor of the electronic device 900, enable the electronic device 900 to perform a method of authentication and authorization, comprising: when receiving an access request sent by a user, a server of a first platform forwards an authentication request to an Internet of things platform based on user state information, wherein the user state information is used for indicating whether the Internet of things platform stores user information of the user; the server receives an authentication result of an authentication request sent by the platform of the Internet of things, wherein the authentication result comprises successful authentication or refusal of authentication; and when the authentication result is that the authentication is successful, the server sends authorization information to the user.
All the above optional technical solutions can be combined arbitrarily to form optional embodiments of the present application, and are not described herein again.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the technical solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the units is only one logical division, and there may be other divisions when actually implementing, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not implemented. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application, or the portions of it that contribute to the prior art, may be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. The aforementioned storage medium includes various media capable of storing program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disk.
The above description is only exemplary of the present application and should not be taken as limiting the present application, as any modifications, equivalents and the like that are within the spirit and principle of the present application should be included in the scope of the present application.

Claims (10)

1. A method of authentication and authorization, comprising:
when receiving an access request sent by a user, a server of a first platform forwards an authentication request to an Internet of things platform based on user state information, wherein the user state information is used for indicating whether the Internet of things platform stores user information of the user or not;
the server receives an authentication result of the authentication request sent by the Internet of things platform, wherein the authentication result comprises authentication success or authentication rejection;
and when the authentication result is that the authentication is successful, the server sends authorization information to the user.
2. The authentication and authorization method according to claim 1, before the server of the first platform forwards the authentication request to the internet of things platform based on the user status information when receiving the access request sent by the user, further comprising:
dividing the user state information into synchronized and unsynchronized state information according to whether the user information is synchronously stored in the Internet of things platform or not,
wherein the forwarding of the authentication request to the internet of things platform based on the user state information comprises:
and when the user state information is synchronized, forwarding the authentication request to the Internet of things platform.
3. The method of authentication and authorization according to claim 2, further comprising:
and when the user state information is not synchronized, the server sends the authentication result to the user based on the authentication request.
4. The method of authentication and authorization according to claim 1, wherein the forwarding of the authentication request to the Internet of Things platform based on the user state information comprises:
the server forwards the authentication request, received via the original intra-provincial gateway of the first platform, to the Internet of Things platform based on the user state information;
and the server sending the authorization information to the user comprises:
the server sends the authorization information to the user through the intra-provincial gateway.
5. The method of authentication and authorization according to any of claims 1 to 4, wherein the first platform is a virtual private dial-up network (VPDN) platform and the authorization information comprises a static IP address and domain name system (DNS) information.
6. The method of authentication and authorization according to claim 1, wherein, after the server sends the authorization information to the user when the authentication result is authentication success, the method further comprises:
the server forwards an accounting (charging) request to the Internet of Things platform based on the user state information;
the server receives an accounting response to the accounting request from the Internet of Things platform;
and the server sends the accounting response to the user.
7. The method of authentication and authorization according to claim 6, further comprising:
dividing the user state information into synchronized and unsynchronized state information according to whether the user information is synchronously stored in the Internet of Things platform,
wherein the server forwarding the accounting request to the Internet of Things platform based on the user state information comprises:
when the user state information is synchronized, the server forwards the accounting request to the Internet of Things platform.
8. The method of authentication and authorization according to claim 6, wherein the server forwarding the accounting request to the Internet of Things platform based on the user state information comprises:
the server forwards the accounting request, received via the original intra-provincial gateway of the first platform, to the Internet of Things platform based on the user state information;
and the server sending the accounting response to the user comprises:
the server sends the accounting response to the user through the intra-provincial gateway.
9. An apparatus for authentication and authorization, comprising:
the system comprises a receiving and forwarding module, a processing module and a processing module, wherein the receiving and forwarding module is used for forwarding an authentication request to an Internet of things platform based on user state information when receiving an access request sent by a user, and the user state information is used for indicating whether the Internet of things platform stores user information of the user;
the receiving module is used for receiving an authentication result of the authentication request sent by the Internet of things platform, wherein the authentication result comprises authentication success or authentication rejection;
and the sending module is used for sending authorization information to the user when the authentication result is that the authentication is successful.
10. An electronic device, comprising:
a processor;
a memory for storing the processor-executable instructions,
wherein the processor is configured to perform the method of authentication and authorization of any of the preceding claims 1 to 8.
CN202011499207.XA 2020-12-17 2020-12-17 Authentication and authorization method and device Active CN114650304B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011499207.XA CN114650304B (en) 2020-12-17 2020-12-17 Authentication and authorization method and device

Publications (2)

Publication Number Publication Date
CN114650304A true CN114650304A (en) 2022-06-21
CN114650304B CN114650304B (en) 2024-03-15

Family

ID=81990829

Country Status (1)

Country Link
CN (1) CN114650304B (en)

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2007033519A1 (en) * 2005-09-20 2007-03-29 Zte Corporation A method for updating the access of virtual private dial-network dynamically
CN106714167A (en) * 2016-12-30 2017-05-24 北京华为数字技术有限公司 Authentication method and network access server
CN108462710A (en) * 2018-03-20 2018-08-28 新华三技术有限公司 Authentication authority method, device, certificate server and machine readable storage medium
CN109194673A (en) * 2018-09-20 2019-01-11 江苏满运软件科技有限公司 Authentication method, system, equipment and storage medium based on authorized user message
CN109450657A (en) * 2019-01-15 2019-03-08 深圳联想懂的通信有限公司 A kind of Intelligent internet of things communications service system and method
CN109889551A (en) * 2019-04-16 2019-06-14 湖南树华环保科技有限公司 A kind of method of the Internet of Things cloud platform of Intelligent hardware access
CN110753023A (en) * 2018-07-24 2020-02-04 阿里巴巴集团控股有限公司 Equipment authentication method, equipment access method and device
CN111147527A (en) * 2020-03-09 2020-05-12 深信服科技股份有限公司 Internet of things system and equipment authentication method, device, equipment and medium thereof

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant