CN114697055A - Method, device, equipment and system for service access - Google Patents


Info

Publication number
CN114697055A
Authority
CN (China)
Prior art keywords
authentication
session identifier
service access
module
application
Legal status
Pending
Application number
CN202011579037.6A
Other languages
Chinese (zh)
Inventor
徐超
李丽芳
李光焰
张知晓
崔芳
Current Assignee
China Mobile Communications Group Co Ltd
Original Assignee
China Mobile Communications Group Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/321 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
    • H04L9/3213 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority using tickets or tokens, e.g. Kerberos

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Power Engineering (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses a method, a device, equipment and a system for service access. The method comprises the following steps: sending a first service access request to an application server, so that the application server verifies a first session identifier and, when the first session identifier is no longer valid, sends a second session identifier to the application client; sending a first login request to an authentication Software Development Kit (SDK), wherein the first login request comprises the second session identifier, so that the authentication SDK determines the authentication token corresponding to the second session identifier and verifies the validity of the authentication token through an authentication platform; when the authentication token is valid, receiving a first login result sent by the authentication SDK, wherein the first login result comprises successful login; and sending a second service access request to the application server, wherein the second service access request comprises the second session identifier, so that the application client can perform service access with the application server. The method of the embodiment of the invention can improve the efficiency with which a user accesses a service through the application client.

Description

Method, device, equipment and system for service access
Technical Field
The invention belongs to the technical field of terminals, and particularly relates to a method, device and system for service access.
Background
With the rapid development of the mobile internet, most of the applications of smart phones which provide value-added services for users are configured with an account system.
The application of the smart phone associates user service data with a user account, and a user needs to establish the account and perform a series of login operations, and can access the service after logging in.
In the existing account system, the process by which a user logs in to an application account to access a service is complicated and inefficient.
Disclosure of Invention
Embodiments of the present invention provide a method, an apparatus, a device, and a system for service access, which can improve efficiency of a user using an application client to perform service access by reducing authentication processes.
In a first aspect, an embodiment of the present invention provides a method for service access, where the method includes:
sending a first service access request to an application server, wherein the first service access request comprises a first session identifier, so that the application server verifies the first session identifier and, when the first session identifier is no longer valid, sends a second session identifier to the application client;
sending a first login request to an authentication Software Development Kit (SDK), wherein the first login request comprises the second session identifier, so that the authentication SDK determines the authentication token corresponding to the second session identifier and verifies the validity of the authentication token through an authentication platform;
when the authentication token is valid, receiving a first login result sent by the authentication SDK, wherein the first login result comprises successful login;
and sending a second service access request to the application server, wherein the second service access request comprises the second session identifier, so that the application client can perform service access with the application server.
In one possible implementation, the method further includes:
sending a session application request to the application server;
receiving a first session identifier sent by the application server in response to the session application request;
and sending a second login request to the authentication SDK, wherein the second login request comprises the first session identifier, so that the authentication SDK authenticates with the authentication platform according to the first session identifier and acquires an authentication token.
In a possible implementation manner, the first login request and the second login request each further include at least one of the following: an application server identifier and an application client key.
In one possible implementation, the method includes:
receiving a first login request sent by the application client, wherein the first login request comprises a second session identifier;
determining the authentication token corresponding to the second session identifier, and verifying the validity of the authentication token through the authentication platform;
and when the authentication token is valid, sending a first login result to the application client, wherein the first login result comprises successful login and is used for service access between the application client and the application server.
In one possible implementation, the method further includes:
acquiring user identity data and sending the user identity data to the authentication platform, so that the authentication platform authenticates the user identity data and generates an authentication token when the authentication passes;
receiving the authentication token sent by the authentication platform;
and storing the first session identifier in association with the authentication token.
In a second aspect, an embodiment of the present invention provides an apparatus for service access, where the apparatus includes:
the application client module is configured to send a first service access request to the application server module, wherein the first service access request comprises a first session identifier; to receive a second session identifier sent by the application server module when the first session identifier is no longer valid; to send a first login request to the authentication SDK module, wherein the first login request comprises the second session identifier; to receive a first login result sent by the authentication SDK module when the authentication token is valid, wherein the first login result comprises successful login; and to send a second service access request to the application server module, wherein the second service access request comprises the second session identifier, for performing service access with the application server module;
the application server module is configured to verify the first session identifier and to send the second session identifier to the application client module when the first session identifier is no longer valid; to receive the second service access request sent by the application client module; and to accept service access from the application client module;
the authentication SDK module is configured to receive the first login request sent by the application client module, determine the authentication token corresponding to the second session identifier, and verify the validity of the authentication token through the authentication platform module; and, when the authentication token is valid, to send the first login result to the application client module;
and the authentication platform module is configured to verify the validity of the authentication token.
In a possible implementation manner, the application client module is further configured to send a session application request to the application server module; to receive the first session identifier sent by the application server module; and to send a second login request to the authentication SDK module, wherein the second login request comprises the first session identifier;
the application server module is further configured to receive the session application request sent by the application client module, and to send the first session identifier to the application client module in response to the session application request;
the authentication SDK module is further configured to authenticate with the authentication platform according to the first session identifier and to acquire an authentication token;
and the authentication platform module is further configured to send the authentication token to the authentication SDK module when the authentication succeeds.
In a third aspect, an embodiment of the present invention provides an electronic device, including: a processor and a memory storing computer program instructions; the processor, when executing the computer program instructions, performs the method as in the first aspect or any possible implementation of the first aspect.
In a fourth aspect, an embodiment of the present invention provides a system for service access, where the system includes:
the application client is configured to send a first service access request to the application server, wherein the first service access request comprises a first session identifier; to receive a second session identifier sent by the application server when the first session identifier is no longer valid; to send a first login request to the authentication SDK, wherein the first login request comprises the second session identifier; to receive a first login result sent by the authentication SDK when the authentication token is valid, wherein the first login result comprises login success; and to send a second service access request to the application server, wherein the second service access request comprises the second session identifier, for performing service access with the application server;
the application server is configured to verify the first session identifier and to send the second session identifier to the application client when the first session identifier is no longer valid; to receive the second service access request sent by the application client; and to accept service access from the application client;
the authentication SDK is configured to receive the first login request sent by the application client, determine the authentication token corresponding to the second session identifier, and verify the validity of the authentication token through the authentication platform; and, when the authentication token is valid, to send the first login result to the application client;
and the authentication platform is configured to verify the validity of the authentication token.
In a possible implementation manner, the application client is further configured to send a session application request to the application server; to receive the first session identifier sent by the application server; and to send a second login request to the authentication SDK, wherein the second login request comprises the first session identifier;
the application server is further configured to receive the session application request sent by the application client, and to send the first session identifier to the application client in response to the session application request;
the authentication SDK is further configured to authenticate with the authentication platform according to the first session identifier and to acquire an authentication token;
and the authentication platform is further configured to send the authentication token to the authentication SDK when the authentication succeeds.
The technical scheme provided by the embodiment of the invention at least has the following beneficial effects:
according to the invention, the application client sends login request information to the authentication SDK according to the valid second session identifier; the authentication SDK determines the authentication token corresponding to the second session identifier from the login request information and verifies the validity of the authentication token through the authentication platform; when the authentication token is valid the application client logs in successfully and can perform service access with the application server. The authentication process is reduced, so the efficiency with which the user accesses the service through the application client is improved.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings required to be used in the embodiments of the present invention will be briefly described below, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
Fig. 1 is a schematic diagram of a system for service access according to an embodiment of the present invention;
Fig. 2 is a schematic flow chart of a method for service access according to an embodiment of the present invention;
Fig. 3 is a schematic flow chart of another service access method provided by an embodiment of the present invention;
Fig. 4 is a schematic structural diagram of a user terminal and a server according to an embodiment of the present invention;
Fig. 5 is a schematic flow chart of another service access method provided by an embodiment of the present invention;
Fig. 6 is a schematic structural diagram of a service access device provided by an embodiment of the present invention;
Fig. 7 is a schematic diagram of the hardware structure of an electronic device according to an embodiment of the present invention.
Detailed Description
Features and exemplary embodiments of various aspects of the present invention will be described in detail below, and in order to make objects, technical solutions and advantages of the present invention more apparent, the present invention will be further described in detail below with reference to the accompanying drawings and specific embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not to be construed as limiting the invention. It will be apparent to one skilled in the art that the present invention may be practiced without some of these specific details. The following description of the embodiments is merely intended to provide a better understanding of the present invention by illustrating examples of the present invention.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising … …" does not exclude the presence of additional identical elements in the process, method, article, or apparatus that comprises the element.
With the rapid development of the mobile internet, most of the applications of smart phones which provide value-added services for users are configured with an account system.
The application of the smart phone associates user service data with a user account, and a user needs to establish the account and perform a series of login operations, and can access the service after logging in.
In the existing account system, the process by which a user logs in to an application account to access a service is complicated and inefficient.
The embodiment of the invention provides a method, a device, equipment and a system for service access. The authentication process can be reduced, so the efficiency with which the user accesses the service through the application client is improved.
An embodiment of the present invention further provides a system for service access. As shown in Fig. 1, the system 100 for service access includes: an application client 110, an application server 120, an authentication SDK 130, and an authentication platform 140.
In one embodiment provided by the present invention, the application client 110 is configured to send a first service access request to the application server, where the first service access request includes a first session identifier; to receive a second session identifier sent by the application server when the first session identifier is no longer valid; to send a first login request to the authentication SDK, where the first login request includes the second session identifier; to receive a first login result sent by the authentication SDK when the authentication token is valid, where the first login result comprises login success; and to send a second service access request to the application server, where the second service access request includes the second session identifier, so as to perform service access with the application server.
The application server 120 is configured to verify the first session identifier and to send the second session identifier to the application client when the first session identifier is no longer valid; to receive the second service access request sent by the application client; and to accept service access from the application client.
The authentication SDK 130 is configured to receive the first login request sent by the application client, determine the authentication token corresponding to the second session identifier, and verify the validity of the authentication token through the authentication platform; and, when the authentication token is valid, to send the first login result to the application client.
An authentication platform 140 for verifying the validity of the authentication token.
And when the authentication token is valid, the authentication platform is further used for sending the verification result and the second session identifier to the application server.
In the service access system provided by the embodiment of the invention, the application client sends a first service access request to the application server, wherein the first service access request comprises a first session identifier; when the first session identifier is no longer valid, the application server sends a second session identifier to the application client; the application client sends login request information to the authentication SDK according to the valid second session identifier; the authentication SDK determines the authentication token corresponding to the second session identifier from the login request information and verifies the validity of the authentication token through the authentication platform; when the authentication token is valid, the authentication platform sends the verification result and the second session identifier to the application server, the application client logs in successfully, and the application client can perform service access with the application server. The authentication process is reduced, so the efficiency with which the user accesses the service through the application client is improved.
In the system for service access according to an embodiment of the present invention, the application client 110 is further configured to send a session application request to the application server; to receive the first session identifier sent by the application server; and to send a second login request to the authentication SDK, the second login request including the first session identifier.
The application server 120 is further configured to receive the session application request sent by the application client, and to send the first session identifier to the application client in response to the session application request.
The authentication SDK 130 is further configured to authenticate with the authentication platform according to the first session identifier and to obtain an authentication token.
The authentication SDK 130 is further configured to store the first session identifier in association with the authentication token.
The authentication platform 140 is further configured to send the authentication token to the authentication SDK when the authentication succeeds.
In the service access system provided by the embodiment of the invention, the application server sends the first session identifier to the application client in response to the session application request sent by the application client; the authentication SDK receives the second login request sent by the application client and starts authentication; after the authentication passes, the authentication platform generates the authentication token and sends it to the authentication SDK, and the authentication SDK stores the first session identifier in association with the authentication token. The authentication token is stored in the authentication SDK and is not sent to the application client, so information such as the authentication token cannot be intercepted in transit and security is ensured. When accessing the service, the application client does not need to authenticate again with the application server; only the validity of the authentication token needs to be verified, so the authentication process is reduced and the efficiency with which the user accesses the service through the application client is improved.
The method for service access provided by one embodiment of the present invention will be described in detail below with reference to Fig. 2.
As shown in Fig. 2, the method may include the following steps:
201, the application client sends a first service access request to the application server.
The first service access request includes a first session identification.
Before service access is carried out, the application client sends a service access request to the corresponding application server. In the embodiment of the invention, the application client sends the first service access request to the application server.
202, the application server verifies the first session identifier.
When the application client accesses the application server to perform service interaction, the application server verifies whether the current session identifier has exceeded its validity period and whether authentication has been completed; only when the first session identifier is valid and authenticated does the application server allow the application client to continue with the subsequent service flow.
In the embodiment of the invention, the application server verifies the first session identifier.
203, when the first session identifier is no longer valid, the application server sends a second session identifier to the application client.
That is, when the first session identifier is no longer valid, the application server sends a new session identifier, the second session identifier, to the application client; the second session identifier is a valid session identifier.
204, the application client sends a first login request to the authentication SDK.
The first login request includes the second session identifier.
In one embodiment provided by the present invention, the first login request further includes at least one of the following: an application server identifier and an application client key.
In the method provided by the embodiment of the invention, the application client sends the first login request to the authentication SDK, so that the authentication SDK can perform authentication with the authentication platform according to the first login request.
205, the authentication SDK determines the authentication token corresponding to the second session identifier.
The authentication token is stored in the authentication SDK, which allows the authentication SDK to determine the authentication token corresponding to the second session identifier.
206, the authentication SDK verifies the validity of the authentication token through the authentication platform.
The authentication SDK sends the first login request and the authentication token to the authentication platform, and the authentication platform verifies the validity of the authentication token.
207, when the authentication token is valid, the application client receives a first login result sent by the authentication SDK.
The first login result comprises successful login.
When the authentication token is valid, the application client logs in successfully, and the authentication SDK sends the first login result to the application client.
When the authentication token is valid, the authentication platform also sends the verification result of the authentication token to the application server.
In an embodiment provided by the present invention, after the authentication platform verifies that the authentication token is valid, it sends the first login result to the authentication SDK and also generates a new authentication token and sends it to the authentication SDK. The authentication SDK receives the new authentication token from the authentication platform and stores the second session identifier in association with it, within the authentication SDK. In the method provided by the embodiment of the invention, the authentication token is stored only in the authentication SDK and is never sent to the application client, so information such as the authentication token cannot be intercepted in transit, and security is ensured.
In one embodiment provided by the invention, the authentication SDK acquires user identity data and sends it to the authentication platform; the authentication platform generates the authentication token, the corresponding relation between the user identity data and the authentication token, and the valid time of the authentication token.
The user identity data may be a Subscriber Identity Module (SIM) code.
The authentication SDK acquires the SIM code and sends it to the authentication platform; the authentication platform generates the authentication token, the corresponding relation between the SIM code and the authentication token, and the valid time of the authentication token.
The authentication platform verifying the validity of the authentication token comprises: authenticating the corresponding relation between the user identity data and the authentication token; authenticating the corresponding relation between the application client and the authentication token; and authenticating the valid time of the authentication token.
The authentication token is valid only if the above authentications are all passed.
When the authentication token is valid, the authentication platform sends the authentication result and the user identity data to the application server.
When the user identity data is the SIM code and the authentication token is valid, the authentication platform sends the authentication result and the SIM code to the application server.
In the embodiment provided by the invention, regardless of whether the terminal hosting the application client uses wireless broadband or mobile data, as long as the user identity data has not changed the application client logs in successfully whenever the authentication token is valid. Information such as the authentication token is kept from being intercepted in transit, which ensures security, shortens the authentication process and improves the efficiency with which the user accesses the service through the application client.
208, the application client sends a second service request to the application server.
The second service request comprises a second session identifier, and the application client performs service request access to the application server based on the second session identifier.
In the method provided by the embodiment of the invention, the application client sends the login request information to the authentication SDK according to the valid second session identifier; the authentication SDK determines the authentication token corresponding to the second session identifier from the login request information and verifies its validity through the authentication platform; when the authentication token is valid, the application client logs in successfully and can access the service on the application server. The authentication process is reduced, and the efficiency with which the user accesses the service through the application client is therefore improved.
In an embodiment provided by the present invention, in the method for accessing a service, when a user logs in an application client for the first time, a flow of a method for acquiring an authentication token by an authentication SDK is shown in fig. 2.
The method comprises the following steps:
301, the application client sends a request for applying for a session to the application server.
Before the application client service starts, a session application request is sent to an application server, and the session application request is used for the application server to generate a first session identifier according to the session application request.
302, the application server sends a first session identifier to the application client.
The application client receives the first session identifier sent by the application server according to the session application request.
303, the application client sends a second login request to the authentication SDK.
The second login request comprises the first session identifier, which the authentication SDK uses to authenticate with the authentication platform and acquire the authentication token.
In one example, the second login request further includes at least one of: an application server identifier, an application client key.
In the method provided by the embodiment of the invention, the application client sends the second login request to the authentication SDK, so that the authentication SDK can conveniently perform authentication with the authentication platform according to the second login request.
304, the authentication SDK authenticates with the authentication platform.
The authentication SDK authenticates with the authentication platform according to the first session identifier.
In one example, the authentication SDK obtains user identity data and sends it to the authentication platform; the authentication platform authenticates the user identity data and generates an authentication token when the authentication passes.
The authentication platform also generates the corresponding relation between the user identity data and the authentication token, and the valid time of the authentication token.
The user identity data may be a Subscriber Identity Module (SIM) code.
305, the authentication platform sends the authentication token to the authentication SDK.
The authentication token is stored in the authentication SDK.
306, the authentication platform stores the first session identification in association with the authentication token.
In the method provided by the embodiment of the invention, the application server sends the first session identifier to the application client according to the session application request sent by the application client; the authentication SDK receives the second login request sent by the application client, acquires the user identity data and starts authentication; and the authentication platform generates the authentication token after the authentication passes. Once the authentication token has been obtained, and as long as the user identity data has not changed, the application client does not need to authenticate again when accessing the service on the application server; only the validity of the authentication token is verified, so the authentication process is reduced and the efficiency with which the user accesses the service through the application client is improved.
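The session-identifier and token flow of steps 205-208 and the first-login flow of steps 301-306, as an added Python model that is not the patent's code: the class names, the session and token lifetimes, the application key and the SIM codes are constructed assumptions, and the AKA bootstrapping of Fig. 5 is stood in for by a trusted platform call. It shows the three bindings the platform checks (user identity, application client, valid time), token rotation after a successful check, and that the token never leaves the SDK.

```python
import secrets
import time
from dataclasses import dataclass


@dataclass
class TokenRecord:
    sim_code: str      # user identity data the token is bound to
    app_key: str       # application client the token is bound to
    expires_at: float  # end of the token's valid time


class ApplicationServer:
    """Keeps session identifiers with their validity period and authentication state."""
    def __init__(self, now=time.time, session_ttl=600):
        self.now, self.session_ttl = now, session_ttl
        self.sessions = {}  # session_id -> {"expires": float, "user": sim_code or None}

    def apply_session(self):
        sid = secrets.token_urlsafe(8)
        self.sessions[sid] = {"expires": self.now() + self.session_ttl, "user": None}
        return sid

    def receive_auth_result(self, session_id, sim_code):
        # Only the platform calls this; the client never asserts its own identity.
        if session_id in self.sessions:
            self.sessions[session_id]["user"] = sim_code

    def service_request(self, session_id):
        s = self.sessions.get(session_id)
        if s is None or self.now() >= s["expires"]:
            # The first session identifier failed: hand back a second one.
            return {"status": "session_invalid", "session_id": self.apply_session()}
        if s["user"] is None:
            return {"status": "unauthenticated"}
        return {"status": "ok", "user": s["user"]}


class AuthPlatform:
    """Issues tokens and checks the three bindings the text lists (user identity,
    application client, valid time); stands in for the BSF/NAF of Fig. 5."""
    def __init__(self, app_server, now=time.time, token_ttl=3600):
        self.app_server, self.now, self.token_ttl = app_server, now, token_ttl
        self.tokens = {}  # token -> TokenRecord

    def authenticate(self, sim_code, app_key, session_id):
        # The AKA run is modelled as already passed; a real platform verifies it first.
        token = secrets.token_hex(16)
        self.tokens[token] = TokenRecord(sim_code, app_key, self.now() + self.token_ttl)
        self.app_server.receive_auth_result(session_id, sim_code)  # result + identity
        return token

    def verify(self, token, sim_code, app_key, session_id):
        rec = self.tokens.pop(token, None)  # a token is checked once, then rotated
        if (rec is None or rec.sim_code != sim_code or rec.app_key != app_key
                or self.now() >= rec.expires_at):
            return None
        return self.authenticate(sim_code, app_key, session_id)  # fresh token, server told


class AuthSDK:
    """Holds the token inside the SDK; login() never hands it to the application client."""
    def __init__(self, platform, app_key, read_sim):
        self.platform, self.app_key, self.read_sim = platform, app_key, read_sim
        self.token = None

    def login(self, session_id):
        sim = self.read_sim()  # user identity data read from the terminal
        if self.token is None:  # first login: full authentication (steps 303-306)
            self.token = self.platform.authenticate(sim, self.app_key, session_id)
        else:                   # later login: token validity check only (steps 205-207)
            self.token = self.platform.verify(self.token, sim, self.app_key, session_id)
        return "login success" if self.token else "login failure"


def run_scenario(sim_changed=False):
    """First login, session expiry, re-login with the second session identifier, then a
    second service request; returns the observed results in order."""
    clock = {"t": 1_000_000.0}  # controllable clock so the session can be expired
    now = lambda: clock["t"]
    server = ApplicationServer(now=now, session_ttl=600)
    platform = AuthPlatform(server, now=now, token_ttl=3600)
    sim = {"code": "SIM-CONSTRUCTED-0001"}  # constructed sample identity
    sdk = AuthSDK(platform, app_key="appkey-demo", read_sim=lambda: sim["code"])
    log = []
    sid1 = server.apply_session()                        # steps 301-302
    log.append(sdk.login(sid1))                          # steps 303-306
    log.append(server.service_request(sid1)["status"])   # service access with sid1
    clock["t"] += 900                                    # session expired, token still valid
    if sim_changed:
        sim["code"] = "SIM-CONSTRUCTED-0002"             # a different SIM in the terminal
    reply = server.service_request(sid1)                 # first identifier fails
    log.append(reply["status"])
    sid2 = reply["session_id"]                           # second session identifier
    log.append(sdk.login(sid2))                          # steps 205-207
    log.append(server.service_request(sid2)["status"])   # step 208
    return log
```

With an unchanged SIM the second login succeeds on the token check alone; with a changed SIM the platform refuses, the SDK drops the token, and the second session identifier never becomes authenticated on the server.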
In one example, a schematic diagram of the structure of the user terminal and the server is shown in fig. 4.
The Android system architecture may comprise an application layer, an application client, an authentication SDK, a framework layer and a system runtime library. The application layer comprises applications such as calls (Phone), contacts (Contacts) and short messages (Messages). The framework layer includes the Activity Manager, Window Manager, Telephony Manager and the like.
The server may include an application server, a Network Application Function (NAF) server and a Bootstrapping Server Function (BSF) server.
The authentication SDK reads the telephony management component of the Android system to acquire the SIM card information and the authentication-related key, interacts with the NAF server and the BSF server, completes authentication and acquires the authentication token.
In one embodiment provided by the present invention, a method flow of service access is shown in fig. 5. The method comprises the following steps:
1. The application client applies for a session identifier from the application server.
2. The application server returns the session identifier to the application client.
3. The application client sends the applied-for session identifier to the authentication SDK to initiate the authentication login process.
In one example, the application client further sends at least one of an application server address and an application client key (appkey) contained in a Uniform Resource Locator (URL) to the authentication SDK to initiate an authentication login process.
4. The authentication SDK establishes a Transport Layer Security (TLS) link with the NAF.
The authentication SDK establishes the TLS link with the NAF via a TLS handshake.
5. The authentication SDK sends a Hypertext Transfer Protocol (HTTP) request to the NAF over the TLS link; the request includes the session identifier and requests authentication.
In one example, the HTTP request further comprises at least one of an application server address and an application client key (appkey).
6. The NAF authenticates the application client.
This step may also be described as the NAF authenticating the application.
7. When the NAF determines that the SDK does not carry an authentication token, or that the authentication token is invalid or expired, the NAF authenticates the UE.
In one example, the NAF replies to the authentication SDK with 401 Unauthorized, which instructs the authentication SDK to perform authentication.
8. The SDK sends an HTTP request to the BSF; the request includes user identity data.
In one example, the user identity data may be an IP Multimedia Private Identity (IMPI).
9. The BSF sends a Multimedia-Auth-Request (MAR) to the Home Subscriber Server (HSS) and acquires the user's Authentication Vector (AV) and GBA User Security Settings (GUSS) from the HSS.
10. The HSS sends the user's AV and GUSS to the BSF.
At the same time, the Public-Identity field carries the user's mobile phone number.
11. The BSF sends 401 to the UE, carrying the parameters needed for authentication based on Authentication and Key Agreement (AKA).
The related parameters may include at least one of the random number (RAND) and the authentication token (AUTN).
12. The authentication SDK calls the Android native interface getIccAuthentication to perform AKA authentication.
13. The authentication SDK receives the authentication result information after AKA authentication is completed.
The authentication result information includes at least one of: the encryption key (CK), the integrity key (IK) and the response (RES).
14. The authentication SDK extracts RES, IK and CK from the authentication result information and generates the key material Ks.
15. The SDK sends an HTTP GET message to the BSF, carrying RES in the Authorization header field.
16. The BSF checks the RES carried by the terminal, generates a Bootstrapping Transaction Identifier (B-TID) after the check passes, and stores the B-TID, IMPI, CK, IK, GUSS, Ks and related information.
17. The BSF sends 200 OK to the authentication SDK, carrying the B-TID and the lifetime of Ks.
18. The authentication SDK of the terminal generates Ks_NAF from Ks, RAND, IMPI and the NAF identifier.
19. The authentication SDK sends the B-TID, Ks_NAF, the session identifier and the URL to the NAF.
20. The NAF obtains the domain name of the BSF accessed by the UE from the B-TID and sends a Bootstrapping-Info-Request (BIR) message to the BSF to obtain the Ks_NAF of the user identified by the B-TID.
The BIR request comprises the B-TID and the NAF identifier.
21. The BSF finds the user's IP Multimedia Private Identity (IMPI) and IP Multimedia Public Identity (IMPU) by looking up the B-TID, and computes Ks_NAF.
22. The BSF sends a Bootstrapping-Info-Answer (BIA) message to the NAF containing the IMPI, IMPU, Ks_NAF and other fields.
23. The NAF computes the response using the B-TID and the Ks_NAF in the BIA message, compares it with the response value in the Authorization header field of the SDK request of step 19, and passes authentication if they match. After authentication passes, the NAF performs service processing and generates a token.
24. The NAF extracts the user's mobile phone number from the IMPU field of the BIA message of step 22, uses the URL parameter of step 6 to access the application server and report the authentication result, carrying the session identifier and the user's mobile phone number (MSISDN).
ISDN is the Integrated Services Digital Network.
The PSTN is the Public Switched Telephone Network.
25. The application server returns OK.
26. The NAF replies with a 200 OK message carrying the Authentication-Info header field and the authentication token, and sends it to the SDK.
27. The SDK sends the authentication-passed result to the application client.
28. The application client accesses the application server to initiate a service, and each access needs to carry the session identifier.
The application server needs to check the session identifier of each access, verify whether the session identifier is in the validity period and whether the authentication is completed, and acquire the user identity information sent by the authentication platform through the session identifier.
The method provided by the embodiment of the invention performs authentication through the authentication SDK and the authentication platform to generate the authentication token, and stores the token in the authentication SDK. When the user logs in again, if the user's mobile phone number has not changed and the authentication token is within its validity period, the user can log in to the application and access the service after only a validity check of the authentication token, without going through the authentication process again. Information such as the authentication token is kept from being intercepted in transit, so security is ensured, the authentication process is reduced and the efficiency with which the user accesses the service through the application client is improved.
The method shown in fig. 5 is one example of how the authentication SDK acquires the authentication token in the embodiment of the present invention; the authentication SDK may also acquire the authentication token in other ways, which are not described here again.
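Steps 14, 18, 21 and 23 of the fig. 5 flow (Ks_NAF derivation on the UE and BSF sides, and the NAF's response check), as an added Python example that is not the patent's or 3GPP's code: it follows the 3GPP TS 33.220 Annex B key derivation and HTTP Digest with the B-TID as username and base64(Ks_NAF) as password; the CK, IK, RAND, IMPI, NAF FQDN, Ua protocol identifier bytes and nonces are constructed sample values.

```python
import base64
import hashlib
import hmac
import struct


def gba_kdf(key: bytes, *params: bytes) -> bytes:
    """TS 33.220 Annex B KDF: HMAC-SHA-256(key, FC || P0 || L0 || P1 || L1 ...),
    FC = 0x01 and each Li the 2-byte big-endian length of Pi."""
    s = b"\x01"
    for p in params:
        s += p + struct.pack(">H", len(p))
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_ks_naf(ck: bytes, ik: bytes, rand: bytes, impi: str, naf_id: bytes) -> bytes:
    """Ks = CK || IK (step 14); Ks_NAF = KDF(Ks, "gba-me", RAND, IMPI, NAF_Id) (steps 18/21)."""
    return gba_kdf(ck + ik, b"gba-me", rand, impi.encode("utf-8"), naf_id)


def _md5(*parts: str) -> str:
    return hashlib.md5(":".join(parts).encode("utf-8")).hexdigest()


def digest_response(btid: str, ks_naf: bytes, realm: str, nonce: str, cnonce: str,
                    nc: str, method: str, uri: str, qop: str = "auth") -> str:
    """RFC 2617 Digest (qop=auth) with username = B-TID and password = base64(Ks_NAF),
    computed the same way by the SDK (step 19) and by the NAF (step 23)."""
    ha1 = _md5(btid, realm, base64.b64encode(ks_naf).decode("ascii"))
    ha2 = _md5(method, uri)
    return _md5(ha1, nonce, nc, cnonce, qop, ha2)


def naf_verify(auth: dict, ks_naf_from_bia: bytes, realm: str, method: str) -> bool:
    """Step 23: recompute the response from the BIA's Ks_NAF and compare in constant time."""
    expected = digest_response(auth["username"], ks_naf_from_bia, realm, auth["nonce"],
                               auth["cnonce"], auth["nc"], method, auth["uri"])
    return hmac.compare_digest(expected, auth["response"])


def demo() -> dict:
    # Constructed sample values; in a real run CK, IK and RAND come from the AKA exchange.
    ck, ik, rand = bytes(range(16)), bytes(range(16, 32)), bytes(range(32, 48))
    impi = "460001234567890@ims.mnc000.mcc460.3gppnetwork.org"
    naf_id = b"naf.example.com" + b"\x01\x00\x00\x00\x02"  # FQDN || Ua protocol id (assumed)
    # UE side (step 18) and BSF side (step 21) derive from the same stored material.
    ks_naf_ue = derive_ks_naf(ck, ik, rand, impi, naf_id)
    ks_naf_bsf = derive_ks_naf(ck, ik, rand, impi, naf_id)
    btid, realm, uri = "c29tZXJhbmQ=@bsf.example.com", "naf.example.com", "/auth"
    nonce, cnonce, nc = "6f1b3d5a", "a4c2e8", "00000001"
    # Step 19: the SDK's Authorization header proves possession of Ks_NAF.
    auth = {"username": btid, "nonce": nonce, "cnonce": cnonce, "nc": nc, "uri": uri,
            "response": digest_response(btid, ks_naf_ue, realm, nonce, cnonce, nc, "GET", uri)}
    # Step 23: the NAF uses the Ks_NAF returned in the BIA; any other key must be rejected.
    wrong_key = derive_ks_naf(ck, ik, bytes(16), impi, naf_id)
    return {"ue_equals_bsf": ks_naf_ue == ks_naf_bsf,
            "naf_accepts": naf_verify(auth, ks_naf_bsf, realm, "GET"),
            "naf_rejects_wrong_key": not naf_verify(auth, wrong_key, realm, "GET")}


if __name__ == "__main__":
    print(demo())
```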
As shown in fig. 6, the service access apparatus 600 includes an application client module 610, an application server module 620, an authentication SDK module 630, and an authentication platform module 640.
An application client module 610, configured to send a first service access request to the application server module, where the first service access request includes a first session identifier; further configured to receive a second session identifier sent by the application server module when the first session identifier fails; further configured to send a first login request to the authentication SDK module, where the first login request includes the second session identifier; further configured to receive a first login result sent by the authentication SDK module when the authentication token is valid, where the first login result includes login success; and further configured to send a second service access request to the application server module, where the second service access request includes the second session identifier, so as to perform service access with the application server module.
The application server module 620 is configured to verify the first session identifier and send a second session identifier to the application client module when the first session identifier fails; further configured to receive the second service access request sent by the application client module; and further configured to accept service access from the application client module.
The authentication SDK module 630 is configured to receive the first login request sent by the application client module, determine, according to the second session identifier, the authentication token corresponding to the second session identifier, and verify the validity of the authentication token through the authentication platform module; and further configured to send the first login result to the application client module when the authentication token is valid.
The authentication platform module 640 is configured to verify the validity of the authentication token.
In the service access apparatus provided by the embodiment of the invention, the application client module sends the login request information to the authentication SDK module according to the valid second session identifier; the authentication SDK module determines the authentication token corresponding to the second session identifier from the login request information and verifies its validity through the authentication platform module; when the authentication token is valid, the application client module logs in successfully and can access the service on the application server. The authentication process is reduced, and the efficiency with which the user accesses the service of the application client through the terminal is therefore improved.
In an embodiment provided by the present invention, the application client module 610 is further configured to send a session application request to the application server module; further configured to receive the first session identifier sent by the application server module; and further configured to send a second login request to the authentication SDK module, where the second login request includes the first session identifier;
the application server module 620 is further configured to receive the session application request sent by the application client module, and further configured to send the first session identifier to the application client module according to the session application request.
The authentication SDK module 630 is further configured to authenticate with the authentication platform module according to the first session identifier and acquire the authentication token.
The authentication platform module 640 is further configured to send the authentication token to the authentication SDK module when the authentication succeeds.
In the service access apparatus provided by the embodiment of the invention, the application server module sends the first session identifier to the application client module according to the session application request sent by the application client module; the authentication SDK module receives the second login request sent by the application client module and starts authentication; and the authentication platform module generates the authentication token after the authentication passes. The application client module does not need to authenticate again before accessing the service on the application server module; only the validity of the authentication token is verified, so the authentication process is reduced and the efficiency with which the user accesses the service of the application client through the terminal is improved.
The device for service access provided in the embodiment of the present invention executes each step in the method shown in fig. 2, and can achieve the technical effects of reducing authentication processes and improving the efficiency of service access performed by a user using an application client, which is not described in detail herein for brevity.
Fig. 7 is a schematic diagram illustrating a hardware structure of an electronic device according to an embodiment of the present invention.
The electronic device may include a processor 701 and a memory 702 in which computer program instructions are stored.
Specifically, the processor 701 may include a Central Processing Unit (CPU), or an Application Specific Integrated Circuit (ASIC), or may be configured as one or more Integrated circuits implementing an embodiment of the present invention.
Memory 702 may include mass storage for data or instructions. By way of example, and not limitation, memory 702 may include a hard disk drive (HDD), a floppy disk drive, flash memory, an optical disk, a magneto-optical disk, tape, a Universal Serial Bus (USB) drive, or a combination of two or more of these. Memory 702 may include removable or non-removable (or fixed) media, where appropriate. The memory 702 may be internal or external to the integrated gateway disaster recovery device, where appropriate. In a particular embodiment, the memory 702 is non-volatile solid-state memory. In a particular embodiment, the memory 702 includes read-only memory (ROM). Where appropriate, the ROM may be mask-programmed ROM, programmable ROM (PROM), erasable PROM (EPROM), electrically erasable PROM (EEPROM), electrically alterable ROM (EAROM), flash memory, or a combination of two or more of these.
The processor 701 implements the method of service access in any of the embodiments shown in fig. 2, 3 and 5 by reading and executing computer program instructions stored in the memory 702.
In one example, the electronic device may also include a communication interface 703 and a bus 710. As shown in fig. 7, the processor 701, the memory 702, and the communication interface 703 are connected via a bus 710 to perform communication with each other.
The communication interface 703 is mainly used for implementing communication between modules, apparatuses, units and/or devices in the embodiment of the present invention.
Bus 710 includes hardware, software, or both to couple the components of the electronic device to each other. By way of example, and not limitation, a bus may include an Accelerated Graphics Port (AGP) or other graphics bus, an Enhanced Industry Standard Architecture (EISA) bus, a Front Side Bus (FSB), a HyperTransport (HT) interconnect, an Industry Standard Architecture (ISA) bus, an InfiniBand interconnect, a Low Pin Count (LPC) bus, a memory bus, a Micro Channel Architecture (MCA) bus, a Peripheral Component Interconnect (PCI) bus, a PCI-Express (PCI-X) bus, a Serial Advanced Technology Attachment (SATA) bus, a Video Electronics Standards Association Local (VLB) bus, another suitable bus, or a combination of two or more of these. Bus 710 may include one or more buses, where appropriate. Although specific buses have been described and shown in the embodiments of the invention, any suitable buses or interconnects are contemplated by the invention.
The electronic device may execute the method for service access in the embodiment of the present invention, so as to implement the method for service access described in conjunction with fig. 1.
In addition, in combination with the service access method in the foregoing embodiment, the embodiment of the present invention may provide a computer storage medium to implement. The computer storage medium having computer program instructions stored thereon; the computer program instructions, when executed by a processor, implement a method of service access as in any of the above embodiments.
It is to be understood that the invention is not limited to the specific arrangements and instrumentality described above and shown in the drawings. A detailed description of known methods is omitted herein for the sake of brevity. In the above embodiments, several specific steps are described and shown as examples. However, the method processes of the present invention are not limited to the specific steps described and illustrated, and those skilled in the art can make various changes, modifications and additions or change the order between the steps after comprehending the spirit of the present invention.
The functional blocks shown in the above-described structural block diagrams may be implemented as hardware, software, firmware, or a combination thereof. When implemented in hardware, it may be, for example, an electronic circuit, an Application Specific Integrated Circuit (ASIC), suitable firmware, plug-in, function card, or the like. When implemented in software, the elements of the invention are the programs or code segments used to perform the required tasks. The program or code segments may be stored in a machine-readable medium or transmitted by a data signal carried in a carrier wave over a transmission medium or a communication link. A "machine-readable medium" may include any medium that can store or transfer information. Examples of a machine-readable medium include electronic circuits, semiconductor memory devices, ROM, flash memory, Erasable ROM (EROM), floppy disks, CD-ROMs, optical disks, hard disks, fiber optic media, Radio Frequency (RF) links, and so forth. The code segments may be downloaded via computer networks such as the internet, intranet, etc.
It should also be noted that the exemplary embodiments mentioned in this patent describe some methods or systems based on a series of steps or devices. However, the present invention is not limited to the order of the above steps, that is, the steps may be performed in the order mentioned in the embodiments, may be performed in an order different from the order in the embodiments, or may be performed at the same time.
As described above, only the specific embodiments of the present invention are provided, and it can be clearly understood by those skilled in the art that, for convenience and simplicity of description, the specific working processes of the system, the module and the unit described above may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again. It should be understood that the scope of the present invention is not limited thereto, and any person skilled in the art can easily conceive various equivalent modifications or substitutions within the technical scope of the present invention, and these modifications or substitutions should be covered within the scope of the present invention.

Claims (10)

1. A method for service access, the method comprising:
sending a first service access request to an application server, wherein the first service access request comprises a first session identifier, the first session identifier being verified by the application server, and when the first session identifier fails, a second session identifier is sent to an application client;
sending a first login request to an authentication Software Development Kit (SDK), wherein the first login request comprises the second session identifier, which the authentication SDK uses to determine the authentication token corresponding to the second session identifier and to verify the validity of the authentication token through an authentication platform;
when the authentication token is valid, receiving a first login result sent by the authentication SDK, wherein the first login result comprises login success;
and sending a second service access request to the application server, wherein the second service access request comprises the second session identifier and is used for service access between the application client and the application server.
2. The method of claim 1, further comprising:
sending a request for applying for a session to the application server;
receiving the first session identifier sent by the application server according to the application session request;
and sending a second login request to the authentication SDK, wherein the second login request comprises the first session identifier, so that the authentication SDK authenticates with the authentication platform according to the first session identifier and acquires the authentication token.
3. The method according to claim 1 or 2, wherein the first login request and the second login request each further comprise at least one of the following information: an application server identifier, an application client key.
4. A method for service access, the method comprising:
receiving a first login request sent by an application client, wherein the first login request comprises a second session identifier;
determining an authentication token corresponding to the second session identifier according to the second session identifier, and verifying the validity of the authentication token through an authentication platform;
and when the authentication token is valid, sending a first login result to the application client, wherein the first login result comprises login success, so that the application client and the application server can perform service access.
5. The method of claim 4, further comprising:
acquiring user identity data, and sending the user identity data to an authentication platform for the authentication platform to authenticate the user identity data, wherein the authentication platform generates the authentication token when the authentication passes;
receiving the authentication token sent by the authentication platform;
storing the first session identification in association with the authentication token.
6. An apparatus for service access, the apparatus comprising:
the application client module is configured to send a first service access request to the application server module, wherein the first service access request comprises a first session identifier; further configured to receive a second session identifier sent by the application server module when the first session identifier fails; further configured to send a first login request to an authentication SDK module, wherein the first login request comprises the second session identifier; further configured to receive a first login result sent by the authentication SDK module when the authentication token is valid, wherein the first login result comprises login success; and further configured to send a second service access request to the application server module, wherein the second service access request comprises the second session identifier and is used for performing service access with the application server module;
the application server module is configured to verify the first session identifier and send a second session identifier to the application client module when the first session identifier fails; further configured to receive the second service access request sent by the application client module; and further configured to accept service access from the application client module;
the authentication SDK module is configured to receive the first login request sent by the application client module, determine the authentication token corresponding to the second session identifier according to the second session identifier, and verify the validity of the authentication token through an authentication platform module; and further configured to send the first login result to the application client module when the authentication token is valid;
and the authentication platform module is used for verifying the validity of the authentication token.
7. The apparatus of claim 6, wherein the application client module is further configured to send a session application request to the application server module; further configured to receive the first session identifier sent by the application server module; and further configured to send a second login request to the authentication SDK module, wherein the second login request comprises the first session identifier;
the application server module is further configured to receive the session application request sent by the application client module, and further configured to send the first session identifier to the application client module according to the session application request;
the authentication SDK module is further configured to authenticate with the authentication platform module according to the first session identifier and acquire the authentication token;
the authentication platform module is further configured to send the authentication token to the authentication SDK module when the authentication is successful.
8. An electronic device, characterized in that the device comprises: a processor and a memory storing computer program instructions; the processor, when executing the computer program instructions, implements a method of service access as claimed in any of claims 1-5.
9. A system for service access, the system comprising:
the application client is configured to send a first service access request to the application server, where the first service access request includes a first session identifier; further configured to receive a second session identifier sent by the application server when the first session identifier fails; further configured to send a first login request to an authentication SDK, where the first login request includes the second session identifier; further configured to receive a first login result sent by the authentication SDK when the authentication token is valid, where the first login result includes login success; and further configured to send a second service access request to the application server, where the second service access request includes the second session identifier, for performing service access with the application server;
the application server is configured to verify the first session identifier and to send a second session identifier to the application client when the first session identifier fails; further configured to receive the second service access request sent by the application client; and further configured to receive the service access of the application client;
the authentication SDK is configured to receive the first login request sent by the application client, to determine an authentication token corresponding to the second session identifier according to the second session identifier, and to verify the validity of the authentication token through an authentication platform; and further configured to send the first login result to the application client when the authentication token is valid;
and the authentication platform is configured to verify the validity of the authentication token.
10. The system of claim 9, wherein the application client is further configured to send an application session request to the application server; further configured to receive the first session identifier sent by the application server; and further configured to send a second login request to the authentication SDK, where the second login request includes the first session identifier;
the application server is further configured to receive the application session request sent by the application client; and further configured to send the first session identifier to the application client according to the application session request;
the authentication SDK is further configured to authenticate with the authentication platform according to the first session identifier and to acquire the authentication token;
and the authentication platform is further configured to send the authentication token to the authentication SDK when the authentication is successful.
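The four roles in claims 6-7 and 9-10 (application client, application server, authentication SDK, authentication platform) exchange session identifiers and an authentication token in a fixed order: session request, initial login that obtains a token, service access, and, once a session identifier fails, a re-login through the SDK that checks the held token with the platform before the client retries with the new identifier. The simulation below is an added example written for this page; it is not code from the patent or its assignee. It assumes the SDK is embedded in the app and holds one token per installation (so "the token corresponding to the second session identifier" is the token that installation obtained at its initial login), and it models session failure as a constructed fixed number of uses per identifier. Class and method names, the credential check and the sample user are all constructed for the example.

```python
import secrets


class AuthPlatform:
    """Issues authentication tokens and answers validity checks (claims 6-7)."""

    def __init__(self, users):
        self._users = users            # constructed user store: name -> password
        self._valid_tokens = set()

    def authenticate(self, session_id, username, password):
        # Constructed credential check; the claims do not fix the method.
        if self._users.get(username) != password:
            return None
        token = secrets.token_urlsafe(32)
        self._valid_tokens.add(token)
        return token

    def verify_token(self, token):
        return token in self._valid_tokens

    def revoke(self, token):
        # Revocation makes a later re-login fail closed at the SDK.
        self._valid_tokens.discard(token)


class AuthSDK:
    """Embedded in the app; holds the token from the initial login and
    re-checks it with the platform whenever a new session identifier arrives."""

    def __init__(self, platform):
        self._platform = platform
        self._token = None
        self._sessions = set()         # session identifiers bound to the token

    def initial_login(self, session_id, username, password):
        """'Second login request' (claim 7): authenticate with the platform for
        the first session identifier and keep the returned token."""
        token = self._platform.authenticate(session_id, username, password)
        if token is None:
            return {"ok": False, "reason": "authentication failed"}
        self._token, self._sessions = token, {session_id}
        return {"ok": True}

    def relogin(self, session_id):
        """'First login request' (claim 6): find the token held for this app
        instance (assumption: one token per installation) and verify it."""
        if self._token is None or not self._platform.verify_token(self._token):
            self._token, self._sessions = None, set()
            return {"ok": False, "reason": "no valid token; full login required"}
        self._sessions.add(session_id)
        return {"ok": True}


class AppServer:
    """Issues session identifiers and verifies one on every service request."""

    def __init__(self, uses_per_session=2):
        self._uses = uses_per_session  # constructed expiry model: N uses per id
        self._sessions = {}            # session id -> remaining uses

    def apply_session(self):
        sid = secrets.token_urlsafe(16)
        self._sessions[sid] = self._uses
        return sid

    def expire(self, session_id):
        self._sessions.pop(session_id, None)

    def service_access(self, session_id, payload):
        remaining = self._sessions.get(session_id, 0)
        if remaining <= 0:
            # First session identifier failed: issue a second one (claim 6).
            self._sessions.pop(session_id, None)
            return {"status": "session_failed", "new_session_id": self.apply_session()}
        self._sessions[session_id] = remaining - 1
        return {"status": "ok", "data": f"served:{payload}"}


class AppClient:
    def __init__(self, server, sdk):
        self._server, self._sdk = server, sdk
        self.session_id = None

    def start(self, username, password):
        self.session_id = self._server.apply_session()       # claim 7 session request
        return self._sdk.initial_login(self.session_id, username, password)

    def access(self, payload):
        first = self._server.service_access(self.session_id, payload)
        if first["status"] != "session_failed":
            return first
        new_sid = first["new_session_id"]                     # second session identifier
        login = self._sdk.relogin(new_sid)                    # first login request
        if not login["ok"]:
            return {"status": "login_required", "reason": login["reason"]}
        self.session_id = new_sid
        return self._server.service_access(new_sid, payload)  # second service access


def run_demo():
    """Walk the flow once; returns the observed statuses so they can be checked."""
    platform = AuthPlatform({"alice": "correct horse"})
    server, sdk = AppServer(uses_per_session=2), AuthSDK(platform)
    client = AppClient(server, sdk)
    trace = [client.start("alice", "correct horse")["ok"]]
    trace += [client.access(f"r{i}")["status"] for i in range(1, 4)]
    platform.revoke(sdk._token)          # token withdrawn at the platform
    server.expire(client.session_id)     # and the live session identifier dropped
    trace.append(client.access("r4")["status"])
    return trace


if __name__ == "__main__":
    print(run_demo())
```

Two points worth noticing when reading the trace: the third request succeeds only because the SDK confirmed the held token with the platform before the client retried with the second identifier, and after the token is revoked the same path fails closed with a full login required rather than silently continuing. Note also that in the flow as claimed the application server accepts the second session identifier without itself learning the login result; the binding between that identifier and a verified token therefore rests on the SDK's check, which a deployment should make visible to the server (for example, by auditing re-login results) rather than trust implicitly.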
CN202011579037.6A 2020-12-28 2020-12-28 Method, device, equipment and system for service access Pending CN114697055A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011579037.6A CN114697055A (en) 2020-12-28 2020-12-28 Method, device, equipment and system for service access

Publications (1)

Publication Number Publication Date
CN114697055A true CN114697055A (en) 2022-07-01

Family

ID=82130916

Country Status (1)

Country Link
CN (1) CN114697055A (en)

Citations (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101742507A (en) * 2009-12-21 2010-06-16 中兴通讯股份有限公司 System and method for accessing Web application site for WAPI terminal
CN102316080A (en) * 2010-06-30 2012-01-11 百度在线网络技术(北京)有限公司 Function for supporting anonymous verification of central authentication service in same master domain
CN103685267A (en) * 2013-12-10 2014-03-26 小米科技有限责任公司 Data access method and device
CN104954331A (en) * 2014-03-27 2015-09-30 杭州迪普科技有限公司 Login authentication configuration device and method
CN105610810A (en) * 2015-12-23 2016-05-25 北京奇虎科技有限公司 Data processing method, client and servers
US20160286378A1 (en) * 2014-08-15 2016-09-29 Telefonakiebolaget L M Ericsson (Publ) Methods and Nodes for Mapping Subscription to Service User Identity
CN106612180A (en) * 2015-10-26 2017-05-03 阿里巴巴集团控股有限公司 Method and device for realizing session identifier synchronization
WO2017210914A1 (en) * 2016-06-08 2017-12-14 华为技术有限公司 Method and apparatus for transmitting information
CN108011717A (en) * 2016-11-11 2018-05-08 北京车和家信息技术有限责任公司 A kind of method, apparatus and system for asking user data
CN109547458A (en) * 2018-12-10 2019-03-29 平安科技(深圳)有限公司 Login validation method, device, computer equipment and storage medium
CN110781482A (en) * 2019-10-12 2020-02-11 广州酷旅旅行社有限公司 Login method, login device, computer equipment and storage medium
US20200099675A1 (en) * 2018-09-21 2020-03-26 Microsoft Technology Licensing, Llc Nonce handler for single sign on authentication in reverse proxy solutions
WO2020155492A1 (en) * 2019-01-31 2020-08-06 平安科技(深圳)有限公司 Device id-based login state sharing method and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination