CN116232604A - Authentication method, device, electronic equipment and storage medium - Google Patents

Publication number: CN116232604A
Application number: CN202310092261.XA
Authority: CN (China)
Legal status: Pending
Original language: Chinese (zh)
Inventors: 星存田, 胡二洋, 缪利道, 韩笑, 王丽君, 周明骏
Original and current assignee: Shanghai Sensetime Technology Development Co Ltd

Classifications

    • H04L9/3213 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, involving a third party or a trusted authority, using tickets or tokens, e.g. Kerberos
    • H04L63/0807 Network architectures or network communication protocols for network security, for authentication of entities using tickets, e.g. Kerberos
Abstract

The disclosure provides an authentication method, an authentication apparatus, an electronic device and a storage medium. The authentication method is applied to a server and comprises: in response to a business service request initiated by a client, acquiring the access token carried by the business service request; authenticating the business service request on the basis of the access token by using a first plug-in contained in the gateway of the server, so as to obtain an authentication result, where the plug-in parameters of the first plug-in comprise the authority information of the service interface corresponding to the business service request; and, when the authentication result indicates that authentication has passed, acquiring the request result corresponding to the business service request by means of that service interface.

Description

Authentication method, device, electronic equipment and storage medium
Technical Field
The disclosure relates to the field of computer technology, and in particular to an authentication method, an authentication apparatus, an electronic device and a storage medium.
Background
A cloud platform serves as a unified management platform for resource services and provides computing, network and storage capacity on the basis of hardware and software resources. To ensure the security and confidentiality of access to those services, a secure access authentication system and an authorization system generally have to be established while the cloud platform is developed, so that an authorized entity can access a service only within its authority and unauthorized access is rejected.
Typically, the authority information of a business service request is entered manually into a preset authority system and bound to the corresponding user; when the user then initiates a business service request, the authority system authenticates the user's identity and checks the authority of the request. This approach is complex, and every business service component has to intercept business service requests to perform authentication and authorization itself, which intrudes into business code and lowers the efficiency of business service development.
Disclosure of Invention
In view of this, the present disclosure provides at least an authentication method, an apparatus, an electronic device, and a storage medium.
In a first aspect, the present disclosure provides an authentication method applied to a server, comprising:
in response to a business service request initiated by a client, acquiring the access token carried by the business service request;
authenticating the business service request on the basis of the access token by using a first plug-in contained in the gateway of the server, to obtain an authentication result, where the plug-in parameters of the first plug-in comprise the authority information of the service interface corresponding to the business service request; and
when the authentication result indicates that authentication has passed, acquiring the request result corresponding to the business service request by means of the service interface corresponding to the business service request.
In this method, after the client initiates a business service request, the server obtains the access token carried by that request. Because the plug-in parameters of the first plug-in in the server's gateway contain the authority information of the service interface corresponding to the request, and the authority held by the client can be determined from the access token, the first plug-in in the gateway can authenticate the request automatically on the basis of the token and produce an authentication result. When that result indicates a pass, the service interface corresponding to the request is used to obtain the request result, so the request result is only obtained through the service interface after a successful check, which improves the security of obtaining it. No dedicated business service component has to be written, and no business service component of the server has to intercept requests for authentication, so authentication is decoupled from business logic.
At the same time, because plug-ins are cheaper to develop and maintain and their state can be controlled according to the needs of the business service (for example, a plug-in can be enabled or disabled), the technical complexity of authenticating business service requests is reduced, the workload and difficulty of connecting sub-products that carry business service functions to the server are reduced, and development efficiency is improved.
In a possible implementation, authenticating the business service request on the basis of the access token by using the first plug-in contained in the gateway of the server to obtain an authentication result comprises:
acquiring the identification information of the client from the access token; and
authenticating the business service request by using the first plug-in contained in the gateway of the server on the basis of the identification information of the client and the authority information, contained in the first plug-in, of the service interface corresponding to the business service request, to obtain the authentication result.
Since the plug-in parameters of the first plug-in in the gateway include the authority information of the service interface corresponding to the business service request, when the request reaches the gateway the first plug-in can authenticate it on the basis of the client identification obtained from the access token and that authority information. No business service component of the server has to intercept the request before it is authenticated, so authentication is decoupled from business logic and the efficiency of request authentication is improved.
Because the gateway performs the automatic authentication of business service requests through the first plug-in, sub-products that carry business service functions do not need to concern themselves with authentication data during development, and the state of the first plug-in can be changed at any time according to the needs of the business service; the workload and difficulty of connecting such sub-products to the server are therefore reduced and development efficiency is improved.
In a possible implementation, authenticating the business service request by using the first plug-in contained in the gateway of the server on the basis of the identification information of the client and the authority information, contained in the first plug-in, of the service interface corresponding to the business service request, to obtain an authentication result comprises:
using the first plug-in contained in the gateway of the server to acquire the preset authority information of the client on the basis of the identification information of the client, and determining whether the preset authority information matches the authority information of the service interface; and
if so, generating an authentication result indicating that authentication has passed.
Because the plug-in parameters of the first plug-in in the gateway contain the authority information of the service interface corresponding to the business service request, the first plug-in can obtain the client's preset authority information from the client identification, determine whether it matches the authority information of the service interface and, if so, generate an authentication result indicating a pass. The authentication result therefore states whether the client is entitled to request the business service through the service interface corresponding to the request.
In a possible implementation, after acquiring the access token carried by the business service request, the method further comprises:
verifying the access token by using a second plug-in contained in the gateway of the server, to obtain a token verification result;
and authenticating the business service request on the basis of the access token by using the first plug-in contained in the gateway of the server to obtain an authentication result comprises:
when the token verification result indicates that verification has passed, authenticating the business service request on the basis of the access token by using the first plug-in contained in the gateway of the server, to obtain the authentication result.
After the access token carried by the business service request has been acquired, it must first be established that the client's user information is legitimate and still valid; the access token is therefore verified by the second plug-in contained in the gateway of the server and a token verification result is obtained. The validity and authenticity of the token are judged from that result, which guarantees that the subsequent authentication performed with the access token rests on a valid token.
In a possible implementation, the generation of the first plug-in comprises:
acquiring the interface information corresponding to at least one service interface, the interface information including definition information and authority information;
generating a permission file on the basis of the interface information corresponding to the at least one service interface by using a third plug-in in the server; and
taking the content of the permission file as the plug-in parameters of an initialization plug-in, to generate the first plug-in.
In a possible implementation, the definition information includes first definition information describing the request mode of the service interface and/or second definition information describing the request parameters of the service interface;
and the authority information includes first authority information describing the operation semantics of a resource object under the service corresponding to the service interface, and second authority information controlling the scope within which the first authority information takes effect.
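The generation of the first plug-in from interface information, as an added Python example that is not code from the patent or from the assignee's product. It takes interface definitions (request mode and parameters as the definition information; an action on a resource object and the scope it applies to as the two kinds of authority information), has a stand-in for the third plug-in emit a permission file, and then uses the file content as the parameters of the first plug-in. The dataclass fields, the JSON layout of the permission file, the "resource:verb" action syntax and the sample interfaces are all assumptions standing in for Figs. 2a to 2c, which the page does not reproduce; the lookup deliberately returns nothing for an interface that is absent from the file, so that such requests are rejected rather than passed through.

```python
import json
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional

# Assumed action syntax: "<resource>:<verb>", e.g. "model:read" (the page does not fix one).
ACTION_RE = re.compile(r"^[a-z][a-z0-9_]*:[a-z][a-z0-9_]*$")


@dataclass
class InterfaceInfo:
    """Interface information of one service interface (field names are hypothetical)."""
    method: str                                           # first definition information: request mode
    path: str                                             # first definition information: request path
    params: Dict[str, str] = field(default_factory=dict)  # second definition information: request parameters
    action: str = ""                                      # first authority information: operation on the resource object
    scope: str = "global"                                 # second authority information: where the action takes effect


def build_permission_file(interfaces: Iterable[InterfaceInfo]) -> str:
    """Stand-in for the third plug-in: derive the permission file (assumed JSON) from the interface information."""
    entries = {}
    for itf in interfaces:
        key = f"{itf.method.upper()} {itf.path}"
        if not ACTION_RE.match(itf.action):
            raise ValueError(f"{key}: missing or malformed action {itf.action!r}")
        if key in entries:
            raise ValueError(f"{key}: interface defined twice")
        entries[key] = {"action": itf.action, "scope": itf.scope, "params": sorted(itf.params)}
    return json.dumps({"version": 1, "interfaces": entries}, indent=2, sort_keys=True)


def init_first_plugin(permission_file: str) -> dict:
    """Use the file content as the plug-in parameters of the first plug-in, validating it first."""
    doc = json.loads(permission_file)
    if doc.get("version") != 1 or not isinstance(doc.get("interfaces"), dict):
        raise ValueError("unsupported permission file")
    for key, entry in doc["interfaces"].items():
        if not ACTION_RE.match(entry.get("action", "")) or not entry.get("scope"):
            raise ValueError(f"{key}: invalid permission entry")
    return {"name": "first_plugin", "enabled": True, "rules": doc["interfaces"]}


def required_permission(plugin: dict, method: str, path: str) -> Optional[dict]:
    """Authority information the first plug-in enforces for a request; None means the interface is unknown."""
    return plugin["rules"].get(f"{method.upper()} {path}")


# Constructed interface definitions standing in for Fig. 2a.
SAMPLE_INTERFACES = [
    InterfaceInfo("GET", "/api/v1/models/{id}", {"id": "string"}, action="model:read", scope="project"),
    InterfaceInfo("POST", "/api/v1/models", {"name": "string", "file": "binary"}, action="model:create", scope="project"),
    InterfaceInfo("DELETE", "/api/v1/users/{id}", {"id": "string"}, action="user:delete", scope="global"),
]

if __name__ == "__main__":
    print(json.dumps(init_first_plugin(build_permission_file(SAMPLE_INTERFACES)), indent=2))
```

Validation happens twice on purpose: once when the file is written, and again when it is loaded as plug-in parameters, so a permission file edited by hand between the two steps cannot silently grant an interface with no action or scope.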
In a second aspect, the present disclosure provides an authentication method applied to a client, comprising:
initiating to a server a business service request carrying an access token, so that the server authenticates the business service request on the basis of the access token by using a first plug-in contained in the gateway of the server to obtain an authentication result, where the plug-in parameters of the first plug-in comprise the authority information of the service interface corresponding to the business service request, and, when the authentication result indicates that authentication has passed, acquires the request result corresponding to the business service request by means of the service interface corresponding to the business service request; and
receiving the request result corresponding to the business service request.
Here the client initiates a business service request carrying an access token to the server; the server authenticates the request on the basis of the access token by using the first plug-in contained in its gateway, and when the authentication result indicates a pass it obtains the request result through the service interface corresponding to the request. The client therefore receives the request result quickly, which improves the efficiency of client requests.
The effects of the apparatus, the electronic device and the storage medium described below follow from the description of the method above and are not repeated here.
In a third aspect, the present disclosure provides an authentication apparatus applied to a server, comprising:
a first acquisition module configured to respond to a business service request initiated by a client and acquire the access token carried by the business service request;
an authentication module configured to authenticate the business service request on the basis of the access token by using a first plug-in contained in the gateway of the server to obtain an authentication result, where the plug-in parameters of the first plug-in comprise the authority information of the service interface corresponding to the business service request; and
a second acquisition module configured to acquire, when the authentication result indicates that authentication has passed, the request result corresponding to the business service request by means of the service interface corresponding to the business service request.
In a fourth aspect, the present disclosure provides an authentication apparatus applied to a client, comprising:
a request module configured to initiate to a server a business service request carrying an access token, so that the server authenticates the business service request on the basis of the access token by using a first plug-in contained in the gateway of the server to obtain an authentication result, where the plug-in parameters of the first plug-in comprise the authority information of the service interface corresponding to the business service request, and, when the authentication result indicates that authentication has passed, acquires the request result corresponding to the business service request by means of the service interface corresponding to the business service request; and
a receiving module configured to receive the request result corresponding to the business service request.
In a fifth aspect, the present disclosure provides an electronic device comprising a processor, a memory and a bus, the memory storing machine-readable instructions executable by the processor; when the electronic device runs, the processor and the memory communicate over the bus, and the machine-readable instructions, when executed by the processor, perform the steps of the authentication method of the first aspect or any implementation thereof, or of the second aspect.
In a sixth aspect, the present disclosure provides a computer-readable storage medium storing a computer program which, when executed by a processor, performs the steps of the authentication method of the first aspect or any implementation thereof, or of the second aspect.
The foregoing objects, features and advantages of the disclosure will be more readily apparent from the following detailed description of the preferred embodiments taken in conjunction with the accompanying drawings.
Drawings
To illustrate the technical solutions of the embodiments more clearly, the drawings needed for the embodiments are briefly described below. They are incorporated in and form part of the specification, show embodiments consistent with the present disclosure and, together with the description, serve to explain its technical solutions. The drawings illustrate only certain embodiments and are not to be considered limiting of its scope; a person of ordinary skill in the art could derive other relevant drawings from them without inventive effort.
Fig. 1 shows a flowchart of an authentication method applied to a server according to an embodiment of the present disclosure;
Fig. 2a is a schematic diagram illustrating the definition of interface information in an authentication method according to an embodiment of the present disclosure;
Fig. 2b is a schematic diagram of a permission file in an authentication method according to an embodiment of the present disclosure;
Fig. 2c is a schematic diagram of the code of a first plug-in in an authentication method according to an embodiment of the present disclosure;
Fig. 3 is a schematic flowchart of an authentication method applied to a client according to an embodiment of the present disclosure;
Fig. 4 is a schematic diagram illustrating the authentication and authorization flow in an authentication method according to an embodiment of the present disclosure;
Fig. 5 is a schematic architecture diagram of an authentication apparatus applied to a server according to an embodiment of the present disclosure;
Fig. 6 is a schematic architecture diagram of an authentication apparatus applied to a client according to an embodiment of the present disclosure;
Fig. 7 is a schematic structural diagram of an electronic device according to an embodiment of the present disclosure.
Detailed Description
For the purposes of making the objects, technical solutions and advantages of the embodiments of the present disclosure more apparent, the technical solutions of the embodiments of the present disclosure will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present disclosure, and it is apparent that the described embodiments are only some embodiments of the present disclosure, not all embodiments. The components of the embodiments of the present disclosure, which are generally described and illustrated in the figures herein, may be arranged and designed in a wide variety of different configurations. Thus, the following detailed description of the embodiments of the present disclosure provided in the accompanying drawings is not intended to limit the scope of the disclosure, as claimed, but is merely representative of selected embodiments of the disclosure. All other embodiments, which can be made by those skilled in the art based on the embodiments of this disclosure without making any inventive effort, are intended to be within the scope of this disclosure.
To alleviate the problems described in the Background above, embodiments of the present disclosure provide an authentication method, an apparatus, an electronic device and a storage medium.
It should be noted that: like reference numerals and letters denote like items in the following figures, and thus once an item is defined in one figure, no further definition or explanation thereof is necessary in the following figures.
For ease of understanding, the authentication method disclosed in the embodiments of the present disclosure is described in detail first. The execution subject of the method is generally a computer device with a certain computing capability, for example a terminal device, a server or another processing device. In some implementations the method may be carried out by a processor invoking computer-readable instructions stored in a memory.
The authentication method provided by the embodiments can be applied to large and complex cloud platform scenarios, for example an artificial intelligence (AI) cloud management platform. The method is described below in more detail with the server as the executing entity.
Referring to Fig. 1, the flow of the authentication method provided by an embodiment of the present disclosure comprises steps S101 to S103:
S101: in response to a business service request initiated by a client, acquire the access token carried by the business service request.
S102: authenticate the business service request on the basis of the access token by using a first plug-in contained in the gateway of the server, to obtain an authentication result; the plug-in parameters of the first plug-in comprise the authority information of the service interface corresponding to the business service request.
S103: when the authentication result indicates that authentication has passed, acquire the request result corresponding to the business service request by means of the service interface corresponding to the business service request.
Steps S101 to S103 are described in more detail below.
For S101:
In implementation, the user first performs a login operation; the server responds to the login triggered by the client, generates an access token and sends it to the client. If the client later initiates a business service request to the server, that request carries the access token.
The server generates the access token as follows. A user logs in from the client; in response, the server obtains the user's identification information, namely the user name and password entered by the user, and verifies it against preset verification conditions to obtain a verification result. The verification conditions may include, for example: the user name may contain at least one of digits, letters and Chinese characters; the user name may not contain symbols; the password may contain at least one of digits, letters and symbols. If verification passes, an access token is generated on the basis of the identification information and sent to the client, which carries it in subsequent business service requests. The access token may contain the identification information of the client (that is, a unique string identifying the user or user group), the expiry time of the access token and other data.
In implementation, if a business service request initiated by a client does not carry an access token, that is, the server does not obtain an access token from the request, the request is rejected directly.
For S102:
when the method is implemented, after the access token carried by the business service request is acquired, the access token can contain identification information of the user side. Therefore, the authority information owned by the user side can be obtained according to the identification information of the user side in the access token; meanwhile, since the plug-in parameters of the first plug-in the gateway of the service end contain the authority information of the service interface corresponding to the service request, whether the authority information of the user end and the authority information of the service interface corresponding to the service request are matched or not can be determined, and the service request can be authenticated by the first plug-in based on the access token, so that an authentication result is obtained.
In the implementation, after the service end obtains the access token carried by the business service request, the service end can also authenticate the access token.
Specifically, after the access token carried by the business service request is obtained, the method further comprises the following steps: and authenticating the access token by using a second plug-in unit contained in the gateway of the server to obtain an authentication result.
The business service request is authenticated based on the access token by using a first plug-in unit contained in the gateway of the service end, and an authentication result is obtained, wherein the authentication result comprises the following steps: and under the condition that the authentication result indicates that the authentication passes, the business service request is authenticated based on the access token by using a first plug-in unit contained in the gateway of the server to obtain an authentication result.
The access token is a character string whose format consists of header information, valid information (the payload) and signature information. In implementation, the authentication flow can be chosen according to the specific development situation of the server side. In one mode, when a reference access token is stored in the database of the server, the second plug-in contained in the gateway of the server can be used to determine whether a reference access token consistent with the received access token is stored in that database; if so, an authentication result indicating that authentication passes is generated, and if not, an authentication result indicating authentication failure is generated. Here, the second plug-in may be configured according to the actual development situation; for example, it may be an OpenID Connect plug-in.
In another mode, when the database of the server does not store a reference access token (that is, the server keeps no reference token), the second plug-in unit contained in the gateway of the server can be used to obtain the header information and the valid information from the access token; the header information and the valid information are hashed to obtain the data to be authenticated, and the signature information in the access token is decrypted to obtain the reference authentication data. It is then determined whether the data to be authenticated is consistent with the reference authentication data: if they are consistent, an authentication result indicating that authentication passes is generated; if they are inconsistent, an authentication result indicating authentication failure is generated.
Further, when the token authentication result indicates that authentication passes, the business service request may be authenticated based on the access token by using the first plug-in component included in the gateway of the server, to obtain an authentication result.
Here, after the access token carried by the business service request is obtained, it must first be verified that the user information of the user side is legal and valid; therefore the access token is authenticated by the second plug-in unit contained in the gateway of the server side, and the validity and accuracy of the access token are judged from the resulting token authentication result, which provides a guarantee that the subsequent authentication using the access token is itself valid.
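As an added example (not code from the patent or its assignee), the following Python sketch of the second plug-in's check covers both modes described above: a lookup against stored reference tokens, and a signature check over the header and payload of a three-part token. The page describes decrypting the signature and comparing it with a hash of header plus payload; here an HMAC-SHA256 keyed hash stands in for that signature step, and the signing key, claim names (sub, exp), the pinned algorithm and the expiry check are assumptions.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional, Tuple

# Constructed signing key shared by the token issuer and the gateway (assumption).
SIGNING_KEY = b"constructed-demo-key-for-the-gateway"


def b64url_decode(part: str) -> bytes:
    # Compact token encodings strip base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def issue_token(user_id: str, ttl: int = 3600, now: Optional[int] = None,
                alg: str = "HS256") -> str:
    """Fixture only: build a header.payload.signature token for the check below.
    With alg != "HS256" the header is still written but no signature is attached,
    which reproduces the unsigned-token case the verifier must reject."""
    now = int(time.time()) if now is None else now
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps({"sub": user_id, "exp": now + ttl}).encode())
    if alg != "HS256":
        return f"{header}.{payload}."
    sig = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def authenticate_token(
    token: str,
    reference_store: Optional[Dict[str, str]] = None,
    now: Optional[int] = None,
) -> Tuple[bool, str]:
    """Second plug-in: returns (True, user_id) on success, (False, reason) otherwise."""
    # Mode 1: the server stores reference tokens, so only an exact match passes.
    if reference_store is not None:
        if token in reference_store:
            return True, reference_store[token]
        return False, "no matching reference token"

    # Mode 2: no reference store, so verify the signature over header + payload.
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        payload = json.loads(b64url_decode(payload_b64))
        presented_sig = b64url_decode(sig_b64)
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return False, "undecodable token"

    # Pin the algorithm: the header must not be allowed to select a weaker check.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return False, "unsupported algorithm"

    # "Data to be authenticated": keyed hash of header + payload exactly as received.
    expected_sig = hmac.new(
        SIGNING_KEY, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256
    ).digest()
    # Constant-time comparison against the signature carried in the token.
    if not hmac.compare_digest(expected_sig, presented_sig):
        return False, "signature mismatch"

    if not isinstance(payload, dict) or "sub" not in payload:
        return False, "token carries no user identification"
    now = int(time.time()) if now is None else now
    if payload.get("exp", 0) <= now:
        return False, "token expired"
    # The user identification the first plug-in will use in step A1.
    return True, str(payload["sub"])
```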
In a possible implementation manner, when the token authentication result of the second plug-in indicates that authentication passes, the first plug-in module included in the gateway of the server side can be used to authenticate the business service request based on the access token to obtain an authentication result; specifically, the method comprises the following steps:
and step A1, acquiring the identification information of the user side from the access token.
And step A2, authenticating the business service request by using a first plugin contained in the gateway of the service terminal based on the identification information of the user terminal and the authority information of the service interface corresponding to the business service request contained in the first plugin, and obtaining an authentication result.
Here, because the plug-in parameters of the first plug-in in the gateway include the authority information of the service interface corresponding to the business service request, when the business service request arrives at the gateway the first plug-in can authenticate it based on the identification information of the user terminal obtained from the access token and that authority information, to obtain an authentication result. The business component of the service end is not required to intercept the business service request and then authenticate it, so authentication is decoupled from the business service and the efficiency of request authentication is improved at the same time.
Meanwhile, the gateway is used for realizing automatic authentication of the business service request through the first plug-in, so that the sub-product with the business service function does not need to pay attention to the authenticated data information during development; the state of the first plug-in unit can be controlled at any time according to the requirements of business service, so that the workload and the access difficulty of the sub-product with business service function to the service end are reduced, and the development efficiency is improved.
In implementation, the access token contains the identification information of the user side, which is a unique character string identifying the user side, so the identification information of the user side can be obtained from the access token; and because the plug-in parameters of the first plug-in in the gateway contain the authority information of the service interface corresponding to the business service request, that authority information can be obtained from the plug-in parameters of the first plug-in. The first plug-in unit included in the gateway of the server can then authenticate the business service request based on the identification information of the user side and the authority information of the service interface corresponding to the business service request to obtain an authentication result, from which it is judged whether the user side has the authority for the requested business service.
In specific implementation, step A2, using a first plugin included in a gateway of a server, authenticates a service request based on identification information of a user side and authority information of a service interface corresponding to the service request included in the first plugin, to obtain an authentication result, including:
step A21, the first plug-in unit included in the gateway of the server side is utilized to obtain preset authority information of the user side based on the identification information of the user side, and whether the preset authority information is matched with the authority information of the service interface or not is determined.
And step A22, if they match, generating an authentication result indicating that authentication passes.
In implementation, after the identification information of the user side is obtained from the access token, the first plug-in unit contained in the gateway of the server side can obtain the preset authority information of the user side based on that identification information, and can determine whether the preset authority information matches the authority information of the service interface. For example, if the authority information of the service interface is writing data, and the preset authority information of the user side comprises reading data, deleting data and modifying data, it is determined that the preset authority information does not match the authority information of the service interface, and an authentication result indicating authentication failure is generated; if instead the preset authority information of the user side comprises reading data, deleting data and writing data, it is determined that the preset authority information matches the authority information of the service interface, and an authentication result indicating that authentication passes is generated.
Because the plug-in parameters of the first plug-in in the gateway contain the authority information of the service interface corresponding to the business service request, the first plug-in in the gateway of the service end can obtain the preset authority information of the user end based on the identification information of the user end and determine whether the preset authority information matches the authority information of the service interface; if so, an authentication result indicating that authentication passes is generated, from which it is judged whether the user terminal has the authority to request the business service through the service interface corresponding to the business service request.
In implementation, before the user side initiates the service request, the server side may generate the first plugin so as to execute the authentication procedure in the service request process.
Specifically, the first plug-in may be generated according to the following steps:
step B1, obtaining interface information corresponding to at least one service interface; wherein the interface information includes definition information and authority information.
And B2, generating a right file based on interface information corresponding to at least one service interface by using a third plug-in the service end.
And B3, taking the file content in the authority file as a plug-in parameter of the initialization plug-in to generate a first plug-in.
In implementation, for each service interface, the authority information of the service interface can be added as an extension when the definition information of the service interface is configured. Here, the definition information may describe the request mode and request parameters of the service interface, and the authority information may describe the authority owned by the service interface and the validation scope of that authority.
Specifically, the definition information includes: first definition information for describing a request mode of the service interface; and/or second definition information for describing request parameters of the service interface; the authority information includes: first authority information for describing operation semantics of a resource object under a service corresponding to a service interface; and second authority information for controlling the validation scope of the first authority information.
For example, referring to the interface information definition diagram shown in fig. 2a, the first definition information is post: "/v1/managementGroups/{parent_name}", and the request mode is post; the request mode may also be get, delete, patch or the like. The second definition information is body: "management_group", and the request parameter is management_group; when the request mode is get or delete, the definition information does not include the second definition information.
Here, the format of the first authority information may be service.resource.verb, where service is the service name corresponding to the service interface, resource is the resource object operated on under the service, and verb is the operation specifically performed on the resource. As shown in fig. 2a, the first authority information is permission: "rm.managementGroup.create", whose operation semantics are to allow creation of a management group. The second authority information is scope: "/rm/managementGroups/{parent_name}", which controls the validation scope of the first authority information to be the root management group, where {parent_name} represents any sub management group under the root management group.
When the first plug-in is generated, interface information corresponding to at least one service interface is acquired, comprising definition information and authority information; a third plug-in in the server side then generates an authority file in a preset data format based on that interface information. As shown in fig. 2b, the file content of the authority file includes: a comment section, the business service path, the request mode method, the second authority information scope and the first authority information permission. The third plug-in used in the embodiments of the present disclosure may be the protoc plug-in protoc-gen-policy, which may be developed according to actual needs; it is given here only as an example.
Further, the file content of the authority file is used as the plug-in parameters of an initialization plug-in to generate the first plug-in. The first plug-in configuration diagram in fig. 2c shows a first plug-in generated by configuring the initialization plug-in with the comment, business service path, request mode method, second authority information scope and first authority information permission from the authority file as its plug-in parameters.
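As an added example that is not the patent's own code, the following Python sketch puts steps A21/A22 and B1-B3 together: a stand-in for the protoc-gen-policy plug-in turns interface definitions modelled on the fig. 2a example into authority-file rules (comment, path, method, scope, permission), and a first-plug-in class initialised with those rules matches an incoming request to its service interface and checks the user's preset authority against the interface's permission within the required scope. The user grants, the segment-prefix semantics of scopes and the {parent_name} path-template matching are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class InterfaceInfo:
    """Definition information (method, path, body) plus authority information."""
    method: str
    path: str
    permission: str   # first authority information: service.resource.verb
    scope: str        # second authority information: validation scope of the permission
    body: Optional[str] = None
    comment: str = ""


# Constructed interface definitions modelled on the page's fig. 2a example.
INTERFACES: List[InterfaceInfo] = [
    InterfaceInfo("post", "/v1/managementGroups/{parent_name}", "rm.managementGroup.create",
                  "/rm/managementGroups/{parent_name}", body="management_group",
                  comment="create a management group under parent_name"),
    InterfaceInfo("get", "/v1/managementGroups/{parent_name}", "rm.managementGroup.get",
                  "/rm/managementGroups/{parent_name}", comment="read a management group"),
    InterfaceInfo("delete", "/v1/managementGroups/{parent_name}", "rm.managementGroup.delete",
                  "/rm/managementGroups/{parent_name}", comment="delete a management group"),
]

# Constructed preset authority per user: user id -> {(permission, concrete scope)}.
USER_PERMISSIONS: Dict[str, Set[Tuple[str, str]]] = {
    "alice": {("rm.managementGroup.create", "/rm/managementGroups"),
              ("rm.managementGroup.get", "/rm/managementGroups")},
    "bob":   {("rm.managementGroup.get", "/rm/managementGroups"),
              ("rm.managementGroup.delete", "/rm/managementGroups"),
              ("rm.managementGroup.update", "/rm/managementGroups")},
    "carol": {("rm.managementGroup.create", "/rm/managementGroups/teamC")},
}


def generate_policy_file(interfaces: List[InterfaceInfo]) -> List[dict]:
    """Step B2 stand-in for protoc-gen-policy: one rule per interface, holding
    exactly the fields the page lists for the authority file."""
    return [{"comment": i.comment, "path": i.path, "method": i.method.upper(),
             "scope": i.scope, "permission": i.permission} for i in interfaces]


def path_pattern(template: str) -> "re.Pattern[str]":
    """Turn "/v1/x/{name}" into a regex capturing name as a single path segment."""
    pattern, pos = "", 0
    for m in re.finditer(r"\{(\w+)\}", template):
        pattern += re.escape(template[pos:m.start()]) + f"(?P<{m.group(1)}>[^/]+)"
        pos = m.end()
    return re.compile("^" + pattern + re.escape(template[pos:]) + "$")


def scope_covers(granted: str, required: str) -> bool:
    """A grant covers the required scope when it is a segment-wise prefix of it,
    so a grant on the root management group covers every sub group beneath it."""
    g = [s for s in granted.split("/") if s]
    r = [s for s in required.split("/") if s]
    return len(g) <= len(r) and all(gs == rs for gs, rs in zip(g, r))


class AuthzPlugin:
    """First plug-in (step B3): initialised with the authority file as its parameters."""

    def __init__(self, rules: List[dict],
                 user_permissions: Dict[str, Set[Tuple[str, str]]]):
        self.rules = [(r["method"], path_pattern(r["path"]), r) for r in rules]
        self.user_permissions = user_permissions

    def authorize(self, user_id: str, method: str, path: str) -> Tuple[bool, str]:
        """Steps A21/A22: locate the service interface the request targets, then check
        whether the user's preset authority matches its permission within the scope."""
        for rule_method, pattern, rule in self.rules:
            match = pattern.match(path)
            if rule_method == method.upper() and match:
                break
        else:
            return False, "no service interface matches the request"
        # Fill the scope template with this request's path parameters.
        required_scope = rule["scope"]
        for name, value in match.groupdict().items():
            required_scope = required_scope.replace("{" + name + "}", value)
        for perm, scope in self.user_permissions.get(user_id, set()):
            if perm == rule["permission"] and scope_covers(scope, required_scope):
                return True, rule["permission"]
        return False, f"user lacks {rule['permission']} on {required_scope}"
```

Like the read/delete/modify example in the text, bob holds three permissions on the service but not the one the create interface requires, so his request fails while alice's passes.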
For S103:
when the authentication result indicates that the authentication passes, that is, the user terminal has the authority of the service request, the service interface corresponding to the service request can be utilized to obtain the request result corresponding to the service request, and the request result can be sent to the user terminal. And under the condition that the authentication result indicates authentication failure, namely that the user terminal does not possess the authority of the business service request, the request result of rejecting the request can be sent to the user terminal. For example, when the business service request is to access the target data of the target address, the request result may include the target data. For example, when the service request is to write the target data into the target address, the request result may include first feedback information of successful writing or second feedback information of failed writing, etc.
The following uses the user terminal as a main body to relatively specifically describe the authentication method provided by the embodiment of the present disclosure.
Referring to fig. 3, a flowchart of an authentication method according to an embodiment of the disclosure includes: S301-S302, specifically:
S301, a business service request carrying an access token is initiated to a server side, so that the server side authenticates the business service request based on the access token by using a first plug-in component contained in a gateway of the server side, and an authentication result is obtained; the plug-in parameters of the first plug-in comprise authority information of a service interface corresponding to the business service request; and under the condition that the authentication result indicates that the authentication passes, acquiring a request result corresponding to the business service request by utilizing a service interface corresponding to the business service request.
S302, receiving a request result corresponding to the business service request.
When in implementation, a user can initiate a service request carrying an access token to a server through a user terminal, for example, the user can request to create a management group, request to modify data and the like; so that the service end can authenticate the business service request based on the access token by using the first plugin contained in the gateway of the service end to obtain an authentication result; the plug-in parameters of the first plug-in comprise authority information of a service interface corresponding to the business service request; and under the condition that the authentication result indicates that the authentication passes, acquiring a request result corresponding to the business service request by utilizing a service interface corresponding to the business service request. Further, a request result corresponding to the business service request may be received.
Here, the user side initiates a business service request carrying an access token to the server side, and the server side authenticates the business service request based on the access token by using the first plug-in unit contained in its gateway to obtain an authentication result; when the authentication result indicates that authentication passes, the request result corresponding to the business service request is acquired through the service interface corresponding to that request. In this way the user terminal receives the request result quickly, and the request efficiency of the user terminal is improved.
The following describes the authentication and authorization process of the user terminal to initiate the business service request in a relatively specific manner.
Referring to the schematic diagram in fig. 4 of a gateway authentication flow implemented through gateway plug-ins: the user initiates a business service request carrying an access token to the server; the service end obtains the access token carried by the business service request and uses the second plug-in oidc contained in its gateway kong to call the authentication interface IAM-Hydra of the identity and access management (Identity and Access Management, IAM) system to authenticate the access token, obtaining a token authentication result; when that result indicates authentication failure, the failure result is sent to the user side.
When the token authentication result indicates that authentication passes, the first plug-in Authz contained in the gateway kong of the server side calls the authentication interface IAM-Authz and authenticates the business service request based on the identification information of the user side obtained from the access token and the authority information of the service interface corresponding to the business service request obtained from the plug-in parameters of the first plug-in, obtaining an authentication result; when this authentication result indicates authentication failure, the failure result is sent to the user terminal.
When the authentication result indicates that the authentication passes, a service interface corresponding to the service request is utilized to acquire a request result corresponding to the service request, and the request result is sent to the user side; and the user receives a request result corresponding to the business service request and executes subsequent operations.
It will be appreciated by those skilled in the art that in the above-described method of the specific embodiments, the written order of steps is not meant to imply a strict order of execution but rather should be construed according to the function and possibly inherent logic of the steps.
Based on the same concept, the embodiment of the present disclosure further provides an authentication device, which is applied to a server, and referring to fig. 5, which is a schematic architecture diagram of the authentication device provided by the embodiment of the present disclosure, and includes a first obtaining module 501, an authentication module 502, and a second obtaining module 503, specifically:
a first obtaining module 501, configured to, in response to a business service request initiated by a user terminal, obtain an access token carried by the business service request;
an authentication module 502, configured to authenticate the service request based on the access token by using a first plug-in component included in the gateway of the server, to obtain an authentication result; the plug-in parameters of the first plug-in comprise authority information of a service interface corresponding to the business service request;
and the second obtaining module 503 is configured to obtain, when the authentication result indicates that authentication passes, a request result corresponding to the service request by using the service interface corresponding to the service request.
In a possible implementation manner, the authentication module 502 is configured to, when using a first plug-in included in the gateway of the server, authenticate the service request based on the access token, and obtain an authentication result:
acquiring the identification information of the user from the access token;
and authenticating the business service request by using a first plug-in unit contained in the gateway of the service terminal based on the identification information of the user terminal and the authority information of the service interface corresponding to the business service request contained in the first plug-in unit to obtain an authentication result.
In a possible implementation manner, when the authentication module 502 performs authentication on the service request by using the first plugin included in the gateway of the service side based on the identification information of the user side and the authority information of the service interface corresponding to the service request included in the first plugin, the authentication module is configured to:
acquiring preset authority information of the user side based on the identification information of the user side by using a first plug-in unit contained in the gateway of the service side, and determining whether the preset authority information is matched with the authority information of the service interface;
if so, generating an authentication result for indicating the passing of authentication.
In a possible embodiment, the apparatus further comprises: an authentication module 504; the authentication module 504 is further configured to, after the access token carried by the service request is obtained:
authenticating the access token by using a second plug-in unit contained in the gateway of the server to obtain an authentication result;
the authentication module 502 is configured to, when using a first plug-in component included in the gateway of the server, authenticate the service request based on the access token, and obtain an authentication result:
And under the condition that the authentication result indicates that the authentication passes, authenticating the business service request based on the access token by using a first plug-in unit contained in the gateway of the server to obtain an authentication result.
In a possible embodiment, the apparatus further comprises: a generation module 505; the generating module is configured to generate the first plugin:
acquiring interface information corresponding to at least one service interface; wherein the interface information includes definition information and authority information;
generating a permission file based on interface information corresponding to at least one service interface by using a third plug-in the service end;
and taking the file content in the authority file as a plug-in parameter of an initialization plug-in to generate the first plug-in.
In a possible embodiment, the definition information includes: first definition information for describing a request mode of the service interface; and/or second definition information for describing request parameters of the service interface;
the authority information includes: first authority information for describing operation semantics of a resource object under a service corresponding to a service interface; and second authority information for controlling the validation scope of the first authority information.
Based on the same concept, the embodiment of the present disclosure further provides an authentication device, which is applied to a user side, and as shown in fig. 6, is an architecture schematic diagram of the authentication device provided by the embodiment of the present disclosure, and includes a request module 601, a receiving module 602, and specifically:
a request module 601, configured to initiate a service request carrying an access token to a server, so that the server uses a first plugin included in a gateway of the server to authenticate the service request based on the access token, and obtain an authentication result; the plug-in parameters of the first plug-in comprise authority information of a service interface corresponding to the business service request; acquiring a request result corresponding to the business service request by utilizing the service interface corresponding to the business service request under the condition that the authentication result indicates that the authentication is passed;
and the receiving module 602 is configured to receive a request result corresponding to the service request.
In some embodiments, the functions or modules included in the apparatus provided by the embodiments of the present disclosure may be used to perform the methods described in the foregoing method embodiments; their specific implementation may refer to the descriptions of the foregoing method embodiments, which are not repeated here for brevity.
Based on the same technical concept, the embodiment of the disclosure also provides an electronic device. Referring to fig. 7, a schematic structural diagram of an electronic device according to an embodiment of the disclosure includes a processor 701, a memory 702 and a bus 703. The memory 702 is configured to store execution instructions and comprises a memory 7021 and an external memory 7022. The memory 7021, also referred to as internal memory, temporarily stores operation data of the processor 701 and data exchanged with the external memory 7022 such as a hard disk; the processor 701 exchanges data with the external memory 7022 through the memory 7021. When the electronic device 700 is operated, the processor 701 and the memory 702 communicate through the bus 703, so that the processor 701 executes the following instructions:
responding to a business service request initiated by a user side, and acquiring an access token carried by the business service request;
authenticating the business service request based on the access token by using a first plug-in unit contained in the gateway of the service end to obtain an authentication result; the plug-in parameters of the first plug-in comprise authority information of a service interface corresponding to the business service request;
and under the condition that the authentication result indicates that the authentication passes, acquiring a request result corresponding to the business service request by utilizing the service interface corresponding to the business service request.
The specific process flow of the processor 701 may refer to the description of the above method embodiment, and will not be repeated here.
Furthermore, the embodiments of the present disclosure also provide a computer readable storage medium, on which a computer program is stored, which when being executed by a processor performs the steps of the authentication method described in the above method embodiments. Wherein the storage medium may be a volatile or nonvolatile computer readable storage medium.
The embodiments of the present disclosure further provide a computer program product, where the computer program product carries a program code, where instructions included in the program code may be used to perform steps of the authentication method described in the foregoing method embodiments, and specifically reference may be made to the foregoing method embodiments, which are not described herein.
Wherein the above-mentioned computer program product may be realized in particular by means of hardware, software or a combination thereof. In an alternative embodiment, the computer program product is embodied as a computer storage medium, and in another alternative embodiment, the computer program product is embodied as a software product, such as a software development kit (Software Development Kit, SDK), or the like.
It will be clear to those skilled in the art that, for convenience and brevity of description, specific working procedures of the above-described system and apparatus may refer to corresponding procedures in the foregoing method embodiments, which are not described herein again. In the several embodiments provided in the present disclosure, it should be understood that the disclosed systems, devices, and methods may be implemented in other manners. The above-described apparatus embodiments are merely illustrative, for example, the division of the units is merely a logical function division, and there may be other manners of division in actual implementation, and for example, multiple units or components may be combined or integrated into another system, or some features may be omitted, or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be through some communication interface, device or unit indirect coupling or communication connection, which may be in electrical, mechanical or other form.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in each embodiment of the present disclosure may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a non-volatile computer readable storage medium executable by a processor. Based on such understanding, the technical solution of the present disclosure may be embodied in essence or a part contributing to the prior art or a part of the technical solution, or in the form of a software product stored in a storage medium, including several instructions to cause a computer device (which may be a personal computer, a server, or a network device, etc.) to perform all or part of the steps of the method described in the embodiments of the present disclosure. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a random access Memory (Random Access Memory, RAM), a magnetic disk, or an optical disk, or other various media capable of storing program codes.
The foregoing is merely a specific embodiment of the disclosure, but the protection scope of the disclosure is not limited thereto, and any person skilled in the art can easily think about changes or substitutions within the technical scope of the disclosure, and it should be covered in the protection scope of the disclosure. Therefore, the protection scope of the present disclosure shall be subject to the protection scope of the claims.

Claims (11)

1. The authentication method is characterized by being applied to a server and comprising the following steps:
responding to a business service request initiated by a user side, and acquiring an access token carried by the business service request;
authenticating the business service request based on the access token by using a first plug-in unit contained in the gateway of the service end to obtain an authentication result; the plug-in parameters of the first plug-in comprise authority information of a service interface corresponding to the business service request;
and under the condition that the authentication result indicates that the authentication passes, acquiring a request result corresponding to the business service request by utilizing the service interface corresponding to the business service request.
2. The method according to claim 1, wherein authenticating the business service request based on the access token using the first plug-in included in the gateway of the server to obtain the authentication result comprises:
acquiring identification information of the client from the access token; and
authenticating the business service request using the first plug-in included in the gateway of the server, based on the identification information of the client and the authority information of the service interface corresponding to the business service request included in the first plug-in, to obtain the authentication result.
3. The method according to claim 2, wherein authenticating the business service request using the first plug-in included in the gateway of the server, based on the identification information of the client and the authority information of the service interface corresponding to the business service request included in the first plug-in, comprises:
acquiring, using the first plug-in included in the gateway of the server, preset authority information of the client based on the identification information of the client, and determining whether the preset authority information matches the authority information of the service interface; and
if so, generating an authentication result indicating that authentication passes.
4. The method according to any one of claims 1 to 3, further comprising, after acquiring the access token carried by the business service request:
verifying the access token using a second plug-in included in the gateway of the server, to obtain a token verification result;
wherein authenticating the business service request based on the access token using the first plug-in included in the gateway of the server to obtain the authentication result comprises:
when the token verification result indicates that the access token is valid, authenticating the business service request based on the access token using the first plug-in included in the gateway of the server, to obtain the authentication result.
5. The method according to any one of claims 1 to 4, wherein the first plug-in is generated by:
acquiring interface information corresponding to at least one service interface, wherein the interface information includes definition information and authority information;
generating an authority file based on the interface information corresponding to the at least one service interface using a third plug-in in the server; and
using the file content of the authority file as a plug-in parameter of an initialization plug-in to generate the first plug-in.
6. The method according to claim 5, wherein the definition information includes first definition information describing a request method of the service interface and/or second definition information describing request parameters of the service interface; and
the authority information includes first authority information describing operation semantics on a resource object under the service corresponding to the service interface, and second authority information controlling the scope within which the first authority information takes effect.
7. An authentication method, applied to a client, comprising:
initiating a business service request carrying an access token to a server, so that the server authenticates the business service request based on the access token using a first plug-in included in a gateway of the server to obtain an authentication result, wherein plug-in parameters of the first plug-in include authority information of a service interface corresponding to the business service request, and, when the authentication result indicates that authentication passes, acquires a request result corresponding to the business service request through the service interface corresponding to the business service request; and
receiving the request result corresponding to the business service request.
8. An authentication apparatus, applied to a server, comprising:
a first acquisition module, configured to acquire, in response to a business service request initiated by a client, an access token carried by the business service request;
an authentication module, configured to authenticate the business service request based on the access token using a first plug-in included in a gateway of the server, to obtain an authentication result; wherein plug-in parameters of the first plug-in include authority information of a service interface corresponding to the business service request; and
a second acquisition module, configured to acquire, when the authentication result indicates that authentication passes, a request result corresponding to the business service request through the service interface corresponding to the business service request.
9. An authentication apparatus, applied to a client, comprising:
a request module, configured to initiate a business service request carrying an access token to a server, so that the server authenticates the business service request based on the access token using a first plug-in included in a gateway of the server to obtain an authentication result, wherein plug-in parameters of the first plug-in include authority information of a service interface corresponding to the business service request, and, when the authentication result indicates that authentication passes, acquires a request result corresponding to the business service request through the service interface corresponding to the business service request; and
a receiving module, configured to receive the request result corresponding to the business service request.
10. An electronic device, comprising a processor, a memory and a bus, wherein the memory stores machine-readable instructions executable by the processor, the processor and the memory communicate over the bus when the electronic device is running, and the machine-readable instructions, when executed by the processor, perform the authentication method according to any one of claims 1 to 7.
11. A computer-readable storage medium having stored thereon a computer program which, when run by a processor, performs the authentication method according to any one of claims 1 to 7.
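Read together, claims 1 to 6 describe one gateway pipeline: a second plug-in verifies the access token, a first plug-in (whose parameters were generated from the service interfaces' authority information by a third plug-in) compares the client's preset authority with the interface's required authority, and only then is the request forwarded to the service interface. The Python below is an added example written to make that pipeline concrete; it is not code from the patent, from the applicant, or from any gateway product. The token format (an HMAC-SHA256 compact token), the key, the sample interfaces, the per-client grants, the "tenant"/"global" scope model and the deny-by-default for interfaces that declare no authority are all assumptions made for the example, and the claims do not specify any of them.

```python
import base64, hashlib, hmac, json, time

GATEWAY_KEY = b"example-hmac-key-do-not-reuse"  # constructed; load from a KMS in practice

# Interface information (claims 5-6, constructed sample). Definition information:
# request method and parameters. Authority information: the operation on the
# resource object ("action") and the scope in which the grant must hold.
INTERFACE_INFO = [
    {"method": "GET", "path": "/api/orders", "params": ["page"],
     "authority": {"action": "order:read", "scope": "tenant"}},
    {"method": "POST", "path": "/api/orders", "params": ["sku", "qty"],
     "authority": {"action": "order:create", "scope": "tenant"}},
    {"method": "DELETE", "path": "/api/users", "params": ["user_id"],
     "authority": {"action": "user:delete", "scope": "global"}},
]
# Preset authority information per client id (constructed); "*" is a global grant.
CLIENT_GRANTS = {
    "svc-reporting": [{"action": "order:read", "tenants": ["acme"]}],
    "svc-admin": [{"action": "user:delete", "tenants": "*"},
                  {"action": "order:read", "tenants": "*"}],
}
# Stand-ins for the service interfaces behind the gateway.
SERVICE_HANDLERS = {
    "GET /api/orders": lambda r: {"orders": [{"id": 1, "tenant": r["tenant"]}]},
    "POST /api/orders": lambda r: {"created": True},
    "DELETE /api/users": lambda r: {"deleted": r["params"].get("user_id")},
}

def generate_permission_file(interface_info):
    """Third plug-in (claim 5): the authority file as JSON text keyed by "METHOD path"."""
    table = {f"{i['method']} {i['path']}": i["authority"] for i in interface_info}
    return json.dumps(table, sort_keys=True)

def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(client_id, tenant, ttl=300, now=None):
    """Constructed issuer: HMAC-SHA256 over a base64url JSON payload (no real IdP)."""
    now = int(time.time()) if now is None else now
    payload = {"sub": client_id, "tenant": tenant, "exp": now + ttl}
    body = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(GATEWAY_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{b64url_encode(sig)}"

def verify_token(token, now=None):
    """Second plug-in (claim 4): returns (claims, None) or (None, reason)."""
    try:
        body, sig = token.split(".")
        expected = hmac.new(GATEWAY_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            return None, "bad signature"
        claims = json.loads(b64url_decode(body))
    except ValueError:  # wrong segment count, bad base64, or bad JSON
        return None, "malformed token"
    now = int(time.time()) if now is None else now
    if "sub" not in claims or claims.get("exp", 0) <= now:
        return None, "token expired or missing subject"
    return claims, None

class AuthorizationPlugin:
    """First plug-in (claims 1-3), initialised with the authority file content."""

    def __init__(self, permission_file, client_grants):
        self.required = json.loads(permission_file)  # plug-in parameter
        self.client_grants = client_grants           # preset authority information

    def authorize(self, method, path, claims):
        required = self.required.get(f"{method} {path}")
        if required is None:  # example choice, not in the claims: deny undeclared interfaces
            return False, "no authority declared for interface"
        for grant in self.client_grants.get(claims["sub"], []):
            if grant["action"] != required["action"]:
                continue
            if grant["tenants"] == "*":  # a global grant satisfies either scope
                return True, "ok"
            if required["scope"] == "tenant" and claims.get("tenant") in grant["tenants"]:
                return True, "ok"
        return False, "insufficient authority"

def handle_request(authz, request, now=None):
    """Gateway pipeline (claims 1 and 4): token check, then authority check, then forward."""
    auth = request.get("headers", {}).get("Authorization", "")
    if not auth.startswith("Bearer "):
        return {"status": 401, "error": "missing access token"}
    claims, err = verify_token(auth[len("Bearer "):], now=now)
    if err:
        return {"status": 401, "error": err}
    ok, reason = authz.authorize(request["method"], request["path"], claims)
    if not ok:
        return {"status": 403, "error": reason}
    handler = SERVICE_HANDLERS[f"{request['method']} {request['path']}"]
    return {"status": 200, "body": handler({**request, "tenant": claims.get("tenant")})}

def build_plugin():
    return AuthorizationPlugin(generate_permission_file(INTERFACE_INFO), CLIENT_GRANTS)
```

Two points the example makes visible that the claims leave implicit. First, the token check and the authority check are separate decisions with separate failure modes: a forged or expired token never reaches the first plug-in, and a valid token for a client lacking the interface's authority is rejected without touching the service. Second, because the first plug-in's parameters are fixed from the authority file at generation time, the file must be regenerated and the plug-in re-initialised whenever an interface's authority information changes; otherwise the gateway keeps enforcing stale requirements.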
CN202310092261.XA 2023-02-01 2023-02-01 Authentication method, device, electronic equipment and storage medium Pending CN116232604A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310092261.XA CN116232604A (en) 2023-02-01 2023-02-01 Authentication method, device, electronic equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310092261.XA CN116232604A (en) 2023-02-01 2023-02-01 Authentication method, device, electronic equipment and storage medium

Publications (1)

Publication Number Publication Date
CN116232604A true CN116232604A (en) 2023-06-06

Family

ID=86586710

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310092261.XA Pending CN116232604A (en) 2023-02-01 2023-02-01 Authentication method, device, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN116232604A (en)

Similar Documents

Publication Publication Date Title
AU2017242765C1 (en) Method and device for registering biometric identity and authenticating biometric identity
EP2283669B1 (en) Trusted device-specific authentication
EP2929479B1 (en) Method and apparatus of account login
US8209394B2 (en) Device-specific identity
CN107294900B (en) Identity registration method and device based on biological characteristics
CA3035817A1 (en) System and method for decentralized authentication using a distributed transaction-based state machine
CN111931144B (en) Unified safe login authentication method and device for operating system and service application
CN112000951B (en) Access method, device, system, electronic equipment and storage medium
US20230412399A1 (en) Database Multi-Authentication Method and System, Terminal, and Storage Medium
KR20160018554A (en) Roaming internet-accessible application state across trusted and untrusted platforms
KR20220167366A (en) Cross authentication method and system between online service server and client
CN116192483A (en) Authentication method, device, equipment and medium
EP3407241A1 (en) User authentication and authorization system for a mobile application
CN116996305A (en) Multi-level security authentication method, system, equipment, storage medium and entry gateway
CN115208669B (en) Distributed identity authentication method and system based on blockchain technology
CN111581616A (en) Multi-terminal login control method and device
CN115563588A (en) Software offline authentication method and device, electronic equipment and storage medium
CN112565209B (en) Network element equipment access control method and equipment
CN116232604A (en) Authentication method, device, electronic equipment and storage medium
CN116962088B (en) Login authentication method, zero trust controller and electronic equipment
CN115696329B (en) Zero trust authentication method and device, zero trust client device and storage medium
CN115085968B (en) Login authentication method based on custom tag under Linux
CN115190483B (en) Method and device for accessing network
CN115696329A (en) Zero trust authentication method and device, zero trust client device and storage medium
CN114978552A (en) Safe management method, device, equipment and medium for mailbox verification code

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination