CN116257827A - User identity authentication sharing method and system between handle system and information system - Google Patents


Publication number: CN116257827A
Authority: CN (China)
Prior art keywords: handle, user, server, authorization, client
Legal status: Granted
Application number: CN202310214113.0A
Other languages: Chinese (zh)
Other versions: CN116257827B (en)
Inventors: 王允成, 李红飞, 李俊, 王冲华, 刘东东, 曲海阔, 周昊, 樊佩茹
Current assignee: China Industrial Control Systems Cyber Emergency Response Team
Original assignee: China Industrial Control Systems Cyber Emergency Response Team
Application filed by China Industrial Control Systems Cyber Emergency Response Team
Priority to CN202310214113.0A
Publication of CN116257827A
Application granted
Publication of CN116257827B
Current legal status: Active

Classifications

    • G06F21/31 User authentication (under G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals; G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; G06F Electric digital data processing; G06 Computing, calculating or counting; G Physics)
    • G06F21/44 Program or device authentication (same parent classes as above)
    • G06F21/602 Providing cryptographic facilities or services (under G06F21/60 Protecting data; G06F21/00; G06F; G06; G)
    • Y04S40/20 Information technology specific aspects, e.g. CAD, simulation, modelling, system security (under Y04S40/00 Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies; Y04S Systems integrating technologies related to power network operation, communication or information technologies for improving the electrical power generation, transmission, distribution, management or usage, i.e. smart grids; Y04 Information or communication technologies having an impact on other technology areas; Y General tagging of new technological developments and of cross-sectional technologies spanning over several sections of the IPC)

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention provides a method and system for sharing user identity authentication between a Handle system and an information system. The method comprises: extending the Handle system with an OAuth2-based authentication type and establishing an independent OAuth2 authorization server outside the Handle system; configuring the Handle server with the address and port of the authorization server and with the client identifier and client secret that the authorization server has issued to the Handle client; extending the user information table with the Handle identity information of the Handle system; on the basis of the configured Handle server and the extended user information table, entering a user name and password at the Handle client and sending an authorization code to the authorization server; applying to the authorization server for a temporary user token on the strength of the authorization code; and, once the authorization server has verified the authorization code, allowing the user to access the resource servers and achieving interoperation between the resource servers by means of the temporary user token. The invention lets the Handle system and other information systems share user accounts and interoperate.

Description

User identity authentication sharing method and system between handle system and information system
Technical Field
The present invention relates to the field of computer technology, and in particular to a method and system for sharing user identity authentication between a Handle system and an information system.
Background
Different information systems use user identity authentication schemes of different forms, so unified user identity authentication across systems is not available. The Handle system, an identifier data management system, uses its own identity authentication scheme and must interoperate with a variety of information systems under a common authentication mode so that the systems can authenticate against the same set of identities and then perform data operations.
The existing Handle system authenticates users in one of two modes, secret key or password, and user accounts are Handle codes, for example 300:86.100.1/ADMIN. A user identity Handle consists of an index part and a Handle code part, whereas other information systems generally authenticate with a user name and password, so the Handle system and other information systems cannot share user accounts and cannot interoperate.
Disclosure of Invention
The invention aims to provide a method and system for sharing user identity authentication between a Handle system and an information system, solving the problem that a Handle system and other information systems cannot share user accounts and therefore cannot interoperate.
In order to achieve the above object, the present invention provides the following solutions:
A method for sharing user identity authentication between a Handle system and an information system comprises the following steps:
modifying the source code of the Handle system to add an OAuth2-based authentication type, and establishing an independent OAuth2 authorization server outside the Handle system; the authorization server issues and verifies temporary user tokens and supports the authorization code mode, the password mode and the client (client credentials) mode;
configuring the Handle server of the Handle system to store the address and port of the authorization server together with the client identifier and client secret that the authorization server has issued to the Handle client;
establishing a role-based access control user information table on the authorization server and extending it with the Handle identity information of the Handle system, namely a Handle code and a Handle index;
on the basis of the configured Handle server and the extended user information table, entering a user name and password at the Handle client so that the Handle client sends an authorization code to the authorization server on the strength of the user name and password;
applying to the authorization server for the temporary user token on the strength of the authorization code;
allowing the user to access a resource server once the authorization server has verified the authorization code, and achieving interoperation between the resource servers by means of the temporary user token; the resource servers comprise the Handle system and an information system.
Optionally, modifying the source code of the Handle system and adding the OAuth2-based authentication type specifically comprises:
determining the communication protocol types used between the Handle client and the Handle server;
and modifying the source code of the Handle system according to those protocol types to add the OAuth2-based authentication type.
Optionally, entering a user name and password at the Handle client on the basis of the configured Handle server and the extended user information table, and having the Handle client send an authorization code to the authorization server on the strength of them, specifically comprises:
verifying, against the configured Handle server and the extended user information table, whether the user name, password, client identifier and client secret are correct;
if they pass verification, asking the user whether to authorize;
if the user agrees, having the Handle client send the authorization code to the authorization server.
Optionally, applying to the authorization server for the temporary user token on the strength of the authorization code further comprises:
setting the verification content, verifying the authorization code against it, generating a verification result and returning it to the Handle client;
if the verification result is success, allowing the Handle client to access the Handle server; if it is failure, refusing the Handle client access to the Handle server.
Optionally, before interoperation between the resource servers is achieved according to the temporary user token, the method further comprises:
checking the temporary user token with the authorization server and returning the token check result to the resource server;
and, if the token check result is that the token is valid, allowing the user to access the resource server.
A system for sharing user identity authentication between a Handle system and an information system comprises:
a program extension module for modifying the source code of the Handle system to add an OAuth2-based authentication type and for establishing an independent OAuth2 authorization server outside the Handle system; the authorization server issues and verifies temporary user tokens and supports the authorization code mode, the password mode and the client (client credentials) mode;
a server extension module for configuring the Handle server of the Handle system to store the address and port of the authorization server together with the client identifier and client secret that the authorization server has issued to the Handle client;
a user information table extension module for establishing a role-based access control user information table on the authorization server and extending it with the Handle identity information of the Handle system, namely a Handle code and a Handle index;
an authorization code sending module for accepting, on the basis of the configured Handle server and the extended user information table, a user name and password at the Handle client so that the Handle client sends an authorization code to the authorization server on the strength of them;
a temporary user token application module for applying to the authorization server for the temporary user token on the strength of the authorization code;
an interoperation module for allowing the user to access the resource servers once the authorization server has verified the authorization code, and for achieving interoperation between the resource servers by means of the temporary user token; the resource servers comprise the Handle system and an information system.
Optionally, the program extension module specifically comprises:
a communication protocol type acquisition unit for determining the communication protocol types used between the Handle client and the Handle server;
a program extension unit for modifying the source code of the Handle system according to those protocol types and adding the OAuth2-based authentication type.
Optionally, the authorization code sending module specifically comprises:
a verification unit for verifying, against the configured Handle server and the extended user information table, whether the user name, password, client identifier and client secret are correct;
an inquiry unit for asking the user whether to authorize once the user name, password, client identifier and client secret have been verified;
an authorization code sending unit for causing the Handle client to send the authorization code to the authorization server if the user agrees to authorize.
An electronic device comprises a memory and a processor; the memory stores a computer program, and the processor causes the electronic device to perform the above method for sharing user identity authentication between a Handle system and an information system.
A computer-readable storage medium stores a computer program which, when executed by a processor, implements the above method for sharing user identity authentication between a Handle system and an information system.
According to the specific embodiments provided, the invention has the following technical effects. By modifying the source code of the Handle system it adds a new identity authentication mode, establishes an OAuth2 authorization server with an extended user information table, and configures the Handle server accordingly. This gives the Handle system OAuth2-based identity authentication and unified identity authentication with other information systems, so that the two can interoperate; it lowers the cost of connecting the Handle system to other information systems, reduces the difficulty of deploying the Handle system, and improves the service capability of the Handle system.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions of the prior art, the drawings that are needed in the embodiments will be briefly described below, it being obvious that the drawings in the following description are only some embodiments of the present invention, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a flow chart of a shared method for user identity authentication between a handle system and an information system provided by the invention;
FIG. 2 is a diagram of the classification of the identity authentication of the Handle system provided by the invention;
FIG. 3 is a schematic diagram of the authentication of the Handle system OAuth2 provided by the present invention;
FIG. 4 is a schematic diagram of a handshake between a Handle client and a server according to the present invention;
FIG. 5 is a schematic diagram of authentication of a Handle system and an information system based on an OAuth2 architecture according to the present invention.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
The invention aims to provide a method and system for sharing user identity authentication between a Handle system and an information system, so that the Handle system and other information systems can share user accounts and interoperate.
In order that the above-recited objects, features and advantages of the present invention will become more readily apparent, a more particular description of the invention will be rendered by reference to the appended drawings and appended detailed description.
As shown in FIG. 1, the invention provides a method for sharing user identity authentication between a Handle system and an information system, comprising:
Step 101: modify the source code of the Handle system to add an OAuth2-based authentication type, and establish an independent OAuth2 authorization server outside the Handle system. The authorization server issues and verifies a temporary user Token and so completes the verification of user identities for both the Handle system and the information system; it supports the authorization code mode, the password mode and the client (client credentials) mode.
In practice, step 101 specifically includes: determining the communication protocol types used between the Handle client and the Handle server, and modifying the source code of the Handle system for those protocols to add the OAuth2-based authentication type.
As an optional embodiment, shown in FIG. 2, the source code of the Handle system is modified to add a third authentication mode, HS_OAUTH, alongside the two modes the deployed Handle system already implements (HS_PUBKEY and HS_SECKEY). The system architecture does not need to change; the HS_OAUTH authentication type is simply added beside the originally supported HS_PUBKEY and HS_SECKEY key-based modes.
Step 102: configure the Handle server of the Handle system to store the address and port of the authorization server together with the client identifier and client secret that the authorization server has issued to the Handle client.
In practice this also involves: verifying, against the configured Handle server and the extended user information table, whether the user name, password, client identifier and client secret are correct; if they pass verification, asking the user whether to authorize; and, if the user agrees, having the Handle client send the authorization code to the authorization server.
As an optional embodiment, the authorization server's address and port and the client identifier (ClientID) and client secret (ClientSecret) that the authorization server has issued to the client are saved on the Handle server, either through its configuration or in an agreed Handle value, and are used for Token application and verification.
In other words, the Handle server must hold the address and port of the authorization server and the client id and client secret issued by it in one of two places: written into a configuration file, or stored in a specific Handle value.
Step 103: establish a role-based access control user information table on the authorization server and extend it with the Handle identity information of the Handle system; the Handle identity information comprises a Handle code and a Handle index.
As an optional embodiment, a personnel information model and database table structure based on role access control are established on the authorization server, and the user information table on the authorization server is extended with two fields, the Handle code and the Handle index, which together are the Handle identity information of the Handle system.
Step 104: on the basis of the configured Handle server and the extended user information table, enter a user name and password at the Handle client so that the Handle client sends an authorization code to the authorization server on the strength of them.
As an optional embodiment, the authorization code mode (authorization code), which the OAuth2 framework regards as the most secure and most widely used, is adopted: the Handle client obtains an authorization code after the user name and password are entered, exchanges the authorization code for a Token at the authorization server, and then performs Handle data operations with that Token. Two points matter for a deployment. First, the authorization code mode only keeps the user's password away from the client if the user name and password are entered on the authorization server's own login page (as in step 4 of the FIG. 5 flow) rather than collected by the Handle client; otherwise it reduces to the password mode. Second, the password mode that the authorization server also supports is deprecated by the OAuth 2.0 Security Best Current Practice (RFC 9700) for exactly that reason, so it should be disabled unless a legacy client cannot use anything else.
Step 105: apply to the authorization server for the temporary user token on the strength of the authorization code.
In practice, step 105 further includes: setting the verification content, verifying the authorization code against it, generating a verification result and returning it to the Handle client; if the result is success, the Handle client is allowed to access the Handle server, and if it is failure, the Handle client is refused access to the Handle server.
Once the authorization server has verified the code, the user is allowed to access the resource servers, which comprise a Handle system and an information system.
Step 106: allow the user to access a resource server once the authorization server has verified the authorization code, and achieve interoperation between the resource servers by means of the temporary user token; the resource servers comprise the Handle system and an information system.
In practice, achieving interoperation between the resource servers according to the temporary user token further includes: checking the temporary user token with the authorization server and returning the token check result to the resource server; if the result is that the token is valid, allowing the user to access the resource server.
In practice, once the user holds a Token, other information systems can be reached through the Handle system and the Handle system can be reached through an information system.
The Handle system and the information system interoperate through interfaces, with user authentication and authorization carried by the user's Token. For example, when data in the information system needs to be registered in the Handle system, the user operates directly in the information system, and the information system sends the registration request to the Handle system carrying the user's Token, without switching user or user interface between the two systems.
The invention treats the Handle service as a resource server just like any other information system: once the client holds the token it can access all of them uniformly, which hides the differences between resource providers.
Example 2
The process by which the Handle system performs OAuth2 authentication is shown in FIG. 3. The authorization server's configuration items are added on the Handle server side through the Handle server's existing configuration file, so no extra configuration file is needed; alternatively, the authorization server configuration is written into a Handle value of type HS_OAUTH.
1. The Handle client applies to the authorization server for a Token using its account (Handle identity index and Handle identity value).
Specifically, the Handle client needs the user name and password to obtain an authorization code, and obtains the Token from the authorization server with that authorization code.
2. The authorization server verifies the Handle client's information, including the user name and password, and issues a Token to the Handle client if authentication passes.
Specifically, the client information comprises the user name, password, ClientID and ClientSecret. The authorization server checks that this information is correct and asks whether the user authorizes; if so, the client sends the authorization code to the authorization server, which issues a Token for it.
3. The Handle client accesses the Handle server carrying the Token issued by the authorization server.
4. The Handle server has the Token sent by the Handle client checked by the authorization server: whether it is valid, whether it has expired, and so on.
Specifically, the check covers whether the authorization code has expired and whether it corresponds one-to-one with the account; the exact verification content is customized as required.
5. The authorization server returns the Token check result to the Handle server. The result is generally a Boolean: true for success, false for failure.
If the check result is false, an unauthorized-operation response is returned directly; if it is true, the result of the current operation is returned, for example the different responses of the create, delete, update and query operations.
The Handle server returns the corresponding information to the Handle client according to the check result: if the result is pass, the Handle client is allowed to access the Handle server and the operation result is returned; if the result is failure, the Handle client is refused access to the Handle server.
In practice, the server extension is as follows:
The standard Handle system supports two identity authentication modes, secret key (HS_SECKEY) and public key (HS_PUBKEY), on both its UDP/TCP protocol interface and its HTTP REST interface. The invention adds a third authentication type, the OAuth2 mode (HS_OAUTH), as shown in FIG. 2. To authenticate the Handle system through OAuth2, an authorization server must be added.
This authentication method requires separate program modifications for the TCP/UDP protocol and for the HTTPS RESTful interface. After the modification the original client/server handshake is unchanged, except that when the client answers the server's challenge it sets the authentication type to HS_OAUTH and adds the access Token to the response. Note what this changes: an HS_SECKEY or HS_PUBKEY response is a MAC or signature computed over the server's nonce and request digest, so it is bound to that one challenge, whereas the HS_OAUTH response carries the bearer token itself. Anyone who captures the token can present it until it expires, so the Handle transport must provide confidentiality (TLS, as the https setting in the configuration below assumes) and tokens should be short-lived.
In practice, the program extension is as follows:
The handshake between the Handle system client and the Handle server is shown in FIG. 4. The client and server communicate over three protocols, UDP, TCP and HTTP, so the OAuth2 extension of the Handle system requires a program modification for each of them; this per-protocol modification is what is called the program extension above.
Based on the UDP/TCP protocol (FIG. 4):
1. The client requests an operation that requires authentication.
2. The server issues a challenge: <REQDigest> <Nonce>.
3. Client response before the extension, for example: HS_SECKEY+KeyHandle:KeyIndex+hash; after the extension: HS_OAUTH+KeyHandle:KeyIndex+token.
4. The server returns the authentication result.
RESTful interface over HTTP (FIG. 4):
1. The client initiates a request: /api/sessions.
2. The server returns a response: {"sessionId": "xxxxxxx", "nonce": "xxxxxx"}.
3. Client response before the extension, for example: /api/sessions/this with Authorization: Handle sessionId="xxxxx", alg="SHA1", type="HS_SECKEY", cnonce="xxxxx", signature="xxxxx"; after the extension: /api/sessions/this with Authorization: Handle sessionId="xxxxxx", id="xxxxxx", type="HS_OAUTH", token="xxxxxx".
4. The server returns the authentication result.
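The handshake above, modelled end to end as an added example (this is my code, not the patent's and not the handle.net software): a Handle server issues the <REQDigest> <Nonce> challenge, a client answers either in the pre-extension HS_SECKEY form or in the post-extension HS_OAUTH form, and the server verifies each. Assumptions of mine: the HS_SECKEY proof is an HMAC-SHA256 over nonce and request digest standing in for the real Handle MAC, the message layout is the TYPE+KeyHandle:KeyIndex+proof string quoted above, HS_PUBKEY is left out, and the authorization server's token check is a callback returning the identity bound to a token. The point it makes is the binding difference noted above: a replayed HS_SECKEY response fails against a new challenge, while a replayed HS_OAUTH response succeeds until the token expires or is revoked.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

Identity = Tuple[str, int]  # (KeyHandle, KeyIndex), e.g. ("86.100.1/ADMIN", 300)


@dataclass(frozen=True)
class Challenge:
    req_digest: bytes  # digest of the request being authenticated (<REQDigest>)
    nonce: bytes       # fresh per challenge (<Nonce>)


def parse_response(response: str):
    """Split 'TYPE+KeyHandle:KeyIndex+proof' (layout quoted from the page)."""
    auth_type, ident, proof = response.split("+", 2)
    key_handle, key_index = ident.rsplit(":", 1)
    return auth_type, (key_handle, int(key_index)), proof


# --- client side -------------------------------------------------------------
def seckey_response(ident: Identity, key: bytes, ch: Challenge) -> str:
    # Assumption: HMAC-SHA256 over nonce||reqDigest stands in for the real
    # Handle HS_SECKEY MAC; what matters here is that it covers the challenge.
    proof = hmac.new(key, ch.nonce + ch.req_digest, "sha256").hexdigest()
    return f"HS_SECKEY+{ident[0]}:{ident[1]}+{proof}"


def oauth_response(ident: Identity, token: str) -> str:
    # After the extension the proof is the access token itself (a bearer token).
    return f"HS_OAUTH+{ident[0]}:{ident[1]}+{token}"


# --- server side -------------------------------------------------------------
class HandleServer:
    def __init__(self, secret_keys: Dict[Identity, bytes],
                 check_token: Callable[[str], Optional[Identity]]):
        self.secret_keys = secret_keys      # HS_SECKEY shared secrets
        self.check_token = check_token      # stands in for check_token at the AS
        self.pending: Dict[bytes, Challenge] = {}

    def challenge(self, request: bytes) -> Challenge:
        """Step 2: issue <REQDigest> <Nonce> for the request."""
        ch = Challenge(hashlib.sha256(request).digest(), os.urandom(16))
        self.pending[ch.nonce] = ch
        return ch

    def verify(self, ch: Challenge, response: str) -> bool:
        """Step 4: validate the step-3 response; every challenge is single-use."""
        if self.pending.pop(ch.nonce, None) is None:
            return False
        try:
            auth_type, ident, proof = parse_response(response)
        except ValueError:
            return False
        if auth_type == "HS_SECKEY":
            key = self.secret_keys.get(ident)
            if key is None:
                return False
            expected = hmac.new(key, ch.nonce + ch.req_digest, "sha256").hexdigest()
            return hmac.compare_digest(expected, proof)
        if auth_type == "HS_OAUTH":
            # The token is introspected; the identity the authorization server
            # binds to it must match the identity the client claimed.
            return self.check_token(proof) == ident
        return False  # HS_PUBKEY is not modelled here


if __name__ == "__main__":
    admin = ("86.100.1/ADMIN", 300)
    srv = HandleServer({admin: b"shared-secret"}, {"tok-admin": admin}.get)
    ch = srv.challenge(b"CREATE 86.100.1/NEW")
    print("HS_SECKEY:", srv.verify(ch, seckey_response(admin, b"shared-secret", ch)))
    ch = srv.challenge(b"CREATE 86.100.1/NEW")
    print("HS_OAUTH:", srv.verify(ch, oauth_response(admin, "tok-admin")))
```

The identity check in the HS_OAUTH branch is the one the text calls "whether the Token corresponds to the account": without it a valid token for any user would authenticate any KeyHandle:KeyIndex the client cares to name.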
In practice, the user information table is extended as follows:
The identity authentication user information table of the authorization server needs two Handle-system identity fields added to its original definition: the Handle identity index and the Handle identity identifier. Table 1 shows the authorization server user information table and Table 2 the extended authorization server user information table.
TABLE 1
No.  Field          Type    Remarks
1    USER_ID        Number  Primary key
2    USER_NAME      String  User name
3    USER_PASSWORD  String  User password
TABLE 2
(Authorization server user information extension table. In the original publication it survives only as images; per the text above it adds the Handle identity index and Handle identity identifier fields to the columns of Table 1.)
The table does not specify how USER_PASSWORD is stored; in a deployment the column should hold a salted password hash, not the password itself.
In practice, the Handle server configuration is extended as follows:
A Handle system adapted to OAuth2 also needs the interface address of the authorization server, the client ID and the client Secret configured so that it can obtain the Token issued by the authorization server and check the Token's validity.
Checking Token validity: check that the Token corresponds to the user account and that it has not expired; further checks are defined by the program.
This configuration can be provided in two ways:
Mode one: add the attributes to the configuration file (config.dct).
Mode two: store the authorization server configuration in a Handle value of type HS_OAUTH with the content below. Because this record includes the client secret, the value must be readable only by administrators of the Handle and never exposed through public resolution:
Server_ip:192.168.1.1
Port:8443
Protocol:https
URI:/oauth_center/check_token
Client_id:xxxxxxxxxxx
Client_secret:xxxxxxxxxxxxxxxxxx
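A parser and start-up check for the HS_OAUTH configuration record above, as an added example (my code, not the patent's). The key:value lines are the page's; the checks (https only, port range, absolute URI path, a client secret that is not a placeholder) and the rule that a Handle value holding the secret must not be publicly readable are my additions, and the read permission of the Handle value is passed in as a plain boolean rather than in any particular Handle storage encoding.

```python
from dataclasses import dataclass
from typing import List

REQUIRED = ("server_ip", "port", "protocol", "uri", "client_id", "client_secret")

# The configuration block as printed on the page (constructed input for the checks).
PAGE_CONFIG = """\
Server_ip:192.168.1.1
Port:8443
Protocol:https
URI:/oauth_center/check_token
Client_id:xxxxxxxxxxx
Client_secret:xxxxxxxxxxxxxxxxxx
"""


@dataclass(frozen=True)
class OAuthConfig:
    server_ip: str
    port: int
    protocol: str
    uri: str
    client_id: str
    client_secret: str

    @property
    def check_token_url(self) -> str:
        return f"{self.protocol}://{self.server_ip}:{self.port}{self.uri}"


def parse_config(text: str) -> OAuthConfig:
    """Parse 'Key:value' lines; keys are case-insensitive, the first ':' separates."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        fields[key.strip().lower()] = value.strip()
    missing = [k for k in REQUIRED if k not in fields]
    if missing:
        raise ValueError(f"missing keys: {missing}")
    return OAuthConfig(fields["server_ip"], int(fields["port"]), fields["protocol"].lower(),
                       fields["uri"], fields["client_id"], fields["client_secret"])


def validate(cfg: OAuthConfig, stored_in_handle_value: bool, public_read: bool) -> List[str]:
    """Problems the Handle server should refuse to start with (checks are my additions)."""
    problems = []
    if cfg.protocol != "https":
        problems.append("token checks must use https: client_secret and tokens travel on this link")
    if not 1 <= cfg.port <= 65535:
        problems.append("port out of range")
    if not cfg.uri.startswith("/"):
        problems.append("uri must be an absolute path")
    if len(cfg.client_secret) < 16 or len(set(cfg.client_secret)) == 1:
        problems.append("client_secret looks like a placeholder")
    if stored_in_handle_value and public_read:
        problems.append("HS_OAUTH value holding client_secret is publicly readable; make it admin-read only")
    return problems


if __name__ == "__main__":
    cfg = parse_config(PAGE_CONFIG)
    print(cfg.check_token_url)
    for p in validate(cfg, stored_in_handle_value=True, public_read=True):
        print("refusing to start:", p)
```

Run against the page's own record stored in a publicly readable Handle value, the check rejects it twice: the secret is a placeholder, and the value would leak it to anyone who resolves the Handle.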
The deployment scenario in which the Handle system and the information system form part of the resource service under the OAuth2 framework is shown in Fig. 5.
1. The user accesses a client application, here a browser or a custom-developed client program.
2. If, according to the user's current state, no access token is carried, the client application redirects to the authorization server.
3. The authorization server asks, in the form of a pop-up box, whether the user agrees to the access, i.e. whether the user consents to the client accessing the resource server.
4. If the user agrees to the access, the user enters the access account and password in the query box returned by the authorization server and authorizes the access.
5. If the user agrees to the access and enters the user name and password, the authorization server verifies them and returns the authorization response.
6. The client application sends the authorization code returned by the authorization server in order to obtain a token for accessing the resource server.
7. The authorization server verifies the authorization code and, if it passes, returns an authorization token.
8. The client application accesses the protected resource using the authorization token obtained in the previous step.
9. After receiving the request, the resource server verifies the validity of the access token with the authorization server.
10. The authorization server returns the token check result, i.e. whether or not the token is valid.
11. The resource server responds to the user's access request according to the token check result.
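The token check of steps 9 and 10, together with the HS_OAUTH configuration and the validity checks named above (token tied to the user account, token not expired), as an added example that is not code from the patent: it parses the HS_OAUTH value into a configuration, builds the check_token request and evaluates the authorization server's answer. The wire format (a POST with HTTP Basic client credentials, an answer carrying active, username and exp) is an assumption modelled on RFC 7662, and the refusal of plain http is a hardening the text does not state.

```python
"""Added example (not the patent's code): resource-server-side token check
for the Handle/OAuth2 integration. Parses the HS_OAUTH handle value, builds
the check_token request and applies the two checks the text names:
token tied to the user account, token not expired."""
import base64
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
from urllib.parse import urlencode, urlunsplit
from urllib.request import Request

# Constructed sample of an HS_OAUTH handle value, copied from the text;
# Client_id / Client_secret are the placeholders the text itself uses.
HS_OAUTH_VALUE = """Server_ip:192.168.1.1
Port:8443
Protocol:https
URI:/oauth_center/check_token
Client_id:xxxxxxxxxxx
Client_secret:xxxxxxxxxxxxxxxxxx
"""
REQUIRED_KEYS = ("Server_ip", "Port", "Protocol", "URI", "Client_id", "Client_secret")


@dataclass(frozen=True)
class OAuthConfig:
    server_ip: str
    port: int
    protocol: str
    uri: str
    client_id: str
    client_secret: str

    def check_token_url(self) -> str:
        return urlunsplit((self.protocol, f"{self.server_ip}:{self.port}", self.uri, "", ""))


def parse_hs_oauth(value: str) -> OAuthConfig:
    """Parse the Key:value lines of an HS_OAUTH handle value. Rejects incomplete
    records and (a hardening assumption beyond the text) anything but https,
    because the client secret travels in every check_token request."""
    fields: Dict[str, str] = {}
    for raw in value.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, val = line.partition(":")
        if not sep or not key.strip():
            raise ValueError(f"malformed HS_OAUTH line: {line!r}")
        fields[key.strip()] = val.strip()
    missing = [k for k in REQUIRED_KEYS if k not in fields]
    if missing:
        raise ValueError(f"HS_OAUTH value is missing keys: {missing}")
    if fields["Protocol"].lower() != "https":
        raise ValueError("HS_OAUTH Protocol must be https")
    port = int(fields["Port"])
    if not 0 < port < 65536:
        raise ValueError(f"HS_OAUTH Port out of range: {port}")
    return OAuthConfig(fields["Server_ip"], port, "https", fields["URI"],
                       fields["Client_id"], fields["Client_secret"])


def build_check_request(cfg: OAuthConfig, token: str) -> Request:
    """Build the check_token call of step 9. Assumption (RFC 7662 style): POST with
    the token in the form body and client ID/secret as HTTP Basic credentials."""
    creds = base64.b64encode(f"{cfg.client_id}:{cfg.client_secret}".encode()).decode()
    return Request(cfg.check_token_url(), data=urlencode({"token": token}).encode(),
                   headers={"Authorization": f"Basic {creds}",
                            "Content-Type": "application/x-www-form-urlencoded"},
                   method="POST")


def validate_check_result(result: Dict[str, object], expected_user: str,
                          now: Optional[float] = None) -> Tuple[bool, str]:
    """Apply the text's validity checks to the server's answer (step 10).
    Assumed answer shape (RFC 7662 style): 'active' flag, 'username' the token
    was issued to, 'exp' as a UNIX timestamp. Every failure path denies."""
    now = time.time() if now is None else now
    if result.get("active") is not True:
        return False, "token is not active"
    if result.get("username") != expected_user:
        return False, "token does not correspond to the requesting user account"
    exp = result.get("exp")
    if not isinstance(exp, (int, float)):
        return False, "token has no usable expiry"
    if exp <= now:
        return False, "token has expired"
    return True, "token is valid"


if __name__ == "__main__":
    cfg = parse_hs_oauth(HS_OAUTH_VALUE)
    print("check_token endpoint:", build_check_request(cfg, "demo-token").full_url)
    # Constructed answers, evaluated at a fixed clock so the output is stable.
    for answer in ({"active": True, "username": "alice", "exp": 1700003600},
                   {"active": True, "username": "alice", "exp": 1699999999},
                   {"active": True, "username": "bob", "exp": 1700003600}):
        print(answer, "->", validate_check_result(answer, "alice", now=1700000000))
```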
Example III
In order to execute the method of the above embodiment and achieve the corresponding functions and technical effects, a user identity authentication sharing system between the handle system and the information system is provided below.
A user identity authentication sharing system between a handle system and an information system, comprising:
a program expansion module, used for modifying the source code of the Handle system, expanding the OAuth2-based identity authentication type and establishing an independent authorization server based on the OAuth2 framework outside the Handle system; the authorization server is used for issuing and verifying a user temporary token; the authorization server supports an authorization code mode, a password mode and a client mode.
In practical application, the program expansion module specifically includes: a communication protocol type acquisition unit, used for acquiring the communication protocol types of the Handle client and the Handle server; and a program expansion unit, used for modifying the source code of the Handle system according to the communication protocol type and expanding the OAuth2-based identity authentication type.
A server expansion module, used for configuring the Handle server of the Handle system and storing the address and port of the authorization server, together with the user identifier and user key that the authorization server distributes to the Handle client.
A user information table expansion module, used for establishing a user information table based on role access control on the authorization server, expanding the user information table and adding the Handle identity information of the Handle system; the Handle identity information comprises a Handle code and a Handle index.
An authorization code sending module, used for inputting a user name and a password at the Handle client based on the configured Handle server and the expanded user information table, and enabling the Handle client to send an authorization code to the authorization server according to the user name and the password.
In practical application, the authorization code sending module specifically includes: a verification unit, used for verifying whether the user name, the password, the user identifier and the user key are correct based on the configured Handle server and the expanded user information table; an inquiring unit, used for inquiring whether the user authorizes if the user name, the password, the user identifier and the user key pass verification; and an authorization code sending unit, used for enabling the Handle client to send the authorization code to the authorization server if the user agrees to the authorization.
A user temporary token application module, used for applying to the authorization server for the user temporary token according to the authorization code.
An interoperation module, used for allowing the user to access the resource servers after the authorization server has authenticated the authorization code, and for realizing interoperation among the resource servers according to the user temporary token; the resource servers comprise the Handle system and the information system.
Example IV
The embodiment of the invention provides an electronic device comprising a memory and a processor, wherein the memory is used for storing a computer program, and the processor runs the computer program to make the electronic device execute the user identity authentication sharing method between the handle system and the information system provided in embodiment I.
In practical applications, the electronic device may be a server.
In practical applications, the electronic device includes at least one processor, a memory, a bus, and a communication interface.
The processor, the communication interface and the memory communicate with each other via the communication bus.
The communication interface is used for communicating with other devices.
The processor is configured to execute a program, and specifically may execute the method described in the foregoing embodiment.
In particular, the program may include program code comprising computer operating instructions.
The processor may be a central processing unit (CPU), an application-specific integrated circuit (ASIC), or one or more integrated circuits configured to implement embodiments of the present invention. The one or more processors included in the electronic device may be of the same type, such as one or more CPUs, or of different types, such as one or more CPUs and one or more ASICs.
The memory is used for storing programs. The memory may comprise high-speed RAM, and may further comprise non-volatile memory, such as at least one disk memory.
Based on the description of the above embodiments, the embodiments of the present application provide a storage medium having stored thereon computer program instructions executable by a processor to implement the method of any of the embodiments.
The user identity authentication shared system between the handle system and the information system provided by the embodiment of the application exists in various forms, including but not limited to:
(1) A mobile communication device: such devices are characterized by mobile communication capabilities and are primarily aimed at providing voice and data communication. Such terminals include smart phones (e.g., iPhone), multimedia phones, feature phones, and low-end phones, etc.
(2) An ultra-mobile personal computer device: such devices belong to the category of personal computers, have computing and processing functions, and generally have mobile internet access capabilities. Such terminals include PDA, MID, and UMPC devices, etc., such as the iPad.
(3) A portable entertainment device: such devices can display and play multimedia content. They include audio and video players (e.g., iPod), handheld game consoles, electronic books, smart toys and portable car navigation devices.
(4) Other electronic devices with data interaction functions.
Thus, particular embodiments of the present subject matter have been described. Other embodiments are within the scope of the following claims. In some cases, the actions recited in the claims can be performed in a different order and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing may be advantageous.
The system, apparatus, module or unit set forth in the above embodiments may be implemented in particular by a computer chip or entity, or by a product having a certain function. One typical implementation is a computer. In particular, the computer may be, for example, a personal computer, a laptop computer, a cellular telephone, a camera phone, a smart phone, a personal digital assistant, a media player, a navigation device, an email device, a game console, a tablet computer, a wearable device, or a combination of any of these devices.
For convenience of description, the above devices are described as being functionally divided into various units, respectively. Of course, the functions of each element may be implemented in one or more software and/or hardware elements when implemented in the present application. It will be appreciated by those skilled in the art that embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In one typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include volatile memory in a computer-readable medium, random access memory (RAM) and/or non-volatile memory, such as read-only memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media include permanent and non-permanent, removable and non-removable media, and may implement information storage by any method or technology. The information may be computer-readable instructions, data structures, program modules, or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, compact disc read-only memory (CD-ROM), digital versatile disc (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. As defined herein, computer-readable media do not include transitory computer-readable media (transmission media), such as modulated data signals and carrier waves.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements includes not only those elements but may also include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other like elements in the process, method, article or apparatus that comprises the element.
The application may be described in the general context of computer-executable instructions, such as program modules, being executed by a computer. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform particular transactions or implement particular abstract data types. The application may also be practiced in distributed computing environments where transactions are performed by remote processing devices that are connected through a communications network. In a distributed computing environment, program modules may be located in both local and remote computer storage media including memory storage devices.
In this specification, the embodiments are described in a progressive manner; each embodiment focuses on its differences from the other embodiments, and the identical and similar parts of the embodiments may be referred to one another. Since the system disclosed in the embodiments corresponds to the method disclosed in the embodiments, its description is relatively brief, and the relevant points can be found in the description of the method.
The principles and embodiments of the present invention have been described herein with reference to specific examples; the description is intended only to assist in understanding the method of the present invention and its core ideas. Modifications made by those of ordinary skill in the art in light of the present teachings also fall within the scope of the present invention. In view of the foregoing, this description should not be construed as limiting the invention.

Claims (10)

1. A user identity authentication sharing method between a handle system and an information system, characterized by comprising the following steps:
modifying the source code of the Handle system, expanding the OAuth2-based identity authentication type, and establishing an independent authorization server based on the OAuth2 framework outside the Handle system; the authorization server is used for issuing and verifying a user temporary token; the authorization server supports an authorization code mode, a password mode and a client mode;
configuring a Handle server of the Handle system, and storing an address and a port of the authorization server, and a user identifier and a user key which are distributed to a Handle client by the authorization server;
establishing a user information table based on role access control on the authorization server, expanding the user information table, and adding Handle identity information of the Handle system; the Handle identity information comprises a Handle code and a Handle index;
inputting a user name and a password at the Handle client based on the configured Handle server and the expanded user information table, and enabling the Handle client to send an authorization code to the authorization server according to the user name and the password;
applying for the user temporary token from the authorization server according to the authorization code;
allowing a user to access a resource server after the authorization server passes the authorization code authentication, and realizing the interoperability between the resource servers according to the user temporary token; the resource server comprises the Handle system and an information system.
2. The user identity authentication sharing method between a handle system and an information system according to claim 1, wherein modifying the source code of the Handle system and expanding the OAuth2-based identity authentication type specifically comprises:
acquiring the communication protocol types of the Handle client and the Handle server;
and modifying the source code of the Handle system according to the communication protocol type, and expanding the OAuth2-based identity authentication type.
3. The user identity authentication sharing method between a handle system and an information system according to claim 1, wherein inputting a user name and a password at the Handle client based on the configured Handle server and the expanded user information table, and enabling the Handle client to send an authorization code to the authorization server according to the user name and the password, specifically comprises:
verifying whether the user name, the password, the user identification and the user key are correct or not based on the configured Handle server and the expanded user information table;
if the user name, the password, the user identifier and the user key pass verification, inquiring whether the user is authorized;
if the user agrees to authorize, the Handle client sends the authorization code to the authorization server.
4. The user identity authentication sharing method between a handle system and an information system according to claim 1, wherein applying to the authorization server for the user temporary token according to the authorization code further comprises:
setting verification content, verifying the authorization code according to the verification content, generating a verification result, and returning the verification result to the Handle client;
if the verification result indicates that the verification succeeded, allowing the Handle client to access the Handle server; and if the verification result indicates that the verification failed, denying the Handle client access to the Handle server.
5. The user identity authentication sharing method between a handle system and an information system according to claim 1, wherein realizing the interoperation between the resource servers according to the user temporary token further comprises:
checking the user temporary token with the authorization server and returning a token check result to the resource server;
and if the token check result indicates a valid token, allowing the user to access the resource server.
6. A user identity authentication sharing system between a handle system and an information system, comprising:
the program expansion module is used for modifying the source code of the Handle system, expanding the identity authentication type based on OAuth2 and establishing an independent authorization server based on the OAuth2 framework outside the Handle system; the authorization server is used for issuing and verifying a user temporary token; the authorization server supports an authorization code mode, a password mode and a client mode;
the server expansion module is used for configuring a Handle server of the Handle system, and storing an address and a port of the authorization server, and a user identifier and a user key which are distributed to a Handle client by the authorization server;
the user information table expansion module is used for establishing a user information table based on role access control on the authorization server, expanding the user information table and adding the Handle identity information of the Handle system; the Handle identity information comprises a Handle code and a Handle index;
the authorization code sending module is used for inputting a user name and a password at the Handle client based on the configured Handle server and the expanded user information table, and enabling the Handle client to send an authorization code to the authorization server according to the user name and the password;
the user temporary token application module is used for applying the user temporary token to the authorization server according to the authorization code;
the interoperation module is used for allowing a user to access the resource servers after the authorization server authenticates the authorization code, and realizing interoperation among the resource servers according to the user temporary token; the resource server comprises the Handle system and an information system.
7. The user identity authentication sharing system between a handle system and an information system according to claim 6, wherein the program expansion module specifically comprises:
the communication protocol type acquisition unit is used for acquiring the communication protocol types of the Handle client and the Handle server;
the program expansion unit is used for modifying the source code of the Handle system according to the communication protocol type and expanding the OAuth2-based identity authentication type.
8. The user identity authentication sharing system between a handle system and an information system according to claim 6, wherein the authorization code sending module specifically comprises:
the verification unit is used for verifying whether the user name, the password, the user identifier and the user key are correct or not based on the configured Handle server and the expanded user information table;
the inquiring unit is used for inquiring whether the user is authorized if the user name, the password, the user identification and the user key pass verification;
and the authorization code sending unit is used for enabling the Handle client to send the authorization code to the authorization server if the user agrees to authorization.
9. An electronic device comprising a memory and a processor, the memory configured to store a computer program, the processor configured to cause the electronic device to perform the method of sharing user identity authentication between a handle system and an information system as claimed in any one of claims 1-5.
10. A computer readable storage medium, characterized in that it stores a computer program, which when executed by a processor implements a method for sharing user identity authentication between a handle system and an information system according to any of claims 1-5.
CN202310214113.0A 2023-02-28 2023-02-28 User identity authentication sharing method and system between handle system and information system Active CN116257827B (en)
Publications (2)

Publication Number Publication Date
CN116257827A true CN116257827A (en) 2023-06-13
CN116257827B CN116257827B (en) 2024-07-09
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant