CN116346462A - Method for setting effective time of token and method for secure authentication of request information - Google Patents


Info

Publication number
CN116346462A
Authority
CN
China
Prior art keywords
token information
information
initial token
target client
time point
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202310308300.5A
Other languages
Chinese (zh)
Inventor
赵亮
刘永帅
***
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Ziroom Information Technology Co Ltd
Original Assignee
Beijing Ziroom Information Technology Co Ltd

Classifications

    • H04L 63/108 — Network architectures or network communication protocols for network security, for controlling access to devices or network resources when the policy decisions are valid for a limited amount of time
    • H04L 63/0807 — Network architectures or network communication protocols for network security, for authentication of entities using tickets, e.g. Kerberos
    • H04L 9/088 — Key distribution or management; usage controlling of secret information, e.g. techniques for restricting cryptographic keys to pre-authorized uses, different access levels, validity of crypto-period, different key or password length, or different strong and weak cryptographic algorithms
    • H04L 9/0891 — Key distribution or management; revocation or update of secret information, e.g. encryption key update or rekeying
    • H04L 9/3213 — Cryptographic mechanisms including means for verifying the identity or authority of a user of the system or for message authentication, involving a third party or a trusted authority, using tickets or tokens, e.g. Kerberos
    • H04L 9/40 — Network security protocols


Abstract

The application provides a method for setting the validity time of a token and a method for securely authenticating request information. The method for setting the validity time of the token comprises the following steps: acquiring generated initial token information, where the initial token information is generated by an authorization mechanism and is sent to a security authentication system together with the request information of a target client; determining the generation time point of the initial token information; determining the failure time point of the initial token information from the generation time point and the preset validity period of the initial token information; and, when the actual time reaches the failure time point, processing the preset validity period or the target client page according to preset logic and redefining the validity time of the initial token information. The method and device thereby address the lack of a designed technical scheme for the problem that the validity time of a token easily expires.

Description

Method for setting effective time of token and method for secure authentication of request information
Technical Field
The present disclosure relates to the field of computer technologies, and in particular, to a method for setting effective time of a token and a method for securely authenticating request information.
Background
At present, the system for which an enterprise information platform center is responsible is a sensitive financial information system, and upstream business systems access the center by directly calling its interfaces. However, some of the interfaces the center exposes externally are not authenticated or checked and can be called arbitrarily, so security risks exist.
To solve this problem, the prior art uses some authorization authentication protocols to build an authentication gateway system for the financial system: client access is packaged into an SDK and provided to client services for integrated use; when a service line sends a request it first connects to the authentication gateway, and after the authentication passes the gateway forwards the request to the financial system to access the corresponding downstream services. However, when the authentication protocol generates a token for accessing the authentication gateway, the token authority often becomes invalid, and no technical scheme exists at present for the problem that the validity time of the token easily expires.
Disclosure of Invention
The application provides a method for setting the validity time of a token and a method for securely authenticating request information, which at least address the current lack of a technical scheme designed to solve the problem that the validity time of a token easily expires.
According to an aspect of the embodiments of the present application, there is provided a method for setting a valid time of a token, including:
acquiring generated initial token information, wherein the initial token information is information which is generated by an authorization mechanism and is sent to a security authentication system together with request information of a target client;
determining a generation time point of the initial token information;
determining a failure time point of the initial token information according to the generation time point and a preset validity period of the initial token information;
and under the condition that the actual time reaches the failure time point, processing the preset validity period or the target client page according to preset logic, and redefining the validity time of the initial token information.
According to another aspect of the embodiment of the present application, there is further provided a method for securely authenticating request information, where the method uses the method for setting the validity time of the token in the foregoing embodiment to securely authenticate request information, and the method includes:
generating initial token information under the condition that access request information sent by a service system is received, wherein the initial token information carries an effective period, the effective period is obtained by processing the preset effective period or a target client page according to preset logic under the condition that the actual time reaches an expiration time point, and the expiration time point is determined by the generation time point of the initial token information and the preset effective period of the initial token information;
packaging and encapsulating the request access information and the initial token information to obtain an encapsulated data packet;
sending the encapsulated data packet to a security authentication system, so that the security authentication system performs authentication and authority authentication of the initial token information on the encapsulated data;
receiving a feedback calling result of the security authentication system;
and sending the feedback calling result to the service system.
According to still another aspect of the embodiments of the present application, there is further provided a device for setting a valid time of a token, including:
the acquisition module is used for acquiring the generated initial token information, wherein the initial token information is information which is generated by an authorization mechanism and is sent to the security authentication system together with the request information of the target client;
a first determining module, configured to determine a generation time point of the initial token information;
the second determining module is used for determining a failure time point of the initial token information according to the generation time point and the preset validity period of the initial token information;
and the processing module is used for processing the preset validity period or the target client page according to preset logic under the condition that the actual time reaches the failure time point, and redefining the validity time of the initial token information.
Optionally, the processing module includes:
and the delay unit is used for carrying out delay processing on the preset validity period under the condition that the actual time reaches the failure time point so as to realize the setting of the validity time of the initial token information.
Optionally, the processing module includes:
the refreshing unit is used for refreshing the target client page and acquiring new token information under the condition that the actual time reaches the failure time point;
and the sending unit is used for sending the new token information to the target client according to the identification information which can be associated with the target client, so as to realize the setting of the effective time of the initial token information.
Optionally, the transmitting unit includes:
the first acquisition sub-module is used for acquiring account information used for uniquely characterizing the target client;
and the first sending sub-module is used for sending the new token information to the target client according to the account information.
Optionally, the transmitting unit includes:
a second obtaining sub-module, configured to obtain the target client corresponding to the initial token information according to a key value pair, where the key value pair is used to associate the initial token information with the target client;
and the second sending sub-module is used for sending the new token information obtained by the initial token information to the target client.
According to still another aspect of the embodiments of the present application, there is further provided an apparatus for securely authenticating request information, where the apparatus performs secure authentication on request information by using the method for setting the validity time of the token in the above embodiment, and the apparatus includes:
the generation module is used for generating initial token information under the condition that access request information sent by the service system is received, wherein the initial token information carries an effective period, the effective period is obtained by processing the preset effective period or a target client page according to preset logic under the condition that the actual time reaches an expiration time point, and the expiration time point is determined by the generation time point of the initial token information and the preset effective period of the initial token information;
the packaging and encapsulating module is used for packaging and encapsulating the request access information and the initial token information to obtain an encapsulated data packet;
the first sending module is used for sending the encapsulated data packet to a security authentication system so that the security authentication system can carry out authentication and authority authentication of the initial token information on the encapsulated data;
the receiving module is used for receiving a feedback calling result of the security authentication system;
and the second sending module is used for sending the feedback calling result to the service system.
According to yet another aspect of the embodiments of the present application, there is also provided an electronic device including a processor, a communication interface, a memory, and a communication bus, wherein the processor, the communication interface, and the memory complete communication with each other through the communication bus; wherein the memory is used for storing a computer program; a processor for performing the method steps of any of the embodiments described above by running the computer program stored on the memory.
According to a further aspect of the embodiments of the present application, there is also provided a computer-readable storage medium having stored therein a computer program, wherein the computer program is arranged to perform the method steps of any of the embodiments described above when run.
In the embodiment of the application, the generation time point at which the initial token information is generated and the preset validity period set for the initial token information are obtained, and from them the invalidation time point of the initial token information is determined; when the actual time reaches the invalidation time point, the preset validity period or the target client page is processed according to preset logic and the validity time of the initial token information is redefined. The validity time of the initial token can thus be flexibly defined according to actual requirements, no gap is left between the initial token information and the newly updated token information, system stability is ensured, and the lack of a technical scheme designed for the problem that the validity time of a token easily expires is resolved.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the application and together with the description, serve to explain the principles of the application.
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings that are required to be used in the description of the embodiments or the prior art will be briefly described below, and it will be obvious to those skilled in the art that other drawings can be obtained from these drawings without inventive effort.
FIG. 1 is a flow chart of an alternative method of setting token validity time according to embodiments of the present application;
FIG. 2 is a flow chart of an alternative method of securely authenticating requested information according to an embodiment of the present application;
FIG. 3 is a schematic diagram of an alternative authentication gateway architecture according to an embodiment of the present application;
FIG. 4 is an overall flowchart of an alternative authentication gateway according to an embodiment of the present application;
FIG. 5 is an alternative authentication system overall data flow diagram according to an embodiment of the present application;
FIG. 6 is a block diagram of an alternative token valid time setting device according to an embodiment of the present application;
FIG. 7 is a block diagram of an alternative apparatus for securely authenticating requested information according to an embodiment of the present application;
FIG. 8 is a block diagram of an alternative electronic device according to an embodiment of the present application.
Detailed Description
In order to make the present application solution better understood by those skilled in the art, the following description will be made in detail and with reference to the accompanying drawings in the embodiments of the present application, it is apparent that the described embodiments are only some embodiments of the present application, not all embodiments. All other embodiments, which can be made by one of ordinary skill in the art based on the embodiments herein without making any inventive effort, shall fall within the scope of the present application.
It should be noted that the terms "first," "second," and the like in the description and claims of the present application and the above figures are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that embodiments of the present application described herein may be implemented in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
The token authority is a safety protection barrier of the whole information system, but when an authorization authentication protocol generates a token to access an authentication gateway, the condition that the token authority is invalid often occurs, and a technical scheme for solving the problem that the effective time of the token is easy to expire does not exist at present. In order to solve the above-mentioned problem, an embodiment of the present application proposes a method for setting a valid time of a token, as shown in fig. 1, where the method may be applied to an electronic device that performs information processing, such as a system server, and the method includes:
step S101, acquiring generated initial token information, wherein the initial token information is information which is generated by an authorization mechanism and is sent to a security authentication system together with request information of a target client;
step S102, determining a generation time point of initial token information;
step S103, determining a failure time point of the initial token information according to the generation time point and the preset validity period of the initial token information;
and step S104, under the condition that the actual time reaches the failure time point, processing a preset validity period or a target client page according to preset logic, and redefining the validity time of the initial token information.
Alternatively, in the embodiment of the present application, the token information may be generated by a token authorization mechanism such as OAuth 2.0; the token information generated at that moment is used as the initial token information and is sent to the security authentication system together with the request information sent by the target client. The initial token information is provided with a preset validity period, such as 10 minutes; the generation time point of the initial token information is acquired at that moment, and the failure time point of the initial token information is determined from the generation time point and the preset validity period. For example, if the generation time is 10:00 and the preset validity period is 10 minutes, the failure time point is entered at 10:10:01.
After the actual time, such as the network time, reaches the expiration time point, the validity time of the initial token information is redefined according to preset logic, such as a mode of processing a preset validity period or processing a target client page.
In the embodiment of the application, the generation time point at which the initial token information is generated and the preset validity period set for the initial token information are obtained, and from them the invalidation time point of the initial token information is determined; when the actual time reaches the invalidation time point, the preset validity period or the target client page is processed according to preset logic and the validity time of the initial token information is redefined. The validity time of the initial token can thus be flexibly defined according to actual requirements, no gap is left between the initial token information and the newly updated token information, system stability is ensured, and the lack of a technical scheme designed for the problem that the validity time of a token easily expires is resolved.
As an alternative embodiment, processing the preset validity period or the target client page according to preset logic, redefining the validity time of the initial token information includes:
and under the condition that the actual time reaches the failure time point, carrying out delay processing on the preset validity period, and setting the validity time of the initial token information.
Optionally, the embodiment of the application may use the redis database to extend the preset validity period of the initial token information, that is, to perform the delay processing, so as to obtain a new validity time. In this way no gap is left between the initial token information and the new token information obtained after the preset validity period is delayed, and system stability is ensured.
As an alternative embodiment, processing the preset validity period or the target client page according to preset logic, redefining the validity time of the initial token information includes:
under the condition that the actual time reaches the failure time point, refreshing the target client page to acquire new token information;
and sending the new token information to the target client according to identification information that can be associated with the target client, so that the validity time of the initial token information is set.
Optionally, in the embodiment of the present application, the validity time may be guaranteed not to expire by refreshing the target client page. Specifically, when the actual time reaches the failure time point, refreshing the target client page, acquiring new token information, and simultaneously associating the new token information with the target client according to the identification information of the target client, so that the new token information can be sent to the target client to ensure continuous update of the effective time of the initial token information, and setting of the effective time of the initial token information is realized.
As an alternative embodiment, the sending the new token information to the target client according to the identification information capable of generating the association with the target client includes:
acquiring account information for uniquely characterizing a target client;
and sending the new token information to the target client according to the account information.
Optionally, when the identification information characterizing the target client is obtained, the account information of the target client can be used as a unique identification, and then the purpose that the new token information is sent to the target client can be achieved according to the account information. In addition, there is a key-value pair algorithm that associates the initial token information with the target client, where the initial token information may be a key and the target client may be a value.
Since the new token information is obtained after the initial token information is changed by the preset validity period, in the embodiment of the application, the new token information can also be a key in the key value pair, so that the new token information can be generated or sent to the target client according to the relation of the key value pair under the condition that the value is unchanged.
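The validity-time setting method of steps S101 to S104 with both redefinition policies described above (delaying the preset validity period, or refreshing to obtain new token information and delivering it to the target client through a token-to-client key-value pair and the client's account), written here as an added example rather than the patent's own code. The in-memory store standing in for redis, the controllable clock, the cap on consecutive delays (`MAX_DELAYS`) and all names are assumptions.

```python
"""Token validity setting (S101-S104): compute the failure time point from the
generation time and the preset validity period, then redefine validity at that point
by either delaying the period or refreshing to new token information."""
import secrets

PRESET_VALIDITY = 10 * 60   # the 10-minute preset validity period from the description
MAX_DELAYS = 6              # assumption: cap on consecutive delays before forcing a refresh


class KeyValueStore:
    """Stand-in for the redis key-value store: every value carries a failure time point."""

    def __init__(self, clock):
        self._clock = clock          # callable returning the "actual time" in seconds
        self._data = {}              # key -> (value, failure_at)

    def set(self, key, value, failure_at):
        self._data[key] = (value, failure_at)

    def failure_at(self, key):
        item = self._data.get(key)
        return None if item is None else item[1]

    def peek(self, key):
        """Value regardless of expiry (needed to find the client of an expired token)."""
        item = self._data.get(key)
        return None if item is None else item[0]

    def get(self, key):
        """Value only while the actual time has not passed the failure point."""
        item = self._data.get(key)
        if item is None or self._clock() > item[1]:
            return None
        return item[0]

    def expire_at(self, key, failure_at):
        """Like redis EXPIREAT: move the failure point of an existing key."""
        if key not in self._data:
            return False
        self._data[key] = (self._data[key][0], failure_at)
        return True


class TokenValidityManager:
    def __init__(self, clock):
        self.clock = clock
        self.store = KeyValueStore(clock)   # key-value pair: token -> target client account
        self.delays = {}                    # token -> number of delays already applied
        self.outbox = {}                    # account -> new tokens delivered to that client

    def register(self, token, account):
        """S101-S103: record the generation time and derive the failure time point."""
        generated_at = self.clock()
        failure_at = generated_at + PRESET_VALIDITY
        self.store.set(token, account, failure_at)
        self.delays[token] = 0
        return failure_at

    def issue(self, account):
        """Generate fresh token information for a client and register it."""
        token = secrets.token_urlsafe(24)
        self.register(token, account)
        return token

    def failure_time(self, token):
        return self.store.failure_at(token)

    def is_valid(self, token):
        return self.store.get(token) is not None

    def client_of(self, token):
        """Key-value pair lookup: (valid) token information -> target client."""
        return self.store.get(token)

    def redefine(self, token, policy):
        """S104: once the actual time reaches the failure point, apply the preset logic.

        'delay'   -> push the failure point out by one more preset validity period,
                     continuous with the old period so that no gap appears.
        'refresh' -> obtain new token information for the same client and hand it to
                     that client by account; the old token keeps its own failure point.
        Returns the token the client should use from now on, or None if not due yet.
        """
        failure_at = self.failure_time(token)
        now = self.clock()
        if failure_at is None or now < failure_at:
            return None                                 # failure point not reached yet
        account = self.store.peek(token)                # value side of the key-value pair
        if policy == "delay" and self.delays[token] < MAX_DELAYS:
            # If the trigger arrived late, extend from now rather than leaving it expired.
            self.store.expire_at(token, max(failure_at, now) + PRESET_VALIDITY)
            self.delays[token] += 1
            return token
        # Refresh policy, or the delay cap (an assumption) was hit: rotate the token.
        new_token = self.issue(account)
        self.outbox.setdefault(account, []).append(new_token)
        return new_token
```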
According to another aspect of the embodiments of the present application, there is further provided a method for securely authenticating request information, where the method is used for securely authenticating request information in embodiments of a method for setting a valid time of a token, as shown in fig. 2, and the method may be applied to a gateway side, and the method may include the following steps:
step S201, under the condition that access request information sent by a service system is received, initial token information is generated, wherein the initial token information carries an effective period, the effective period is obtained by processing a preset effective period or a target client page according to preset logic under the condition that the actual time reaches an expiration time point, and the expiration time point is determined by the generation time point of the initial token information and the preset effective period of the initial token information;
step S202, packaging and encapsulating the request access information and the initial token information to obtain an encapsulated data packet;
step S203, the package data packet is sent to a security authentication system, so that the security authentication system performs authentication and authority authentication of initial token information on the package data;
step S204, receiving a feedback calling result of the security authentication system;
step S205, the feedback calling result is sent to the service system.
Optionally, as shown in FIG. 3, a terminal on the service system side, such as a computer or a mobile phone, sends request access information to the gateway side. After receiving the request access information, the gateway side generates initial token information that carries a validity period, where the validity period is obtained by processing the preset validity period or the target client page according to preset logic when the actual time reaches an expiration time point, and the expiration time point is determined by the generation time point of the initial token information and the preset validity period of the initial token information. Reference may be made to the description of the above embodiments; details are not repeated here.
The gateway side packages and encapsulates the request access information and the initial token information to obtain an encapsulated data packet, and sends the encapsulated data packet to a security authentication system, namely an authentication center in fig. 3, the security authentication system can perform authentication and authority authentication of the initial token information on the encapsulated data packet, and a symmetric encryption algorithm or an asymmetric encryption algorithm can be adopted in the authentication to obtain a final authentication result.
The security authentication system sends the authentication result to the gateway, and if the authentication is passed, the gateway receives the feedback calling result of the security authentication system and forwards the feedback calling result to the service system; if the authentication fails, returning failure information to the gateway.
Further, when the security authentication system performs authentication of the initial token information and authority authentication on the encapsulated data packet, as shown in FIG. 4, under the condition that the security authentication system has allocated the authority, the encapsulated data packet is obtained, the initial token information is extracted from it and verified, and after the authentication passes the service interface is obtained and returned.
As shown in FIG. 5, which is an overall data flow diagram of an optional authentication system according to an embodiment of the present application, the flow specifically includes the following steps:
1. the enterprise information platform center registers its applications and services with the authentication center;
2. the service line system applies to the authentication center for access authorization; an APPID and security secret key are created in the authentication center, a secret key for accessing the gateway is generated, and the accessed resources are then associated with the APPID;
3. token information is generated and updated periodically by OAuth 2.0; the validity time of the token information is 10 minutes, and the validity time of the token information is redefined in combination with redis;
4. the SDK integrated into the service line accesses the authentication center at regular intervals to update the token information, stores the token information in an http request header and accesses the gateway; the gateway takes the request header information from the request and submits it to the authentication center for token information authentication and authority authentication;
5. if the authentication passes, the gateway forwards the request and feeds back the calling result;
6. if the authentication fails, an unauthorized response is returned directly; if the authentication passes but the authority check does not, an unauthorized access response is returned.
In the embodiment of the application, the access entrance of the enterprise information platform center is unified, authentication access is realized, the security of the upstream service system for accessing the downstream system is ensured, and the data security and accuracy of the enterprise information platform center are ensured.
It should be noted that, for simplicity of description, the foregoing method embodiments are all expressed as a series of action combinations, but it should be understood by those skilled in the art that the present application is not limited by the order of actions described, as some steps may be performed in other order or simultaneously in accordance with the present application. Further, those skilled in the art will also appreciate that the embodiments described in the specification are all preferred embodiments, and that the acts and modules referred to are not necessarily required in the present application.
From the description of the above embodiments, it will be clear to a person skilled in the art that the method according to the above embodiments may be implemented by means of software plus the necessary general hardware platform, but of course also by means of hardware, but in many cases the former is a preferred embodiment. Based on such understanding, the technical solution of the present application may be embodied essentially or in a part contributing to the prior art in the form of a software product stored in a storage medium (such as ROM (Read-Only Memory)/RAM (Random Access Memory), magnetic disk, optical disk), including instructions for causing a terminal device (which may be a mobile phone, a computer, a server, or a network device, etc.) to perform the method of the embodiments of the present application.
According to another aspect of the embodiment of the application, there is also provided a token valid time setting device for implementing the token valid time setting method. Fig. 6 is a block diagram of an alternative token valid time setting device according to an embodiment of the present application, and as shown in fig. 6, the device may include:
the acquiring module 601 is configured to acquire generated initial token information, where the initial token information is information that is generated by an authorization mechanism and is sent to a security authentication system together with request information of a target client;
a first determining module 602, configured to determine a generation time point of the initial token information;
a second determining module 603, configured to determine a failure time point of the initial token information according to the generation time point and a preset validity period of the initial token information;
and the processing module 604 is configured to process a preset validity period or a target client page according to preset logic and redefine the validity time of the initial token information when the actual time reaches the failure time point.
It should be noted that, the acquiring module 601 in this embodiment may be configured to perform the above-mentioned step S101, the first determining module 602 in this embodiment may be configured to perform the above-mentioned step S102, the second determining module 603 in this embodiment may be configured to perform the above-mentioned step S103, and the processing module 604 in this embodiment may be configured to perform the above-mentioned step S104.
Through the above modules, the generation time point of the initial token information and the preset validity period set for the initial token information are obtained, so that the failure time point of the initial token information is determined; when the actual time reaches the failure time point, the preset validity period or the target client page is processed according to preset logic, and the validity time of the initial token information is redefined. The validity time of the initial token can thus be flexibly defined according to actual requirements, no gap exists between the initial token information and the newly updated token information, the stability of the system is ensured, and the problem that the validity time of the token is easy to expire is solved.
As an alternative embodiment, the processing module includes:
and the delay unit is used for carrying out delay processing on the preset validity period under the condition that the actual time reaches the failure time point, so as to realize the setting of the validity time of the initial token information.
As an alternative embodiment, the processing module includes:
the refreshing unit is used for refreshing the target client page to acquire new token information under the condition that the actual time reaches the failure time point;
and the sending unit is used for sending the new token information to the target client according to the identification information which can be associated with the target client, so as to realize the setting of the effective time of the initial token information.
As an alternative embodiment, the transmitting unit comprises:
the first acquisition sub-module is used for acquiring account information used for uniquely characterizing the target client;
and the first sending sub-module is used for sending the new token information to the target client according to the account information.
As an alternative embodiment, the transmitting unit comprises:
the second acquisition sub-module is used for acquiring a target client corresponding to the initial token information according to a key value pair, wherein the key value pair is used for associating the initial token information with the target client;
and the second sending sub-module is used for sending the new token information obtained from the initial token information to the target client.
According to still another aspect of the embodiments of the present application, there is also provided an apparatus for securely authenticating request information for implementing the above-mentioned method for securely authenticating request information. Fig. 7 is a block diagram of an alternative apparatus for securely authenticating request information according to an embodiment of the present application, as shown in fig. 7, the apparatus may include:
the generating module 701 is configured to generate initial token information when access request information sent by a service system is received, where the initial token information carries a validity period, the validity period is obtained by processing a preset validity period or a target client page according to preset logic when the actual time reaches a failure time point, and the failure time point is determined by the generation time point of the initial token information and the preset validity period of the initial token information;
the packaging and encapsulation module 702 is configured to package the request access information and the initial token information to obtain an encapsulated data packet;
a first sending module 703, configured to send the encapsulated data packet to a security authentication system, so that the security authentication system performs authentication of initial token information and authority authentication on the encapsulated data;
a receiving module 704, configured to receive a feedback call result of the security authentication system;
and the second sending module 705 is configured to send the feedback calling result to the service system.
It should be noted that, the generating module 701 in this embodiment may be configured to perform the above step S201, the packaging and encapsulating module 702 in this embodiment may be configured to perform the above step S202, the first transmitting module 703 in this embodiment may be configured to perform the above step S203, the receiving module 704 in this embodiment may be configured to perform the above step S204, and the second transmitting module 705 in this embodiment may be configured to perform the above step S205.
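The fig. 5 data flow, the delay and refresh units of the processing module, and the authentication modules above, modelled in Python as an added example (not the patent's own code). The class and function names, the in-memory dictionaries standing in for Redis, and the HMAC-signed request packet are assumptions of this example, since the patent gives no API.

```python
"""Token lifetime and gateway authentication model (added example, not the
patent's own code).  Class and function names, the dictionaries standing in
for Redis, and the HMAC request signature are assumptions of this example."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

PRESET_VALIDITY = 600.0  # seconds: the 10-minute validity named in step 3

@dataclass
class Token:
    value: str
    generated_at: float  # generation time point
    validity: float      # preset validity period (may be delayed later)
    client_id: str       # key-value association: token -> target client

    @property
    def failure_at(self) -> float:
        # failure time point = generation time point + preset validity period
        return self.generated_at + self.validity

class AuthCenter:
    """Authorization mechanism: issues tokens and redefines their validity."""
    def __init__(self, clock):
        self.clock = clock           # callable returning the actual time
        self.tokens = {}             # token value -> Token (stands in for Redis)
        self.apps = {}               # APPID -> (security secret key, resources)
        self.client_tokens = {}      # client id -> current token value

    def register_app(self, app_id, secret, resources):
        self.apps[app_id] = (secret, set(resources))

    def issue(self, client_id) -> Token:
        tok = Token(secrets.token_hex(16), self.clock(), PRESET_VALIDITY, client_id)
        self.tokens[tok.value] = tok
        self.client_tokens[client_id] = tok.value
        return tok

    def extend(self, token_value, extra) -> Token:
        """Delay unit: once the failure time point is reached, push it back."""
        tok = self.tokens[token_value]
        if self.clock() >= tok.failure_at:
            tok.validity += extra
        return tok

    def refresh(self, token_value) -> Token:
        """Refresh unit: at the failure time point, issue new token information
        to the client found through the token -> client key-value pair."""
        old = self.tokens[token_value]
        if self.clock() < old.failure_at:
            return old  # still valid: nothing to redefine yet
        new = self.issue(old.client_id)
        del self.tokens[token_value]  # the old token no longer authenticates
        return new

@dataclass
class Packet:
    """Encapsulated data packet: request access information plus token."""
    app_id: str
    resource: str
    token: str
    signature: str

def _mac(secret, app_id, resource, token) -> str:
    msg = f"{app_id}|{resource}|{token}".encode()
    return hmac.new(secret.encode(), msg, hashlib.sha256).hexdigest()

def encapsulate(app_id, secret, resource, token) -> Packet:
    """Service-system side: package the request with the token and sign it."""
    return Packet(app_id, resource, token, _mac(secret, app_id, resource, token))

class SecurityAuthSystem:
    def __init__(self, center: AuthCenter):
        self.center = center

    def authenticate(self, pkt: Packet):
        """Token authentication first, then authority authentication."""
        tok = self.center.tokens.get(pkt.token)
        if tok is None or self.center.clock() >= tok.failure_at:
            return False, "unauthorized"  # unknown or expired token
        secret, resources = self.center.apps.get(pkt.app_id, (None, set()))
        if secret is None or not hmac.compare_digest(
                _mac(secret, pkt.app_id, pkt.resource, pkt.token), pkt.signature):
            return False, "unauthorized"  # unknown APPID or bad signature
        if pkt.resource not in resources:
            return False, "unauthorized access"  # authority check failed
        return True, "ok"

def gateway_forward(auth: SecurityAuthSystem, pkt: Packet, service):
    """Unified entrance: forward only on success and relay the calling result."""
    passed, reason = auth.authenticate(pkt)
    if not passed:
        return {"status": 403 if reason == "unauthorized access" else 401, "body": reason}
    return {"status": 200, "body": service(pkt.resource)}
```

The clock is injected so the failure time point can be reached deterministically; in the refresh path the old token value is dropped from the store, so a replayed old packet fails token authentication while the newly issued token for the same client passes.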
In the embodiment of the application, the access entrance of the enterprise information platform center is unified, authentication access is realized, the security of the upstream service system for accessing the downstream system is ensured, and the data security and accuracy of the enterprise information platform center are ensured.
According to still another aspect of the embodiments of the present application, there is further provided an electronic device for implementing the method for setting the validity time of the token, where the electronic device may be a server, a terminal, or a combination thereof.
Fig. 8 is a block diagram of an alternative electronic device, according to an embodiment of the present application, including a processor 801, a communication interface 802, a memory 803, and a communication bus 804, as shown in fig. 8, wherein the processor 801, the communication interface 802, and the memory 803 communicate with each other via the communication bus 804,
a memory 803 for storing a computer program;
the processor 801, when executing the computer program stored in the memory 803, performs the following steps:
acquiring generated initial token information, wherein the initial token information is information which is generated by an authorization mechanism and is sent to a security authentication system together with request information of a target client;
determining a generation time point of initial token information;
determining a failure time point of the initial token information according to the generation time point and the preset validity period of the initial token information;
and under the condition that the actual time reaches the failure time point, processing a preset validity period or a target client page according to preset logic, and redefining the validity time of the initial token information.
Alternatively, in the present embodiment, the above-described communication bus may be a PCI (Peripheral Component Interconnect) bus, an EISA (Extended Industry Standard Architecture) bus, or the like. The communication bus may be classified as an address bus, a data bus, a control bus, or the like. For ease of illustration, only one thick line is shown in fig. 8, but this does not mean that there is only one bus or one type of bus.
The communication interface is used for communication between the electronic device and other devices.
The memory may include RAM or may include non-volatile memory (non-volatile memory), such as at least one disk memory. Optionally, the memory may also be at least one memory device located remotely from the aforementioned processor.
As an example, as shown in fig. 8, the memory 803 may include, but is not limited to, an acquisition module 601, a first determination module 602, a second determination module 603, and a processing module 604 in the token valid time setting device. In addition, other module units in the token valid time setting device may be further included, but are not limited to, and are not described in detail in this example.
The processor may be a general purpose processor and may include, but is not limited to: CPU (Central Processing Unit), NP (Network Processor), etc.; it may also be a DSP (Digital Signal Processor), ASIC (Application Specific Integrated Circuit), FPGA (Field-Programmable Gate Array) or other programmable logic device, discrete gate or transistor logic device, or discrete hardware components.
In addition, the electronic device further includes: and the display is used for displaying the setting result of the effective time of the token.
Alternatively, specific examples in this embodiment may refer to examples described in the foregoing embodiments, and this embodiment is not described herein.
It will be understood by those skilled in the art that the structure shown in fig. 8 is only schematic, and the device implementing the method for setting the valid time of the token may be a terminal device, and the terminal device may be a smart phone (such as an Android mobile phone, an iOS mobile phone, etc.), a tablet computer, a palm computer, a mobile internet device (Mobile Internet Devices, MID), a PAD, etc. Fig. 8 does not limit the structure of the electronic device described above. For example, the terminal device may also include more or fewer components (e.g., network interfaces, display devices, etc.) than shown in fig. 8, or have a different configuration than shown in fig. 8.
Those of ordinary skill in the art will appreciate that all or part of the steps in the various methods of the above embodiments may be implemented by a program for instructing a terminal device to execute in association with hardware, the program may be stored in a computer readable storage medium, and the storage medium may include: flash disk, ROM, RAM, magnetic or optical disk, etc.
According to yet another aspect of embodiments of the present application, there is also provided a storage medium. Alternatively, in the present embodiment, the above-described storage medium may be used for executing the program code of the method of setting the token valid time.
Alternatively, in this embodiment, the storage medium may be located on at least one network device of the plurality of network devices in the network shown in the above embodiment.
Alternatively, in the present embodiment, the storage medium is configured to store program code for performing the steps of:
acquiring generated initial token information, wherein the initial token information is information which is generated by an authorization mechanism and is sent to a security authentication system together with request information of a target client;
determining a generation time point of initial token information;
determining a failure time point of the initial token information according to the generation time point and the preset validity period of the initial token information;
and under the condition that the actual time reaches the failure time point, processing a preset validity period or a target client page according to preset logic, and redefining the validity time of the initial token information.
Alternatively, specific examples in the present embodiment may refer to examples described in the above embodiments, which are not described in detail in the present embodiment.
Alternatively, in the present embodiment, the storage medium may include, but is not limited to: various media capable of storing program codes, such as a U disk, ROM, RAM, a mobile hard disk, a magnetic disk or an optical disk.
According to yet another aspect of embodiments of the present application, there is also provided a computer program product or computer program comprising computer instructions stored in a computer readable storage medium; the processor of the computer device reads the computer instructions from the computer readable storage medium, and the processor executes the computer instructions to cause the computer device to perform the method steps of setting the validity time of the token in any of the embodiments described above.
The foregoing embodiment numbers of the present application are merely for description and do not represent advantages or disadvantages of the embodiments.
The integrated units in the above embodiments may be stored in the above-described computer-readable storage medium if implemented in the form of software functional units and sold or used as separate products. Based on such understanding, the technical solution of the present application may be embodied essentially or in a part contributing to the prior art or all or part of the technical solution, in the form of a software product stored in a storage medium, comprising several instructions for causing one or more computer devices (which may be personal computers, servers or network devices, etc.) to perform all or part of the steps of the method for setting the validity time of the token of the various embodiments of the present application.
In the foregoing embodiments of the present application, the descriptions of the embodiments are emphasized, and for a portion of this disclosure that is not described in detail in this embodiment, reference is made to the related descriptions of other embodiments.
In several embodiments provided in the present application, it should be understood that the disclosed client may be implemented in other manners. The above-described embodiments of the apparatus are merely exemplary, and are merely a logical functional division, and there may be other manners of dividing the apparatus in actual implementation, for example, multiple units or components may be combined or integrated into another system, or some features may be omitted, or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be through some interfaces, units or modules, or may be in electrical or other forms.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed over a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution provided in the present embodiment.
In addition, each functional unit in each embodiment of the present application may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in software functional units.
The foregoing is merely a preferred embodiment of the present application and it should be noted that modifications and adaptations to those skilled in the art may be made without departing from the principles of the present application and are intended to be comprehended within the scope of the present application.

Claims (10)

1. A method for setting a valid time of a token, the method comprising:
acquiring generated initial token information, wherein the initial token information is information which is generated by an authorization mechanism and is sent to a security authentication system together with request information of a target client;
determining a generation time point of the initial token information;
determining a failure time point of the initial token information according to the generation time point and a preset validity period of the initial token information;
and under the condition that the actual time reaches the failure time point, processing the preset validity period or the target client page according to preset logic, and redefining the validity time of the initial token information.
2. The method of claim 1, wherein the processing the preset validity period or the target client page according to preset logic redefines the validity time of the initial token information, comprising:
and under the condition that the actual time reaches the failure time point, carrying out delay processing on the preset validity period to realize the setting of the validity time of the initial token information.
3. The method of claim 1, wherein the processing the preset validity period or the target client page according to preset logic redefines the validity time of the initial token information, comprising:
under the condition that the actual time reaches the failure time point, refreshing a target client page to acquire new token information;
and sending the new token information to the target client according to the identification information which can be associated with the target client, so as to realize the setting of the effective time of the initial token information.
4. A method according to claim 3, wherein said sending the new token information to the target client based on identification information capable of generating an association with the target client comprises:
acquiring account information for uniquely characterizing the target client;
and sending the new token information to the target client according to the account information.
5. A method according to claim 3, wherein said sending the new token information to the target client based on identification information capable of generating an association with the target client comprises:
acquiring the target client corresponding to the initial token information according to a key value pair, wherein the key value pair is used for associating the initial token information with the target client;
and sending the new token information obtained from the initial token information to the target client.
6. A method for secure authentication of request information, the method using the token validity time setting method of claim 1 to secure authentication of request information, the method comprising:
generating initial token information under the condition that access request information sent by a service system is received, wherein the initial token information carries an effective period, the effective period is obtained by processing the preset effective period or a target client page according to preset logic under the condition that the actual time reaches an expiration time point, and the expiration time point is determined by the generation time point of the initial token information and the preset effective period of the initial token information;
packaging and encapsulating the request access information and the initial token information to obtain an encapsulated data packet;
sending the encapsulated data packet to a security authentication system, so that the security authentication system performs authentication and authority authentication of the initial token information on the encapsulated data;
receiving a feedback calling result of the security authentication system;
and sending the feedback calling result to the service system.
7. A token validity time setting device, characterized in that the device comprises:
the acquisition module is used for acquiring the generated initial token information, wherein the initial token information is information which is generated by an authorization mechanism and is sent to the security authentication system together with the request information of the target client;
a first determining module, configured to determine a generation time point of the initial token information;
the second determining module is used for determining a failure time point of the initial token information according to the generation time point and the preset validity period of the initial token information;
and the processing module is used for processing the preset validity period or the target client page according to preset logic under the condition that the actual time reaches the failure time point, and redefining the validity time of the initial token information.
8. An apparatus for secure authentication of request information, the apparatus for secure authentication of request information using the token validity time setting method of claim 1, the apparatus comprising:
the generation module is used for generating initial token information under the condition that access request information sent by the service system is received, wherein the initial token information carries an effective period, the effective period is obtained by processing the preset effective period or a target client page according to preset logic under the condition that the actual time reaches an expiration time point, and the expiration time point is determined by the generation time point of the initial token information and the preset effective period of the initial token information;
the packaging and encapsulating module is used for packaging and encapsulating the request access information and the initial token information to obtain an encapsulated data packet;
the first sending module is used for sending the encapsulated data packet to a security authentication system so that the security authentication system can carry out authentication and authority authentication of the initial token information on the encapsulated data;
the receiving module is used for receiving a feedback calling result of the security authentication system;
and the second sending module is used for sending the feedback calling result to the service system.
9. An electronic device comprising a processor, a communication interface, a memory and a communication bus, wherein the processor, the communication interface and the memory communicate with each other via the communication bus, characterized in that,
the memory is used for storing a computer program;
the processor is configured to perform the method steps of any of claims 1 to 5 or 6 by running the computer program stored on the memory.
10. A computer-readable storage medium, characterized in that the storage medium has stored therein a computer program, wherein the computer program, when executed by a processor, implements the method steps of any of claims 1 to 5 or 6.
CN202310308300.5A 2023-03-27 2023-03-27 Method for setting effective time of token and method for secure authentication of request information Pending CN116346462A (en)

Priority Applications (1)

Application Number: CN202310308300.5A (CN116346462A, en); Priority Date: 2023-03-27; Filing Date: 2023-03-27; Title: Method for setting effective time of token and method for secure authentication of request information

Publications (1)

Publication Number: CN116346462A (en); Publication Date: 2023-06-27

Family ID: 86887376; Family Applications (1): CN202310308300.5A (Pending)

Country Status (1)

Country: CN (1); Link: CN116346462A (en)


Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination