WO2024114636A1 - Authentication method and apparatus, service platform, and storage medium - Google Patents


Info

Publication number
WO2024114636A1
Authority
WO
WIPO (PCT)
Application number
PCT/CN2023/134739
Other languages
French (fr)
Chinese (zh)
Inventor
付丽琴
张勇
刘先
李骏霖
李�浩
Original Assignee
中移(成都)信息通信科技有限公司
***通信集团有限公司

Classifications

    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F16/00 Information retrieval; Database structures therefor; File system structures therefor > G06F16/90 Details of database functions independent of the retrieved data types > G06F16/95 Retrieval from the web > G06F16/955 Retrieval from the web using information identifiers, e.g. uniform resource locators [URL]
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals > G06F21/31 User authentication
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals > G06F21/44 Program or device authentication

Definitions

  • the present application relates to the field of communications, and in particular to an authentication method, device, service platform and storage medium.
  • OAuth Open Authorization
  • the embodiments of the present application provide an authentication method, device, service platform and storage medium.
  • the present application embodiment provides an authentication method, which is applied to a service platform, including:
  • determining first information, the first information including user authentication related information of the first client;
  • based on the first information, determining a target first service from at least two first services of the business platform; the first service is used to authenticate the user, and different first services correspond to different user types;
  • authorization information is generated and sent to the first client.
  • the second service of the business platform uses the target first service to authenticate the user; the second service is at least used to manage the login of the user;
  • the third service of the business platform uses the target first service to authenticate the user; the third service is at least used to manage the authorization of the user.
  • the method further comprises:
  • the second information indicating whether to manage the login of the user
  • the user is authenticated using the target first service.
  • the step of authenticating the user by using the target first service based on the second information includes one of the following:
  • the second service in the business platform manages the login of the user, and in the login management process, uses the target first service to authenticate the user; in the case where the identity authentication is passed, the third service in the business platform generates the authorization information for the user;
  • the second service in the business platform manages the login of the user, and in the login management process, uses the target first service to perform login identity authentication on the user; if the login identity authentication passes, the third service in the business platform performs authorization identity authentication for the user; if the authorization identity authentication passes, the third service generates the authorization information for the user;
  • the third service in the business platform uses the target first service to authenticate the user; when the authentication is successful, the third service generates the authorization information for the user.
  • the determining the second information includes:
  • Second information is determined.
  • the third information indicates that the authorization mode of the first client includes the authorization code authorization mode or the implicit authorization mode
  • the second information indicates that the login of the user is managed
  • the second information indicates that login of the user is not to be managed.
  • the method further comprises:
  • when the second information indicates that the login of the user is to be managed, based on the first information, determining a target second service from at least two second services of the business platform; different second services correspond to different user types;
  • the target second service is used to communicate with the first client at least for user login.
  • the first information includes at least one of the following information:
  • the user authentication interface information includes one of the following:
  • the determining the first information includes:
  • First information is obtained from the first request.
  • the method further comprises:
  • the present application also provides an authentication device, including:
  • a receiving unit configured to receive a first request sent by a first client, wherein the first request is used to request authorization for a user;
  • a determining unit configured to determine first information in response to the first request, the first information including user authentication related information of the first client; based on the first information, determine a target first service from at least two first services of the business platform; the first service is used to authenticate the user, and different first services correspond to different user types;
  • an authentication unit configured to perform identity authentication on the user using the target first service
  • the authorization unit is configured to generate authorization information and send the authorization information to the first client when the identity authentication is passed; the authorization information is used by the first client to obtain resources from the business platform.
  • the embodiment of the present application also provides a service platform, including: a communication interface and a processor; wherein:
  • the communication interface is configured to receive a first request sent by a first client, where the first request is used to request authorization for a user;
  • the processor is configured to, in response to the first request, determine first information, the first information including user authentication related information of the first client; based on the first information, determine a target first service from at least two first services of the business platform; the first service is used to authenticate the user, and different first services correspond to different user types; authenticate the user using the target first service; if the authentication is successful, generate authorization information and send the authorization information to the first client through the communication interface; the authorization information is used by the first client to obtain resources from the service platform.
  • the embodiment of the present application also provides a service platform, including: a processor and a memory configured to store a computer program that can be run on the processor;
  • the processor is configured to execute the steps of any of the above methods when running the computer program.
  • An embodiment of the present application further provides a storage medium having a computer program stored thereon, wherein the computer program implements the steps of any of the above methods when executed by a processor.
  • the authentication method, device, service platform and storage medium provided in the embodiment of the present application are as follows: the service platform receives a first request sent by a first client, the first request is used to request authorization for a user; in response to the first request, determines first information, the first information includes user authentication related information of the first client; based on the first information, determines a target first service from at least two first services of the service platform; the first service is used to authenticate the user, and different first services correspond to different user types; uses the target first service to authenticate the user; if the authentication is successful, generates authorization information and sends the authorization information to the first client; the authorization information is used by the first client to obtain resources from the service platform.
  • the service platform can determine the authentication end corresponding to the user according to the authentication related information of the user, thereby using the corresponding authentication end to authenticate the user, and then can use different authentication ends to authenticate different types of users in one service platform, realize effective authentication and authorization for different types of users, and thus provide different service jumps or authentications for different types of users.
  • FIG1 is a schematic diagram of a method flow chart of authentication in an embodiment of the present application.
  • FIG2 is a schematic diagram of the architecture of a login management module in the authentication method according to an embodiment of the present application.
  • FIG3 is a schematic diagram of the process of non-logged-in management in the authentication method according to an embodiment of the present application.
  • FIG4 is a schematic diagram of the authorization information issuance process of the authorization module in the authorization acquisition method according to an embodiment of the present application.
  • FIG5 is a schematic diagram of the medical service platform architecture of the application example of this application.
  • FIG6 is a schematic diagram of the information structure of the user authentication terminal in the medical service platform of the application example of this application;
  • FIG7 is a schematic diagram of the authentication information structure in the user authentication terminal information of the application example of the present application.
  • FIG8 is a schematic diagram of the structure of an authentication device according to an embodiment of the present application.
  • FIG9 is a schematic diagram of the business platform structure of an embodiment of the present application.
  • the business platform can receive access from different types of users.
  • the business platform provides services to corresponding types of users through different service modules.
  • the business platform can authenticate and authorize users based on the OAuth protocol.
  • for example, in the application scenario of the Hospital Information System (HIS), a doctor user of Hospital A can jump to the business platform of Hospital B through single sign-on (SSO); during this process, the business platform of Hospital A authenticates and authorizes the doctor user based on the OAuth protocol.
  • HIS Hospital Information System
  • SSO single sign-on
  • the business platform of hospital A can provide services for users of the Web-side account system and the C-side account system, where the Web-side account system includes doctor users and the C-side account system includes patient users; the C side can be specifically implemented as a mini-program end, an application (APP) end, an HTML5 (H5) end, a public account, etc.
  • the business platform of hospital A authenticates and authorizes users of the Web-side account system, or authenticates and authorizes users of the C-side account system.
  • the business platform needs to support access from different types of users at the same time.
  • doctors can jump to Hospital B's business platform through single sign-on (SSO) from Hospital A's business platform (Web side), or use a Hospital B business platform account to log in to Hospital A's business platform by authorization.
  • Hospital A's business platform needs to use the authentication service for the Web-side account system to authenticate and authorize the doctor.
  • the patient side (C side, such as the mobile side) can also use the patient account to log in to the patient services provided by the business platform of Hospital A, and then jump to other patient services provided by the business platform of Hospital B through SSO (for example, after the patient logs in to the patient services provided by the business platform of Hospital A, in addition to enjoying the registration and other services provided by the business platform of Hospital A, he can also jump to the patient services provided by the business platform of Hospital B through SSO to enjoy the graphic consultation service).
  • the business platform of Hospital A also needs to use the authentication service for the C-side account system to authenticate and authorize the patient.
  • the business platform needs to support multiple different types of user authentication and authorization.
  • the business platform can determine the authentication end corresponding to the user based on the user authentication related information, and thereby use the corresponding authentication end to authenticate the user, and then can use different authentication ends to authenticate different types of users within a business platform, thereby achieving effective authentication and authorization of different types of users, thereby providing different service jumps or authentications for different types of users.
  • the authentication system provided in the embodiment of the present application includes a service platform and a first client.
  • the specific processing process of the service platform and the first client is described in detail below.
  • the embodiment of the present application provides an authentication method, which is applied to a business platform, such as a medical business platform, etc. As shown in FIG1 , the method includes:
  • Step 101: receive a first request sent by a first client, wherein the first request is used to request authorization for a user;
  • Step 102: in response to the first request, determine first information, where the first information includes user authentication related information of the first client;
  • Step 103: based on the first information, determine a target first service from at least two first services of the business platform; the first service is used to authenticate the user, and different first services correspond to different user types;
  • Step 104: authenticate the user using the target first service;
  • Step 105: when the identity authentication is successful, generate authorization information and send it to the first client; the authorization information is used by the first client to obtain resources from the service platform.
  • the authorization information can also be called access token.
  • the embodiment of the present application does not limit this, as long as its function can be achieved.
  • the first client can be understood as a platform that needs authorization or SSO, including the front-end application and back-end platform service of the platform; in actual application, the first client can also be called an authorization client, or an OAuth client, and the embodiment of the present application does not limit this, as long as its function can be achieved; wherein, the front-end application of the first client runs on the terminal, and the receiving of the first request sent by the first client can be understood as receiving the first request sent by the front-end application of the first client on the terminal; the terminal can specifically be a terminal device such as a mobile phone, a computer, or a tablet computer.
  • the first information may also be referred to as user authentication terminal information, which is not limited in the present application embodiment as long as its function can be realized.
  • the first information may be understood as user authentication information configured by the service platform for the first client.
  • the first information may include information related to the first service authentication, so that the service platform can determine the first service for authenticating the first client.
  • the service platform needs to configure the first information for the first client.
  • the method may further include:
  • the business platform configures corresponding user authentication related information for the first client according to the user type corresponding to the first client, that is, according to the object served by the first client; specifically, the business platform determines the user type served by the first client according to the identifier of the first client (for example, the client identifier (client_id)), and generates corresponding user authentication related information, wherein the user authentication related information is used to determine the first service to authenticate the first client.
  • the identifier of the first client for example, the client identifier (client_id)
  • when the business platform determines, according to the client_id of the first client, that the first client serves users of the Web-side account system (doctor users), the business platform generates user authentication information corresponding to the Web-side account system for the first client, so that when the business platform receives a request sent by the first client it jumps, according to that user authentication information, to the first service associated with the Web-side account system to perform user identity authentication; when the business platform determines, according to the client_id of the first client, that the first client serves users of the C-side account system (patient users), the business platform generates user authentication information corresponding to the C-side account system for the first client, so that when the business platform receives a request sent by the first client it jumps, according to that user authentication information, to the first service associated with the C-side account system to perform user identity authentication.
  • the user type can also be called the user authentication end type, or the user account system; this embodiment of the application does not limit this, as long as its function can be realized.
  • the user type can be classified by the business platform according to the specific application requirements of the service.
  • the Web-side account system includes doctor users, and the C-side account system includes patient users.
  • the Web-side account system includes doctor users and patient users, and the C-side account system includes caregiver users.
  • the specific classification is determined by the business platform according to actual usage requirements, and the embodiments of the present application do not limit this.
  • the service platform can obtain the first information from the user authentication information stored in the local database according to the identifier of the first client (for example, client_id) when receiving the request sent by the first client; based on this, in one embodiment, determining the first information can include: determining the first information from the user authentication related information of the client stored locally.
  • the service platform can also send the configured user authentication related information to the first client, and when the first client sends the first request, the corresponding user authentication related information can be carried in the first request, so that the service platform obtains the first information in the first request; based on this, in one embodiment, determining the first information can include: obtaining the first information from the first request.
  • the first information may be composed of one or more types of information that can represent a first service, so that the service platform can determine the first service for authenticating the user according to the first information.
  • the first information includes at least one of the following information:
  • the first service identifier is used by the business platform to identify the first service corresponding to the user; the first service identifier can be generated by the business platform, such as a universally unique identifier (UUID) or a globally unique identifier (GUID), or a database identity document (ID), that is, the ID of the first information in the database storing the registration information.
  • UUID universally unique identifier
  • GUID globally unique identifier
  • ID database identity document
  • the first service identifier can also be called a unique identifier of the user authentication end, and the embodiment of the present application does not limit this, as long as its function can be realized.
  • the user type is associated with the first service, and the business platform can determine the first service corresponding to the user according to the association between the user type and the first service; in actual application, the user type can be expressed in different forms. For example, the user type may include administrators (admin) or users (user), where admin represents the doctor side, whose corresponding first service is the first service of the Web account system, and user represents the patient side, whose corresponding first service is the first service of the C-end account system; for another example, the user type may also be expressed as 1 or 2, where 1 represents the doctor side (first service of the Web account system) and 2 represents the patient side (first service of the C-end account system). The specific form of expression of the user type may be determined based on actual application requirements, and the embodiments of the present application do not limit this.
  • the user authentication interface information may include interface-related information for the business platform to authenticate the user, which is used for the business platform to verify the user authentication status, for example, whether the user exists, whether the user is locked, whether the user name and password are correct, etc.
  • the user authentication interface information may include one of the following:
  • the business platform can call the authentication interface through an interface call or a method call, that is, use the interface call or the method call to fetch the corresponding information from the database and perform authentication verification on the user, or determine the verification path according to the pre-configured user authentication login path related information and thereby jump to the corresponding service;
  • the remote call related information represents the relevant information of the remote call interface when the first service is called in a remote call manner, such as application programming interface (API) information, where the API information may include information about remote procedure call (RPC) interfaces such as RESTful interfaces or Feign interfaces;
  • the internal call related information represents the relevant information of the internal call interface when the first service is called in an internal call manner, such as the interface information of a service call, microservice call or module method call, where the method call information may include the class name, method name and other information;
  • the user authentication login related information represents the relevant information of the user authentication logic, such as user authentication login path information, wherein the user authentication
  • the business platform in the process of configuring the user authentication interface information, for the same access method (i.e., remote call method, internal call method, or access based on configured user authentication login related information), the interface definition used during access is also the same, for example, the definition of output parameters and input parameters.
  • the first information may also include information related to user login interaction, such as the URL of the user login interaction interface, etc., which is not limited in this embodiment of the present application.
  • the first service is used to authenticate the user; specifically, after the business platform classifies the users, it determines the different user types and their corresponding first services, and each first service implements the authentication service for users of its user type, for example determining whether the user exists, whether the user identity is valid, etc.; the first service may also be referred to as a user authentication terminal, or an authentication terminal, which is not limited in the embodiment of the present application.
  • all the first services can be implemented together, that is, through one functional module, or they can be implemented separately, that is, through different functional modules, which is not limited in the embodiments of the present application; the number of the first services can be determined according to the number of network architectures that the business platform needs to support, which is not limited in the embodiments of the present application.
  • the OAuth protocol defines fields such as client type, client_id, and client password (client_secret); the embodiment of the present application adds the first information on the basis of the original fields defined in the OAuth protocol to achieve the allocation of corresponding first services to clients (i.e., first clients) in different demand scenarios, so that the business platform can jump to different first services according to the first information of the first client after receiving the request of the first client, and then authenticate and authorize different users;
  • the client type defined in the OAuth protocol refers to a confidential client or a public client, which is different from the first information and the user type.
  • the first information can be stored as a whole with the corresponding field information defined in the OAuth protocol, or it can be stored separately from the corresponding field information and associated, and the embodiment of the present application does not limit this.
  • the identity authentication of the user by the service platform may include login identity authentication and authorization identity authentication, or may only include login identity authentication, or may only include authorization identity authentication.
  • the using the target first service to authenticate the user may include:
  • the second service of the business platform uses the target first service to authenticate the user; the second service is at least used to manage the login of the user;
  • the third service of the business platform uses the target first service to authenticate the user; the third service is at least used to manage the authorization of the user.
  • the login identity authentication is performed during the login stage of the OAuth client, and can be implemented through the login management module and the corresponding first service in the business platform;
  • the authorization identity authentication is performed during the authorization stage of the OAuth client, and can be implemented through the authorization module and the corresponding first service in the business platform;
  • the login management module is configured to manage the login of the user, and the login identity authentication can be understood as the login management module authenticating the user's information, and the authorization module is configured to manage the authorization of the user, and the authorization identity authentication can be understood as the authorization module authenticating the user's information;
  • authenticating the user's information can include authenticating the user's identity information and login information, such as determining whether the user exists, whether the login status is correct, whether the user account password is correct, etc.;
  • the first service is used to perform corresponding authentication operations when called by the login management module or the authorization module.
  • the login management module and the authorization module are deployed on the business platform
  • the first service and the authentication center may each be an independent microservice (for example, in a small system, or in a unified user center), or may be implemented within the same service, which is not limited in the embodiments of the present application.
  • the method may further include:
  • the second information indicating whether to manage the login of the user
  • the user is authenticated using the target first service.
  • the authenticating the user by using the target first service based on the second information includes one of the following:
  • the second service in the business platform manages the login of the user, and in the management process, uses the target first service to authenticate the identity of the user; in the case where the identity authentication is passed, the third service in the business platform generates the authorization information for the user;
  • the second service in the business platform manages the login of the user, and in the login management process, uses the target first service to perform login identity authentication on the user; in the case where the login identity authentication passes, the third service in the business platform performs authorization identity authentication for the user; in the case where the authorization identity authentication passes, the third service generates the authorization information for the user;
  • the third service in the business platform uses the target first service to authenticate the user; when the authentication is successful, the third service generates the authorization information for the user.
  • whether the login of the user needs to be managed may be determined by the authorization mode of the first client.
  • determining the second information includes:
  • Second information is determined.
  • the second information indicates that the login of the user is managed
  • the second information indicates that login of the user is not to be managed.
  • the business platform has different logics for managing the login of different types of users. Therefore, in order to determine the login authentication logic in different scenarios, the login management module can, for each user type, implement the second service corresponding to that user type, which manages the login authentication of users of that type.
  • the method may further include:
  • a target second service is determined from at least two second services of the business platform; different second services correspond to different user types;
  • the target second service is used to communicate with the first client at least for logging in.
  • the using the target first service to authenticate the user includes:
  • the target second service calls the target first service to perform identity authentication on the user.
  • the second service may also be referred to as a login management function, which is not limited in the embodiments of the present application, as long as the function can be realized.
  • the at least two second services can be implemented separately, that is, through different functional modules, or can be implemented together, that is, through the same functional module, and identified and processed through different information.
  • the embodiment of the present application is not limited to this.
  • the at least two second services are implemented together, that is, different second services are implemented through the same functional module.
  • the client type (client_type) parameter in the OAuth protocol is defined as doctor.
  • the client_type parameter in the OAuth protocol is defined as patient.
  • the login management mainly includes two operations: login status verification and non-logged-in processing; specifically, the login management module first determines the login status of the user, and when the user has not logged in to the business platform, performs non-logged-in processing on the user to guide the user to perform the corresponding login operation; the non-logged-in processing includes login user interaction, login verification and login authentication; wherein, the user interaction includes the login page presented by the first client, that is, the human-computer interaction interface, such as the doctor login page presented to the doctor end, and the patient login page presented to the patient; the login verification includes the security verification of the logged-in user, such as the graphic verification code verification, the SMS random code verification, etc.; the login identity authentication includes the verification of the user login information, such as the verification of whether the user exists, whether it is in the login state, whether the user name and password are correct, etc.; when the login identity authentication passes, the authorization module directly generates authorization information, or the authorization module performs authorization identity authentication on the user. Correspondingly, when the user interaction includes the
  • the second service manages the login of the user, which may include:
  • the second service confirms the login status of the user, and performs non-logged-in processing on the user if the user is not logged in; the non-logged-in processing includes login user interaction, login verification and login authentication.
  • the login verification and the login authentication can be implemented separately or together; the embodiments of the present application are not limited to this.
  • the service modules and authentication logics corresponding to different user types are different, that is, the management methods of different second services are different; specifically, different second services define different non-logged in processing logics, such as login method logic, login verification logic, login authentication logic, etc., so that when performing non-logged in processing, different types of users can be processed according to the corresponding processing logic.
  • the login management module includes two second services, which are respectively used to manage the logins of users of the Web account system and the C-end account system; wherein, the non-logged-in processing flow of one second service includes a first logged-in user interaction, a first login verification and a first login authentication, and the non-logged-in processing flow of another second service includes a second logged-in user interaction, a second login verification and a second login authentication; when the business platform receives the first request sent by the first client, for users who need to perform non-logged-in processing, the second service required for login management, i.e., the target second service, is determined based on the first information.
  • the process of not logging in includes:
  • Step 301 The target second service obtains login interaction related information from the client management module of the service platform according to the first information;
  • the login interaction related information is obtained from the OAuth client management module, which may also be referred to as login user interaction information, which is not limited in the embodiment of the present application; here, the login interaction related information includes parameter information during the interaction between the target second service and the first client, such as the login method selected by the user, relevant parameters of the login page, etc.;
  • Step 302 Based on the login interaction related information, execute corresponding user interaction, that is, execute the first login user interaction or the second login user interaction;
  • Step 303 Based on the login interaction related information, perform corresponding login verification, that is, perform the first login verification or the second login verification;
  • Step 304 Based on the login interaction related information, call the user authentication interface information of the corresponding authentication end (i.e., the first service) to verify the user's login information, that is, perform the first login authentication or the second login authentication; specifically, verify whether the user exists, whether he is in the login status, whether the user name and password are correct, etc.
  • the authorization module authenticates the user.
  • the authorization mode of the first client is the authorization code authorization mode or the implicit authorization mode
  • the authorization module can obtain the user information of the user from the logged in user information, generate authorization information and send it to the first client;
  • the authorization mode of the first client is the password authorization mode or the client authorization mode
  • the authorization module can directly call the corresponding first service to authenticate the user password information of the user, and send the authorization information to the first client when the authentication is passed.
  • the user password information can be carried in the first request.
  • the authorization information issuance process of the authorization module includes:
  • Step 401 determining the authorization mode of the first client based on the user authentication interface information, that is, obtaining the authorization mode and data from the authorization interface, that is, determining the third information;
  • Step 402 Determine whether identity authentication is required, that is, determine the second information based on the third information; when identity authentication is required, execute step 403, and when identity authentication is not required, execute step 405;
  • Step 403 Obtain user authentication terminal information according to the unique identifier (i.e., unique identification) of the first client (i.e., OAuth client);
  • Step 404 Perform corresponding identity authentication according to the user authentication terminal information, that is, perform identity authentication on the OAuth client, and if the identity authentication passes, execute step 405;
  • calling the corresponding first service to authenticate the first client for example, when the authorization mode of the first client is the password authorization mode, verifying whether the user name and password are correct, whether the user exists, whether the user password is valid, etc.;
  • Step 405 Issue an access token to the first client.
  • an access token is issued to logged-in users or authenticated users.
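The three authorization paths listed above, the non-logged-in processing of steps 301-304 and the issuance flow of steps 401-405 all hinge on two decisions: which first service (authentication end) handles this user type, and whether the authorization mode requires login management before the token is issued. The following Python sketch is an added example, not code from the patent or the applicant, that implements that dispatch end to end. The client identifiers, grant types, users and passwords are constructed sample data; the salted password hashing and the in-memory session table are assumptions of this example and stand in for whatever the real authentication end and second service use.

```python
"""Added example (not the patent's own code): a minimal authorization server
that selects the authentication end ("first service") by user type and decides
from the OAuth authorization mode whether login management ("second service")
runs before the authorization step ("third service") issues an access token.
All clients, users and credentials below are constructed sample data."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


class AuthenticationEnd:
    """Authenticates users of one type; the patent's 'first service'."""

    def __init__(self, user_type, users):
        self.user_type = user_type
        self._users = users  # username -> (salt, sha256(salt + password))

    @staticmethod
    def _digest(salt, password):
        return hashlib.sha256(salt + password.encode()).hexdigest()

    def authenticate(self, username, password):
        rec = self._users.get(username)
        if rec is None:
            return False  # user does not exist in this account system
        salt, stored = rec
        # constant-time compare so timing does not leak how much of the hash matched
        return hmac.compare_digest(self._digest(salt, password), stored)


def make_users(creds):
    """Build the constructed user table with a fresh random salt per user."""
    out = {}
    for name, pw in creds.items():
        salt = secrets.token_bytes(16)
        out[name] = (salt, AuthenticationEnd._digest(salt, pw))
    return out


# one authentication end per user type (constructed)
FIRST_SERVICES = {
    "doctor": AuthenticationEnd("doctor", make_users({"dr_li": "doc-pass"})),
    "patient": AuthenticationEnd("patient", make_users({"pat_wang": "pat-pass"})),
}

# OAuth client management module: client_id -> user type and authorization mode (constructed)
CLIENTS = {
    "web_client1": {"user_type": "doctor", "grant": "authorization_code"},
    "h5_client1": {"user_type": "patient", "grant": "authorization_code"},
    "api_client1": {"user_type": "doctor", "grant": "password"},
}

# authorization modes for which the second service manages the user's login
LOGIN_MANAGED_GRANTS = {"authorization_code", "implicit"}

# (client_id, username) -> True once login management has authenticated the login (assumption)
SESSIONS = {}


@dataclass
class Request:
    client_id: str
    username: str
    password: str


def needs_login_management(grant):
    """The 'second information': derived from the client's authorization mode."""
    return grant in LOGIN_MANAGED_GRANTS


def login_management(client_id, first_service, req):
    """'Second service': check login status, then run non-logged-in processing
    by calling the target first service for login authentication."""
    key = (client_id, req.username)
    if key in SESSIONS:
        return True  # already logged in to the platform
    if first_service.authenticate(req.username, req.password):
        SESSIONS[key] = True
        return True
    return False


def authorize(req):
    """Entry point for the first request: returns an access token or None."""
    client = CLIENTS.get(req.client_id)
    if client is None:
        return None  # unknown OAuth client: nothing is issued
    first_service = FIRST_SERVICES[client["user_type"]]  # the target first service
    if needs_login_management(client["grant"]):
        if not login_management(req.client_id, first_service, req):
            return None
    else:
        # password mode: the authorization module calls the first service directly
        if not first_service.authenticate(req.username, req.password):
            return None
    return secrets.token_urlsafe(32)  # third service issues an opaque access token
```

Note that a patient's credentials presented through the doctor client fail, because the doctor authentication end simply does not know that user: the per-type first service is what keeps the two account systems isolated even though one authorization server serves both.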
  • the authentication method provided in the embodiment of the present application is as follows: the business platform receives a first request sent by a first client, the first request is used to request authorization for a user; in response to the first request, first information is determined, the first information includes user authentication related information of the first client; based on the first information, a target first service is determined from at least two first services of the business platform; the first service is used to authenticate the user, and different first services correspond to different user types; the user is authenticated using the target first service; if the authentication is successful, authorization information is generated and sent to the first client; the authorization information is used by the first client to obtain resources from the business platform.
  • the business platform distinguishes different types of users based on user authentication related information, and authenticates the corresponding types of users through different authentication services, thereby enabling the business platform to authenticate and authorize multiple types of users.
  • FIG. 5 is a schematic diagram of the structure of the medical business platform of the application example of this application.
  • the medical business platform mainly includes: Authorization Server, Resource Server, a first authentication terminal 501 and a second authentication terminal 502; wherein, the Authorization Server and the Resource Server constitute a unified authentication/authorization center of the medical business platform.
  • the functions of the OAuth client, Authorization Server, Resource Server, the first authentication terminal 501 and the second authentication terminal 502 are described in detail below.
  • the OAuth client is configured to request an access token from the business platform; the specific implementation can be the B-end or the C-end.
  • the first authentication terminal 501 is configured to perform login authentication and identity authentication on the doctor terminal.
  • the second authentication terminal 502 is configured to perform login authentication and identity authentication on the patient terminal.
  • the Authorization Server is configured to authenticate the OAuth client and issue an access token to the OAuth client;
  • the Authorization Server includes a login management module 503, an authorization code management module 504, an authorization module 505 and an OAuth client management module 506; wherein,
  • the login management module 503 is configured to perform login management on the OAuth client, for example, verify the login status of the OAuth client, and call the first authentication end or the second authentication end to perform login authentication on the OAuth client; wherein the login management module 503 includes a first login management function and a second login management function, i.e., a second service, wherein the first login management function is used to perform login management on the doctor end, and the second login management function is used to perform login management on the patient end;
  • An authorization module 505 is configured to authenticate the OAuth client and issue an access token to the OAuth client;
  • the OAuth client management module 506 is configured to manage the user authentication terminal information.
  • the user authentication terminal information includes user information and authentication information, wherein the user information includes client_id and client_secret, and the authentication information includes the user authentication terminal unique identifier, the user authentication terminal type, and the user authentication interface information, as shown in FIG7 ; when storing the user authentication terminal information, the user information and the authentication information can be combined and stored together, or the user information and the authentication information can be stored separately and associated, so that the business platform can obtain the corresponding user authentication terminal information according to the user information.
  • user authentication end information is obtained from the OAuth client management module, and the user authentication end information includes user authentication interface information and login-related information.
  • the specific implementation of the user authentication end information is shown in Table 1; wherein, the user authentication API interface adopts an internal restful interface or a Feign interface of a microservice architecture.
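The preceding paragraphs describe the user authentication terminal information as two parts, user information (client_id, client_secret) and authentication information (authentication end unique identifier, type, interface information), stored either together or separately and associated. The Python below is an added example, not code from the patent or the applicant, of the "stored separately and associated" variant: the two records are kept in different stores keyed by client_id, the client_secret is stored only as a salted PBKDF2 hash, and the authentication end record is released only to a client that proves its secret. The client identifiers, secrets, type values and interface URLs are constructed sample values; the type numbering 1 = B-end, 2 = C-end follows the application example later on this page.

```python
"""Added example (not the patent's own code): an OAuth client management module
that keeps 'user information' and 'authentication information' in separate
stores associated by client_id, and resolves the authentication end for a
client only after verifying its client_secret. All values are constructed."""
import hashlib
import hmac
import os
from typing import Optional

USER_INFO = {}  # client_id -> {"salt": bytes, "secret_hash": bytes}
AUTH_INFO = {}  # client_id -> {"auth_end_id": str, "auth_end_type": int, "interface": str}


def _hash_secret(salt, secret):
    # PBKDF2 so that a leaked registry does not expose client secrets in clear
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


def register_client(client_id, client_secret, auth_end_id, auth_end_type, interface):
    """Configure and store the user authentication related information of a client."""
    salt = os.urandom(16)
    USER_INFO[client_id] = {"salt": salt, "secret_hash": _hash_secret(salt, client_secret)}
    AUTH_INFO[client_id] = {
        "auth_end_id": auth_end_id,      # user authentication end unique identifier
        "auth_end_type": auth_end_type,  # 1 = B-end user, 2 = C-end user
        "interface": interface,          # user authentication interface information
    }


def verify_client(client_id, client_secret):
    """Authenticate the OAuth client against its stored secret hash."""
    rec = USER_INFO.get(client_id)
    if rec is None:
        return False  # unknown client_id
    candidate = _hash_secret(rec["salt"], client_secret)
    return hmac.compare_digest(candidate, rec["secret_hash"])


def resolve_auth_end(client_id, client_secret) -> Optional[dict]:
    """Return the associated authentication end record for an authenticated client,
    which the login management or authorization module then calls."""
    if not verify_client(client_id, client_secret):
        return None
    return AUTH_INFO.get(client_id)


# constructed registrations: a doctor (Web) client and a patient (H5) client;
# the interface URLs are hypothetical internal endpoints
register_client("web_client1", "web-secret", "auth_end_doctor", 1,
                "http://auth-doctor.internal/api/v1/authenticate")
register_client("h5_client1", "h5-secret", "auth_end_patient", 2,
                "http://auth-patient.internal/api/v1/authenticate")
```

Keeping the secret hash and the authentication end record in separate stores means the record that is handed to the login management and authorization modules never carries the secret itself, which matches the separation the text describes.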
  • This application example uses the access token acquisition method, including:
  • Step 1 When the doctor side (Web side) jumps to a third-party Web service through the SSO service, the OAuth client management module identifies the client identifier of the doctor side as web_client1, and generates a corresponding OAuth client identifier web_client2 for the third-party service, which is used to indicate that the authentication end type of the third-party service is a Web user authentication end, thereby forming an SSO closed loop for the web end user; wherein, the configurations of web_client1 and web_client2 are the same;
  • Step 2 Authorization Server obtains the authorization mode of the doctor from the interface information as the authorization code authorization mode;
  • Step 3 The first login management function determines that the user is not logged in, and determines from the request parameters on the doctor's side that the client_id is web_client1;
  • Step 4 The first login management function obtains user authentication terminal information from the OAuth client management module, where the user authentication terminal information includes login information and API interface information. Exemplarily, the user authentication terminal information is shown in Table 2;
  • Step 5 The first login management function performs user login interaction and user verification based on the acquired information;
  • Step 6 The first login management function calls the first authentication terminal to perform login authentication on the doctor terminal based on the user authentication terminal information, and executes step 7 if the login authentication passes; the login authentication specifically includes determining whether the user exists, whether the user is logged in, whether the user name and password are correct, etc.;
  • Step 7 Based on the user authentication information, the authorization module calls the first authentication terminal to perform identity authentication on the doctor, and if the identity authentication is passed, an access token is issued to the doctor; the identity authentication specifically includes determining whether the user exists, whether he is logged in, whether the username and password are correct, etc.
  • user authentication end information is obtained from the OAuth client management module, and the user authentication end information includes user authentication interface information and login-related information.
  • the specific implementation of the user authentication end information is shown in Table 1; wherein, the user authentication API interface adopts an internal restful interface or a Feign interface of a microservice architecture.
  • This application example uses the access token acquisition method, including:
  • Step 1 When the patient end (H5 end) jumps to a third-party H5 service through the SSO service, the OAuth client management module generates a corresponding OAuth client identifier h5_client1 for the third-party service, which is used to indicate that the authentication end type of the third-party H5 service is the C-end user authentication end, thereby forming an SSO closed loop for C-end users; wherein, the configuration of h5_client1 is the same as the configuration of the C-end user authentication system;
  • Step 2 Authorization Server obtains the authorization mode of the patient from the interface information as the authorization code authorization mode;
  • Step 3 The second login management function determines that the user is not logged in, and determines from the request parameters on the patient side that the client_id is h5_client1;
  • Step 4 The second login management function obtains user authentication terminal information from the OAuth client management module, where the user authentication terminal information includes login information and API interface information. Exemplarily, the user authentication terminal information is shown in Table 2;
  • Step 5 The second login management function performs user login interaction and user verification based on the acquired information;
  • Step 6 The second login management function calls the second authentication terminal to perform login authentication on the patient terminal based on the user authentication terminal information, and executes step 7 if the login authentication passes; the login authentication specifically includes determining whether the user exists, whether the user is logged in, whether the user name and password are correct, etc.;
  • Step 7 Based on the user authentication information, the authorization module calls the second authentication terminal to authenticate the patient, and if the authentication is successful, issues an access token to the patient.
  • the authentication specifically includes determining whether the user exists, whether he is logged in, whether the username and password are correct, etc.
  • the medical business platform obtains user authentication information from the request sent by the OAuth client.
  • This application example uses the access token acquisition method, including:
  • Step 1 The doctor (Web client) sends an access token request to the Authorization Server.
  • the request carries the user authentication information, which includes client_Type.
  • client_Type is 1, which means that the user authentication end is a B-end user.
  • Step 2 The Authorization Server obtains the client_id in the request parameter as Web_client1 and client_Type as 1, determines that the OAuth client is the doctor's client, and determines that the user is not logged in, and transfers the request to the first login management function for processing;
  • Step 3 The first login management function performs login interaction and login verification on the patient side.
  • Step 4 The first login management function calls the first authentication terminal to perform user login authentication on the doctor terminal based on the user authentication terminal information, and executes step 5 if the login authentication passes; the login authentication specifically includes determining whether the user exists, whether the user is logged in, whether the user name and password are correct, etc.;
  • Step 5 Based on the user authentication information, the authorization module calls the first authentication terminal to perform identity authentication on the doctor, and if the identity authentication passes, an access token is issued to the doctor; the identity authentication specifically includes determining whether the user exists, whether he is logged in, whether the username and password are correct, etc.
  • the medical business platform obtains the user authentication end information from the request sent by the OAuth client.
  • This application example uses the access token acquisition method, including:
  • Step 1 The patient end (H5 end) sends an access token acquisition request to the Authorization Server.
  • the request carries the user authentication end information, which includes client_Type.
  • client_Type is 2, indicating that the user authentication end is a C-end user.
  • Step 2 The Authorization Server obtains the client_id in the request parameter as h5_client1 and the client_type as 2, determines that the OAuth client is the patient end, and determines that the user is not logged in, and transfers the request to the second login management function for processing;
  • Step 3 The second login management function performs login interaction and login verification on the patient side.
  • Step 4 Based on the user authentication terminal information, perform user login authentication on the patient terminal, and if the login authentication passes, execute step 5; the login authentication specifically includes determining whether the user exists, whether the user is logged in, whether the user name and password are correct, etc.;
  • Step 5 The authorization module calls the second authentication terminal to authenticate the patient terminal based on the user authentication terminal information, and issues an access token to the patient terminal if the authentication passes.
  • Identity authentication specifically includes determining whether the user exists, whether he is logged in, whether the username and password are correct, etc.
  • the application example of this application identifies and manages the login management processes of different account systems (doctor side and patient side) through the first login management function and the second login management function, and authenticates the OAuth clients of different account systems through the first authentication end and the second authentication end, thereby realizing that the same business platform supports authentication and authorization of multiple account systems at the same time.
  • the embodiment of the present application further provides an authentication device, which is arranged on a service platform, as shown in FIG8 , and includes:
  • the receiving unit 801 is configured to receive a first request sent by a first client, where the first request is used to request authorization for a user;
  • the determining unit 802 is configured to determine, in response to the first request, first information, the first information including user authentication related information of the first client; based on the first information, determine a target first service from at least two first services of the business platform; the first service is used to authenticate the user, and different first services correspond to different user types;
  • An authentication unit 803, configured to perform identity authentication on the user using the target first service
  • the authorization unit 804 is configured to generate authorization information and send the authorization information to the first client when the identity authentication is successful; the authorization information is used for the first client to obtain resources from the service platform.
  • the authentication unit 803 is configured as follows:
  • the second service is at least used to manage the login of the user
  • the user is authenticated by using the target first service through the third service of the business platform; the third service is at least used to manage the authorization of the user.
  • the determining unit 802 is further configured to:
  • the second information indicating whether to manage the login of the user
  • the user is authenticated using the target first service.
  • the second service in the business platform manages the login of the user
  • the determination unit 802 is configured to use the target first service to authenticate the user; when the authentication is successful, the authorization unit 804 generates the authorization information for the user through the third service in the business platform.
  • the second service in the service platform manages the login of the user.
  • the determination unit 802 is configured to use the target first service to perform login authentication on the user; if the login authentication is successful, the authorization unit 804 performs authorization authentication for the user through the third service in the business platform; if the authorization authentication is successful, the authorization information is generated for the user through the third service.
  • the determination unit 802 is configured to authenticate the user using the target first service through the third service in the business platform; when the authentication is successful, the authorization unit 804 generates the authorization information for the user through the third service.
  • the determining unit 802 is configured to:
  • Second information is determined.
  • the second information indicates that the login of the user is managed
  • the second information indicates that login of the user is not to be managed.
  • the determining unit 802 is further configured to:
  • the second information indicates that the login of the user is to be managed, based on the first information, determining a target second service from at least two second services of the service platform; different second services correspond to different user types;
  • the target second service is used to communicate with the first client at least for user login.
  • the first information includes at least one of the following information:
  • the user authentication interface information includes one of the following:
  • the determining unit 802 is configured to:
  • First information is obtained from the first request.
  • the device further comprises:
  • a configuration unit is configured to configure and store user authentication related information of the first client.
  • the receiving unit 801 and the determining unit 802 can be implemented by a processor in the authentication device in combination with a communication interface.
  • the authentication unit 803, the authorization unit 804 and the configuration unit can be implemented by a processor in the authentication device.
  • when the authentication device provided in the above embodiment performs authentication, the above division of program modules is used only as an example; in practical applications, the above processing can be assigned to different program modules as needed, that is, the internal structure of the device is divided into different program modules to complete all or part of the above-described processing.
  • the authentication device provided in the above embodiment and the authentication method embodiment belong to the same concept, and the specific implementation process is detailed in the method embodiment, which will not be repeated here.
  • the embodiment of the present application further provides a service platform, as shown in FIG. 9 , the service platform 900 includes:
  • the communication interface 901 is capable of exchanging information with the first client; for example, receiving a first request sent by the first client and sending authorization information to the first client;
  • a processor 902 connected to the communication interface 901 to implement information interaction with the first client, and configured to execute the method provided by one or more technical solutions of the above-mentioned business platform side when running the computer program;
  • a memory 903 on which the computer program is stored.
  • the communication interface 901 is configured to receive a first request sent by a first client, where the first request is used to request authorization for a user;
  • the processor 902 is configured to determine first information in response to the first request, where the first information includes user authentication related information of the first client; based on the first information, determine a target first service from at least two first services of the business platform; the first service is used to authenticate the user, and different first services correspond to different user types; use the target first service to authenticate the user; if the authentication is successful, generate authorization information and send the authorization information to the first client using the communication interface 901; the authorization information is used by the first client to obtain resources from the business platform.
  • the processor 902 is configured to:
  • the second service is at least used to manage the login of the user
  • the user is authenticated by using the target first service through the third service of the business platform; the third service is at least used to manage the authorization of the user.
  • the processor 902 is further configured to:
  • the second information indicating whether to manage the login of the user
  • the user is authenticated using the target first service.
  • the second service in the service platform manages the login of the user.
  • the processor 902 is configured to perform identity authentication on the user using the target first service; if the identity authentication is successful, the authorization information is generated for the user through the third service in the business platform.
  • the second service in the business platform manages the login of the user
  • the processor 902 is configured to use the target first service to perform login authentication on the user; when the login authentication passes, the third service in the business platform performs authorization authentication for the user; when the authorization authentication passes, the authorization information is generated for the user through the third service.
  • when the second information indicates that the login of the user is not to be managed, the processor 902 is configured so that the third service in the business platform uses the target first service to authenticate the user; if the authentication is successful, the authorization information is generated for the user through the third service.
  • the processor 902 is configured to:
  • Second information is determined.
  • the second information indicates that the login of the user is managed
  • the second information indicates that login of the user is not to be managed.
  • the processor 902 is further configured to:
  • the second information indicates that the login of the user is to be managed, based on the first information, determining a target second service from at least two second services of the service platform; different second services correspond to different user types;
  • the target second service is used to communicate with the first client at least for user login.
  • the processor 902 is configured to:
  • the target second service calls the target first service to perform login authentication on the first client.
  • the first information includes at least one of the following information:
  • the user authentication interface information includes one of the following:
  • the processor 902 is configured to:
  • the first information is determined from the locally stored information related to the user authentication of the client; or the first information is obtained from the first request.
  • the processor 902 may also be configured to:
  • a bus system 904; the various components in the service platform 900 are coupled together through the bus system 904. It can be understood that the bus system 904 is configured to realize the connection and communication between these components. In addition to the data bus, the bus system 904 also includes a power bus, a control bus, and a status signal bus. However, for the sake of clarity, the various buses are labeled as the bus system 904 in FIG. 9.
  • the memory 903 in the embodiment of the present application is configured to store various types of data to support the operation of the service platform 900. Examples of such data include: any computer program used to operate on the service platform 900.
  • the method disclosed in the above embodiment of the present application can be applied to the processor 902, or implemented by the processor 902.
  • the processor 902 may be an integrated circuit chip with signal processing capabilities. In the implementation process, each step of the above method can be completed by the hardware integrated logic circuit in the processor 902 or the instruction in the form of software.
  • the above-mentioned processor 902 may be a general-purpose processor, a digital signal processor (DSP, Digital Signal Processor), or other programmable logic devices, discrete gates or transistor logic devices, discrete hardware components, etc.
  • the processor 902 can implement or execute the various methods, steps and logic block diagrams disclosed in the embodiments of the present application.
  • a general-purpose processor may be a microprocessor or any conventional processor, etc.
  • in combination with the steps of the method disclosed in the embodiments of the present application, the processor 902 can be directly embodied as a hardware decoding processor for execution, or the steps can be executed by a combination of hardware and software modules in the decoding processor.
  • the software module can be located in a storage medium, which is located in the memory 903.
  • the processor 902 reads the information in the memory 903 and completes the steps of the above method in combination with its hardware.
  • the business platform 900 can be implemented by one or more application specific integrated circuits (ASICs), DSPs, programmable logic devices (PLDs), complex programmable logic devices (CPLDs), field programmable gate arrays (FPGAs), general-purpose processors, controllers, microcontrollers (MCUs), microprocessors, or other electronic components, and configured to execute the aforementioned method.
  • the memory 903 of the embodiment of the present application can be a volatile memory or a non-volatile memory, or can include both volatile and non-volatile memories.
  • the non-volatile memory can be a read-only memory (ROM), a programmable read-only memory (PROM), an erasable programmable read-only memory (EPROM), an electrically erasable programmable read-only memory (EEPROM), a ferromagnetic random access memory (FRAM), a flash memory, a magnetic surface storage, an optical disk, or a compact disc read-only memory (CD-ROM); the magnetic surface storage can be magnetic disk storage or tape storage.
  • volatile memory can be random access memory (RAM), which is used as an external cache. Many forms of RAM are available, such as static random access memory (SRAM), synchronous static random access memory (SSRAM), dynamic random access memory (DRAM), synchronous dynamic random access memory (SDRAM), double data rate synchronous dynamic random access memory (DDRSDRAM), enhanced synchronous dynamic random access memory (ESDRAM), synchronous link dynamic random access memory (SLDRAM), and direct memory bus random access memory (DRRAM).
  • the embodiment of the present application further provides a storage medium, namely a computer storage medium, specifically a computer-readable storage medium, for example, a memory 903 storing a computer program, and the computer program can be executed by a processor 902 of a service platform 900 to complete the steps described in the aforementioned service platform side method.
  • the computer-readable storage medium can be a memory such as FRAM, ROM, PROM, EPROM, EEPROM, Flash Memory, magnetic surface storage, optical disk, or CD-ROM.

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Databases & Information Systems (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Data Mining & Analysis (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The present application discloses an authentication method and apparatus, a service platform, and a storage medium. The method comprises: a service platform receiving a first request sent by a first client, the first request being used for requesting to authorize a user; in response to the first request, determining first information, the first information comprising user authentication-related information of the first client; determining a target first service from at least two first services of the service platform on the basis of the first information, the types of users corresponding to different first services being different; performing identity authentication on the user by using the target first service; and when the identity authentication is successful, generating authorization information and sending the authorization information to the first client, the authorization information being used for the first client to obtain resources from the service platform.

Description

Authentication method, device, service platform and storage medium
CROSS-REFERENCE TO RELATED APPLICATIONS
This application is based on, and claims priority to, Chinese patent application No. 202211528407.2 filed on November 30, 2022, the entire content of which is incorporated herein by reference.
Technical Field
The present application relates to the field of communications, and in particular to an authentication method, device, service platform and storage medium.
Background
In the OAuth (Open Authorization) authorization scenario, a user who wants to obtain resources from an OAuth resource server (Resource Server) must first obtain an access token from the OAuth authentication/authorization server (Authorization Server) through a client, and then use the obtained access token to obtain the resources from the Resource Server. Before issuing the access token to the user, the OAuth Authorization Server authenticates the identity of the logged-in user.
However, the authentication schemes in the related art cannot effectively implement authentication and authorization for multiple types of users.
Summary of the Invention
To solve the related technical problems, the embodiments of the present application provide an authentication method, device, service platform and storage medium.
The technical solution of the embodiments of the present application is implemented as follows:
An embodiment of the present application provides an authentication method, applied to a service platform, including:
receiving a first request sent by a first client, the first request being used to request authorization for a user;
in response to the first request, determining first information, the first information including user-authentication-related information of the first client;
based on the first information, determining a target first service from at least two first services of the service platform; the first services are used to authenticate the identity of users, and different first services correspond to different user types;
authenticating the identity of the user by using the target first service;
when the identity authentication is passed, generating authorization information and sending the authorization information to the first client.
In the above solution, authenticating the identity of the user by using the target first service includes:
a second service of the service platform authenticating the identity of the user by using the target first service; the second service is at least used to manage the login of the user;
and/or,
a third service of the service platform authenticating the identity of the user by using the target first service; the third service is at least used to manage the authorization of the user.
In the above solution, the method further includes:
determining second information, the second information indicating whether the login of the user is to be managed;
based on the second information, authenticating the identity of the user by using the target first service.
In the above solution, authenticating the identity of the user by using the target first service based on the second information includes one of the following:
when the second information indicates that the login of the user is to be managed, the second service in the service platform manages the login of the user and, during the login management process, authenticates the identity of the user by using the target first service; when the identity authentication is passed, the third service in the service platform generates the authorization information for the user;
when the second information indicates that the login of the user is to be managed, the second service in the service platform manages the login of the user and, during the login management process, performs login identity authentication on the user by using the target first service; when the login identity authentication is passed, the third service in the service platform performs authorization identity authentication on the user; when the authorization identity authentication is passed, the third service generates the authorization information for the user;
when the second information indicates that the login of the user is not to be managed, the third service in the service platform authenticates the identity of the user by using the target first service; when the identity authentication is passed, the third service generates the authorization information for the user.
In the above solution, determining the second information includes:
determining third information, the third information characterizing the authorization mode of the first client;
based on the third information, determining the second information.
In the above solution, when the third information characterizes that the authorization mode of the first client includes the authorization code grant mode or the implicit grant mode, the second information indicates that the login of the user is to be managed;
or,
when the third information characterizes that the authorization mode of the first client includes the password grant mode or the client credentials grant mode, the second information indicates that the login of the user is not to be managed.
In the above solution, the method further includes:
when the second information indicates that the login of the user is to be managed, determining, based on the first information, a target second service from at least two second services of the service platform; different second services correspond to different user types;
using the target second service to communicate with the first client at least for user login.
In the above solution, the first information includes at least one of the following:
a first service identifier;
a user type;
user authentication interface information.
In the above solution, the user authentication interface information includes one of the following:
remote-call-related information;
internal-call-related information;
user-authentication-login-related information.
In the above solution, determining the first information includes:
determining the first information from locally stored user-authentication-related information of the client;
or,
obtaining the first information from the first request.
In the above solution, the method further includes:
configuring and storing the user-authentication-related information of the first client.
An embodiment of the present application further provides an authentication device, including:
a receiving unit, configured to receive a first request sent by a first client, the first request being used to request authorization for a user;
a determining unit, configured to determine first information in response to the first request, the first information including user-authentication-related information of the first client, and to determine, based on the first information, a target first service from at least two first services of the service platform; the first services are used to authenticate the identity of users, and different first services correspond to different user types;
an authentication unit, configured to authenticate the identity of the user by using the target first service;
an authorization unit, configured to generate authorization information and send the authorization information to the first client when the identity authentication is passed; the authorization information is used by the first client to obtain resources from the service platform.
An embodiment of the present application further provides a service platform, including a communication interface and a processor, wherein:
the communication interface is configured to receive a first request sent by a first client, the first request being used to request authorization for a user;
the processor is configured to: in response to the first request, determine first information, the first information including user-authentication-related information of the first client; based on the first information, determine a target first service from at least two first services of the service platform, the first services being used to authenticate the identity of users and different first services corresponding to different user types; authenticate the identity of the user by using the target first service; and, when the identity authentication is passed, generate authorization information and send the authorization information to the first client through the communication interface; the authorization information is used by the first client to obtain resources from the service platform.
An embodiment of the present application further provides a service platform, including a processor and a memory configured to store a computer program that can run on the processor;
wherein the processor is configured to execute the steps of any of the above methods when running the computer program.
An embodiment of the present application further provides a storage medium on which a computer program is stored, the computer program implementing the steps of any of the above methods when executed by a processor.
In the authentication method, device, service platform and storage medium provided by the embodiments of the present application, the service platform receives a first request sent by a first client, the first request being used to request authorization for a user; in response to the first request, determines first information, the first information including user-authentication-related information of the first client; based on the first information, determines a target first service from at least two first services of the service platform, the first services being used to authenticate the identity of users and different first services corresponding to different user types; authenticates the identity of the user by using the target first service; and, when the identity authentication is passed, generates authorization information and sends the authorization information to the first client, the authorization information being used by the first client to obtain resources from the service platform. In the solution provided by the embodiments of the present application, the service platform can determine the authentication end corresponding to the user according to the user's authentication-related information and thus authenticate the identity of the user by using the corresponding authentication end; in this way, different authentication ends can be used within one service platform to authenticate different types of users, achieving effective authentication and authorization of different types of users and thereby providing different service jumps or authentication for different types of users.
BRIEF DESCRIPTION OF THE DRAWINGS
FIG. 1 is a schematic flow chart of the authentication method according to an embodiment of the present application;
FIG. 2 is a schematic diagram of the architecture of the login management module in the authentication method according to an embodiment of the present application;
FIG. 3 is a schematic flow chart of the case without login management in the authentication method according to an embodiment of the present application;
FIG. 4 is a schematic diagram of the authorization information issuance flow of the authorization module in the authorization acquisition method according to an embodiment of the present application;
FIG. 5 is a schematic diagram of the architecture of the medical service platform in an application example of the present application;
FIG. 6 is a schematic diagram of the structure of the user authentication end information in the medical service platform of the application example of the present application;
FIG. 7 is a schematic diagram of the structure of the authentication information within the user authentication end information of the application example of the present application;
FIG. 8 is a schematic diagram of the structure of the authentication device according to an embodiment of the present application;
FIG. 9 is a schematic diagram of the structure of the service platform according to an embodiment of the present application.
Detailed Description
The present application is further described in detail below with reference to the accompanying drawings and embodiments.
As a comprehensive application platform, a service platform can receive access from different types of users, and it provides services to the corresponding types of users through different service modules. In the related art, before providing resources to a user, the service platform can authenticate and authorize the user based on the OAuth protocol. For example, in the Hospital Information System (HIS) application scenario, a doctor user of Hospital A can jump to the service platform of Hospital B through single sign-on (SSO); during this process, the service platform of Hospital A authenticates and authorizes the doctor user based on the OAuth protocol.
In the related art, only a single kind of user authentication and authorization can be implemented based on the OAuth protocol, that is, only one OAuth authentication path is supported, and effective authentication and authorization cannot be performed for different OAuth client users. For example, in the HIS application scenario, the service platform of Hospital A can provide services to users of a Web-side account system and of a C-side (consumer-side) account system, where the Web-side account system contains doctor users and the C-side account system contains patient users and may specifically be implemented as a mini-program end, an application (APP) end, an HTML5 (H5) end, an official account, and so on. According to the authentication and authorization flow defined by the OAuth protocol, the service platform of Hospital A authenticates and authorizes either the users of the Web-side account system or the users of the C-side account system.
However, as a comprehensive application platform, the service platform needs to support access from different types of users at the same time.
For example, in the medical application scenario:
the doctor side can jump from the service platform of Hospital A (Web side) to the service platform of Hospital B through single sign-on (SSO), or log in to the service platform of Hospital A with account authorization from the service platform of Hospital B; during this SSO process, the service platform of Hospital A needs to use the authentication service for the Web-side account system to authenticate and authorize the doctor;
at the same time, the patient side (C side, for example the mobile side) can, after logging in with a patient account to the patient services provided by the service platform of Hospital A, jump through SSO to other patient services provided by the service platform of Hospital B (for example, after logging in to the patient services of Hospital A's platform, in addition to using the registration and other services provided there, the patient can jump through SSO to the patient services of Hospital B's platform to use the text-and-image consultation service); during this SSO process, the service platform of Hospital A also needs to use the authentication service for the C-side account system to authenticate and authorize the patient.
Therefore, the service platform needs to support multiple different types of user authentication and authorization.
Based on this, in the various embodiments of the present application, the service platform can determine the authentication end corresponding to the user according to the user-authentication-related information and thus authenticate the identity of the user by using the corresponding authentication end; in this way, different authentication ends can be used within one service platform to authenticate different types of users, achieving effective authentication and authorization of different types of users and thereby providing different service jumps or authentication for different types of users.
The authentication system provided in the embodiments of the present application includes a service platform and a first client. The specific processing of the service platform and the first client is described in detail below.
本申请实施例提供了一种认证方法,应用于业务平台,比如,医疗业务平台等;如图1所示,该方法包括:The embodiment of the present application provides an authentication method, which is applied to a business platform, such as a medical business platform, etc. As shown in FIG1 , the method includes:
步骤101:接收第一客户端发送的第一请求,所述第一请求用于请求对 用户进行授权;Step 101: Receive a first request sent by a first client, wherein the first request is used to request a User authorization;
步骤102:响应于所述第一请求,确定第一信息,所述第一信息包含所述第一客户端的用户认证相关信息;Step 102: In response to the first request, determine first information, where the first information includes user authentication related information of the first client;
步骤103:基于所述第一信息,从所述业务平台的至少两个第一服务中确定目标第一服务;所述第一服务用于对用户进行身份认证,不同第一服务对应的用户类型不同;Step 103: Based on the first information, determine a target first service from at least two first services of the business platform; the first service is used to authenticate the user, and different first services correspond to different user types;
步骤104:利用所述目标第一服务对所述用户进行身份认证;Step 104: Utilize the target first service to authenticate the user;
步骤105:在身份认证通过的情况下,生成授权信息并将所述授权信息发送到所述第一客户端;所述授权信息用于供所述第一客户端从所述业务平台获取资源。Step 105: When the identity authentication is successful, generate authorization information and send the authorization information to the first client; the authorization information is used for the first client to obtain resources from the service platform.
其中,实际应用时,所述授权信息也可以称为access token,本申请实施例对此不作限定,只要能实现其功能即可。In actual application, the authorization information can also be called access token. The embodiment of the present application does not limit this, as long as its function can be achieved.
实际应用时,所述第一客户端可理解为需要进行授权或SSO的平台,包括平台的前端应用和后端平台服务;实际应用时,所述第一客户端也可以称为授权客户端,还可以称为OAuth客户端,本申请实施例对此不作限定,只要能实现其功能即可;其中,所述第一客户端的前端应用运行在终端上,所述接收第一客户端发送的第一请求,可理解为,接收终端上第一客户端的前端应用发送的第一请求;所述终端具体可以是手机、计算机、平板电脑等终端设备。In actual application, the first client can be understood as a platform that needs authorization or SSO, including the front-end application and back-end platform service of the platform; in actual application, the first client can also be called an authorization client, or an OAuth client, and the embodiment of the present application does not limit this, as long as its function can be achieved; wherein, the front-end application of the first client runs on the terminal, and the receiving of the first request sent by the first client can be understood as receiving the first request sent by the front-end application of the first client on the terminal; the terminal can specifically be a terminal device such as a mobile phone, a computer, or a tablet computer.
实际应用时,在步骤102中,所述第一信息也可以称为用户认证端信息,本申请实施例对此不作限定,只要能实现其功能即可。所述第一信息可以理解为所述业务平台为所述第一客户端配置的用户认证信息,具体地,所述第一信息可以包含所述第一服务认证相关的信息,从而使所述业务平台能够确定用于对所述第一客户端进行认证的第一服务。In actual application, in step 102, the first information may also be referred to as user authentication terminal information, which is not limited in the present application embodiment as long as its function can be realized. The first information may be understood as user authentication information configured by the service platform for the first client. Specifically, the first information may include information related to the first service authentication, so that the service platform can determine the first service for authenticating the first client.
实际应用时,在得到所述第一信息之前,所述业务平台需要先为所述第一客户端配置所述第一信息。In actual application, before obtaining the first information, the service platform needs to configure the first information for the first client.
基于此,在一实施例中,所述方法还可以包括:Based on this, in one embodiment, the method may further include:
配置所述第一客户端的用户认证相关信息并存储。Configure and store user authentication related information of the first client.
实际应用时,所述业务平台根据所述第一客户端对应的用户类型,也就是根据所述第一客户端服务的对象,为所述第一客户端配置对应用户认证相关信息;具体地,所述业务平台根据第一客户端的标识(比如,客户端标识(client_id))确定第一客户端服务的用户类型,生成对应的用户认证相关信息,其中,用户认证相关信息用于确定对所述第一客户端进行认证的第一服务。示例性地,在HIS应用场景下,当业务平台根据第一客户端的client_id确定第一客户端对Web端账户体系的用户(医生用户)提供服务时,业务平台将为第一客户端生成Web端账户体系对应的用户认证信息,从而在业务平台接收到第一客户端发送的请求时,根据用户认证信息,跳转到Web端账户体系关联的第一服务进行用户身份认证;当业务平台根 据第一客户端的client_id确定第一客户端服务于C端账户体系的用户(患者用户)时,业务平台将为第一客户端生成C端账户体系对应的用户认证信息,从而在业务平台接收到第一客户端发送的请求时,根据用户认证信息,跳转到C端账户体系关联的第一服务进行用户身份认证。实际应用时,所述用户类型也可以称为用户认证端类型,还可以称为用户账户体系,本申请实施例对此不作限定,只要能实现其功能即可。In actual application, the business platform configures corresponding user authentication related information for the first client according to the user type corresponding to the first client, that is, according to the object served by the first client; specifically, the business platform determines the user type served by the first client according to the identifier of the first client (for example, the client identifier (client_id)), and generates corresponding user authentication related information, wherein the user authentication related information is used to determine the first service to authenticate the first client. 
Exemplarily, in the HIS application scenario, when the business platform determines that the first client provides services to the user (doctor user) of the Web-side account system according to the client_id of the first client, the business platform will generate user authentication information corresponding to the Web-side account system for the first client, so that when the business platform receives the request sent by the first client, it will jump to the first service associated with the Web-side account system according to the user authentication information to perform user identity authentication; when the business platform root When the first client is determined to be a user (patient user) serving the C-end account system according to the client_id of the first client, the business platform will generate user authentication information corresponding to the C-end account system for the first client, so that when the business platform receives the request sent by the first client, it will jump to the first service associated with the C-end account system for user identity authentication according to the user authentication information. In actual application, the user type can also be called the user authentication end type, or the user account system. This embodiment of the application does not limit this, as long as its function can be realized.
In actual application, the user types may be classified by the service platform according to the specific application requirements of the service. For example, in the HIS application scenario, the Web-side account system may be configured to contain doctor users and the C-side account system to contain patient users; alternatively, the Web-side account system may be configured to contain doctor users and patient users, and the C-side account system to contain caregiver users. The specific classification is determined by the service platform according to actual usage requirements, and the embodiments of the present application do not limit this.
In actual application, after configuring and storing the user authentication information of the first client, the service platform, when receiving a request sent by the first client, can obtain the first information from the user authentication information stored in its local database according to the identifier of the first client (for example, client_id). Based on this, in one embodiment, determining the first information may include: determining the first information from the locally stored user-authentication-related information of the client. Of course, the service platform may also send the configured user-authentication-related information to the first client; when the first client sends the first request, it may carry the corresponding user-authentication-related information in the first request, so that the service platform obtains the first information from the first request. Based on this, in one embodiment, determining the first information may include: obtaining the first information from the first request.
In actual application, the first information may consist of one or more kinds of information capable of representing the first service, so that the service platform can determine, according to the first information, the first service used to authenticate the user.
Based on this, in one embodiment, the first information includes at least one of the following:
first service identifier;
user type;
user authentication interface information.
In actual application, the first service identifier is used by the service platform to identify the first service corresponding to the user. The first service identifier may be generated by the service platform, for example a universally unique identifier (UUID) or a globally unique identifier (GUID), or it may be a database identity (ID), that is, the ID of the first information in the database that stores the registration information. The first service identifier may also be called the unique identifier of the user authentication end; the embodiments of the present application do not limit this, as long as the function can be realized.
In actual application, the user type is associated with the first service, and the service platform can determine the first service corresponding to the user according to the association between the user type and the first service. In actual application, the user type may be expressed in different forms. For example, the user type may be administrator (admin) or user (user), where admin represents the doctor side and its corresponding first service is the first service of the Web-side account system, and user represents the patient side and its corresponding first service is the first service of the C-side account system. For another example, the user type may be 1 or 2, where 1 represents the doctor side and its corresponding first service is the first service of the Web-side account system, and 2 represents the patient side and its corresponding first service is the first service of the C-side account system. The specific form of the user type may be determined according to actual application requirements, and the embodiments of the present application do not limit this.
In actual application, the user authentication interface information may include information about the interface through which the service platform authenticates the user, and is used by the service platform to verify the user's authentication status, for example whether the user exists, whether the user is locked, and whether the user name and password are correct.
In one embodiment, the user authentication interface information may include one of the following:
remote-call-related information;
internal-call-related information;
user-authentication-login-related information.
Specifically, the service platform may invoke the authentication interface by an interface call or a method call, that is, use the interface call or the method call to retrieve the corresponding information from the database and verify the user, or it may determine the verification path according to pre-configured user authentication login path information and jump to the corresponding service. The remote-call-related information is the information about the remote call interface used when the first service is invoked by remote call, for example application programming interface (API) information, where the API information may include information about remote procedure call (RPC) interfaces such as RESTful interfaces or Feign interfaces. The internal-call-related information is the information about the internal call interface used when the first service is invoked internally, for example the interface information of a service call, a microservice call or a module method call, where the method call information may include the class name, the method name and other information. The user-authentication-login-related information is information about the user authentication logic, for example user authentication login path information, where the user authentication login path information may include the uniform resource locator (URL) to jump to. In actual application, the user authentication login path information may be actively configured or built in by the service platform, or may be passed in through a request; the embodiments of the present application do not limit this.
In actual application, to facilitate identity authentication of the user by the service platform, when configuring the user authentication interface information the service platform uses the same interface definition for every first service accessed by the same access method (that is, remote call, internal call, or access according to the configured user-authentication-login-related information), for example the same definitions of the output parameters and the input parameters.
In actual application, the first information may further include information related to the user login interaction, for example the URL of the user login interaction interface; the embodiments of the present application do not limit this.
In actual application, the first service is used to authenticate the user. Specifically, after classifying the users, the service platform determines the different user types and the corresponding first services, and each first service can provide the authentication service for users of its user type, for example determining whether the user exists and whether the user identity is valid. The first service may also be called the user authentication end, or the authentication end; the embodiments of the present application do not limit this.
In actual application, all the first services may be implemented together, that is, by one functional module, or separately, that is, by different functional modules; the embodiments of the present application do not limit this. The number of first services may be determined according to the number of network architectures that the service platform needs to support; the embodiments of the present application do not limit this.
In the related art, the OAuth protocol defines fields such as the client type, client_id and client secret (client_secret). The embodiments of the present application add the first information on top of the original fields defined by the OAuth protocol, so that clients (that is, first clients) in different demand scenarios are assigned their corresponding first services, and the service platform, after receiving a request from a first client, can jump to a different first service according to the first information of that first client and thereby authenticate and authorize different users. It should be noted that the client type defined in the OAuth protocol refers to a confidential client or a public client, which is different from the first information and also different from the user type. In actual application, for each user, the first information may be stored together with the corresponding fields defined in the OAuth protocol as a whole, or stored separately from those fields and associated with them; the embodiments of the present application do not limit this.
In actual application, depending on the application scenario, the identity authentication of the user by the service platform may include login identity authentication and authorization identity authentication, only login identity authentication, or only authorization identity authentication.
Based on this, in one embodiment, authenticating the user by using the target first service may include:
a second service of the service platform authenticates the user by using the target first service, the second service being used at least to manage the login of the user;
and/or,
a third service of the service platform authenticates the user by using the target first service, the third service being used at least to manage the authorization of the user.
Specifically, the login identity authentication is performed in the login stage of the OAuth client and can be implemented by the login management module in the service platform together with the corresponding first service; the authorization identity authentication is performed in the authorization stage of the OAuth client and can be implemented by the authorization module in the service platform together with the corresponding first service. The login management module is configured to manage the login of the user, and the login identity authentication can be understood as the login management module authenticating the user's information; the authorization module is configured to manage the authorization of the user, and the authorization identity authentication can be understood as the authorization module authenticating the user's information. Authenticating the user's information may include authenticating the user's identity information and login information, for example determining whether the user exists, whether the login state is correct, and whether the user's account password is correct. The first service is used to perform the corresponding authentication operation when called by the login management module or the authorization module.
In actual application, the login management module and the authorization module are deployed in the authentication center of the service platform. The first service and the authentication center may be independent microservices, or, in a small system or a unified user center, may be implemented in the same service; the embodiments of the present application do not limit this.
In actual application, during the authentication process, in order to determine whether the first request needs to be sent to the login management module or to the authorization module, that is, to determine the execution logic of the authentication flow, it is first necessary to determine whether the login of the user needs to be managed.
Based on this, in one embodiment, the method may further include:
determining second information, the second information indicating whether the login of the user is to be managed;
authenticating the user by using the target first service based on the second information.
In one embodiment, authenticating the user by using the target first service based on the second information includes one of the following:
when the second information indicates that the login of the user is to be managed, the second service in the service platform manages the login of the user and, during the management process, authenticates the user by using the target first service; when the identity authentication passes, the third service in the service platform generates the authorization information for the user;
when the second information indicates that the login of the user is to be managed, the second service in the service platform manages the login of the user and, during the login management process, performs login identity authentication on the user by using the target first service; when the login identity authentication passes, the third service in the service platform performs authorization identity authentication on the user; when the authorization identity authentication passes, the third service generates the authorization information for the user;
when the second information indicates that the login of the user is not to be managed, the third service in the service platform authenticates the user by using the target first service; when the identity authentication passes, the third service generates the authorization information for the user.
In actual application, whether the login of the user needs to be managed may be determined by the authorization mode of the first client.
Based on this, in one embodiment, determining the second information includes:
determining third information, the third information representing the authorization mode of the first client;
determining the second information based on the third information.
In one embodiment, when the third information indicates that the authorization mode of the first client is the authorization code authorization mode or the implicit authorization mode, the second information indicates that the login of the user is to be managed;
or,
when the third information indicates that the authorization mode of the first client is the password authorization mode or the client authorization mode, the second information indicates that the login of the user is not to be managed.
In actual application, the logic by which the service platform manages the login of the user differs for different user types. Therefore, in order to determine the login authentication logic in different scenarios, the login management module may establish, for each user type, a corresponding second service that manages the login authentication of users of that type.
Based on this, in one embodiment, the method may further include:
when the second information indicates that the login of the user is to be managed, determining, based on the first information, a target second service from at least two second services of the service platform, different second services corresponding to different user types;
communicating with the first client, at least for login, by using the target second service.
Specifically, in one embodiment, authenticating the user by using the target first service includes:
the target second service calls the target first service to authenticate the user.
In actual application, the second service may also be called a login management function; the embodiments of the present application do not limit this, as long as the function can be realized.
In actual application, the at least two second services may be implemented separately, that is, by different functional modules, or together, that is, by the same functional module, which identifies and processes them through different information; the embodiments of the present application do not limit this.
Exemplarily, in the HIS application scenario, the at least two second services are implemented together, that is, different second services are implemented by the same functional module. When a second service needs to implement the login management function for the doctor side, the client type (client_type) parameter of the OAuth protocol is defined as doctor; when a second service needs to implement the login management function for the patient side, the client_type parameter of the OAuth protocol is defined as patient.
In actual application, login management mainly comprises two operations: login state verification and not-logged-in processing. Specifically, the login management module first determines the login state of the user and, when the user is not logged in to the service platform, performs not-logged-in processing to guide the user through the corresponding login operation. The not-logged-in processing includes login user interaction, login verification and login authentication. The user interaction includes the login page presented by the first client, that is, the human-computer interaction interface, for example a doctor login page presented on the doctor side and a patient login page presented to the patient. The login verification includes security checks on the user logging in, for example image captcha verification and SMS random code verification. The login identity authentication includes verification of the user's login information, for example whether the user exists, whether the user is in the logged-in state, and whether the user name and password are correct. When the login identity authentication passes, the authorization module directly generates the authorization information, or the authorization module performs authorization identity authentication on the user. Correspondingly, when the user is already logged in to the service platform, not-logged-in processing is unnecessary and the authorization module directly performs authorization identity authentication.
Based on this, in one embodiment, the second service managing the login of the user may include:
the second service confirms the login state of the user and, when the user is not logged in, performs not-logged-in processing on the user, the not-logged-in processing including login user interaction, login verification and login authentication.
In actual application, the login verification and the login authentication may be implemented separately or together; the embodiments of the present application do not limit this.
For users who require not-logged-in processing, the service modules and authentication logic corresponding to different user types differ, that is, different second services manage logins differently. Specifically, different second services define different not-logged-in processing logic, for example login method logic, login verification logic and login authentication logic, so that during not-logged-in processing, users of different types are handled according to the corresponding processing logic.
Exemplarily, as shown in FIG. 2, the login management module includes two second services, which manage the logins of users of the Web-side account system and of the C-side account system respectively. The not-logged-in processing flow of one second service includes a first login user interaction, a first login verification and a first login authentication, and that of the other second service includes a second login user interaction, a second login verification and a second login authentication. When the service platform receives the first request sent by the first client, it determines, for users who require not-logged-in processing, the second service to be used for login management, that is, the target second service, according to the first information.
As shown in FIG. 3, the not-logged-in processing includes:
Step 301: the target second service obtains login-interaction-related information from the client management module of the service platform according to the first information;
specifically, the login-interaction-related information, which may also be called login user interaction information (the embodiments of the present application do not limit this), is obtained from the OAuth client management module according to the first service identifier, the user type or the user authentication interface information in the first information; here, the login-interaction-related information includes the parameter information of the interaction between the target second service and the first client, for example the login method selected by the user and the parameters of the login page;
Step 302: based on the login-interaction-related information, execute the corresponding user interaction, that is, the first login user interaction or the second login user interaction;
Step 303: based on the login-interaction-related information, perform the corresponding login verification, that is, the first login verification or the second login verification;
Step 304: based on the login-interaction-related information, call the user authentication interface of the corresponding authentication end (that is, the first service) to verify the user's login information, that is, perform the first login authentication or the second login authentication; specifically, verify whether the user exists, whether the user is in the logged-in state, and whether the user name and password are correct.
In actual application, when the user passes the login identity authentication, or the user does not require login management, or the user is already logged in, the authorization module authenticates the user. When the user requires login management, that is, the authorization mode of the first client is the authorization code authorization mode or the implicit authorization mode, the authorization module can obtain the user's user information from the logged-in user information, generate the authorization information and send it to the first client. When the user does not require login management, that is, the authorization mode of the first client is the password authorization mode or the client authorization mode, the authorization module can directly call the corresponding first service to authenticate the user's password information and, when the authentication passes, send the authorization information to the first client. The user password information may be carried in the first request.
Exemplarily, as shown in FIG. 4, the process by which the authorization module issues the authorization information includes:
Step 401: determine the authorization mode of the first client based on the user authentication interface information, that is, obtain the authorization mode and data from the authorization interface, which is to say determine the third information;
Step 402: determine whether identity authentication is required, that is, determine the second information based on the third information; when identity authentication is required, perform step 403; when it is not required, perform step 405;
Step 403: obtain the user authentication end information according to the unique identifier of the first client (that is, the OAuth client);
Step 404: perform the corresponding identity authentication according to the user authentication end information, that is, authenticate the OAuth client, and when the identity authentication passes, perform step 405;
specifically, call the corresponding first service to authenticate the first client; for example, when the authorization mode of the first client is the password authorization mode, verify whether the user name and password are correct, whether the user exists, and whether the user password is valid;
Step 405: issue an access token to the first client.
Specifically, the access token is issued to a logged-in user or to a user who has passed authentication.
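The flow described above (first information looked up by client_id, a target first service chosen per user type, the second information derived from the client's authorization mode, and the authorization module issuing the token) as an added Python example. This is illustrative code written for this page, not the applicant's implementation: the client records, user records, service identifiers and method names are constructed, the authorization modes are spelled with their OAuth grant_type names (authorization_code, implicit, password, client_credentials), and the example takes the variant in which the first information is read from the platform's local store rather than from the request, so the routing decision rests on the registered client record.

```python
# Toy routing authorizer (added example, not the applicant's code); all records are constructed.
import hashlib
import secrets
from dataclasses import dataclass

LOGIN_MANAGED_GRANTS = {"authorization_code", "implicit"}   # login handled by a second service
UNMANAGED_GRANTS = {"password", "client_credentials"}      # third service calls the first service

def _digest(secret):
    """Toy digest so no clear-text secret is stored; real services use a salted slow hash."""
    return hashlib.sha256(secret.encode()).hexdigest()

@dataclass(frozen=True)
class FirstInfo:  # first information, kept beside the OAuth client fields
    service_id: str      # first service identifier (UUID/GUID/database id in the text)
    user_type: str       # user type / account system, e.g. "doctor" or "patient"
    auth_interface: str  # user authentication interface info (an internal call name here)

@dataclass(frozen=True)
class Client:
    client_id: str
    client_secret_digest: str
    client_type: str     # OAuth client type ("confidential"/"public"), not the user type
    grant_type: str      # third information: the client's authorization mode
    first_info: FirstInfo

class FirstService:
    """A first service (authentication end); every one exposes the same authenticate()."""
    def __init__(self, user_type, users):
        self.user_type = user_type
        self._users = users  # username -> {"pw": digest, "locked": bool}

    def authenticate(self, username, password):
        rec = self._users.get(username)
        if rec is None:
            return False, "user_not_found"
        if rec["locked"]:
            return False, "user_locked"
        if not secrets.compare_digest(rec["pw"], _digest(password)):
            return False, "bad_credentials"
        return True, "ok"

class BusinessPlatform:
    def __init__(self, clients, first_services):
        self._clients = {c.client_id: c for c in clients}
        self._first_services = first_services   # service_id -> FirstService
        self._sessions = set()                  # logged-in (user_type, username) pairs

    def select_first_service(self, client_id):
        """First information comes from the stored client record; the registered service
        must agree with the user type the first information names."""
        info = self._clients[client_id].first_info
        svc = self._first_services[info.service_id]
        if svc.user_type != info.user_type:
            raise ValueError("first information inconsistent with registered service")
        return info, svc

    @staticmethod
    def login_managed(grant_type):
        """Second information derived from the third information (the grant type)."""
        if grant_type not in LOGIN_MANAGED_GRANTS | UNMANAGED_GRANTS:
            raise ValueError("unsupported grant type: " + grant_type)
        return grant_type in LOGIN_MANAGED_GRANTS

    def _issue(self, client, subject, info):
        # Third service: issue the authorization information (an opaque token here).
        return {"access_token": secrets.token_urlsafe(24), "sub": subject,
                "user_type": info.user_type, "client_id": client.client_id}

    def handle_request(self, client_id, client_secret="", username="", password="", login_check_ok=True):
        """Handle the first request: route to the target first service, then authorize."""
        client = self._clients.get(client_id)
        if client is None or (client.client_type == "confidential" and not
                secrets.compare_digest(client.client_secret_digest, _digest(client_secret))):
            return {"error": "invalid_client"}
        info, target = self.select_first_service(client_id)
        if self.login_managed(client.grant_type):
            # Second service: login state check, then not-logged-in processing if needed.
            if (info.user_type, username) not in self._sessions:
                if not login_check_ok:               # login verification (captcha/SMS code)
                    return {"error": "login_check_failed"}
                ok, reason = target.authenticate(username, password)  # login authentication
                if not ok:
                    return {"error": reason}
                self._sessions.add((info.user_type, username))
            return self._issue(client, username, info)
        # Not login-managed: the third service calls the target first service directly.
        ok, reason = target.authenticate(username, password)
        return self._issue(client, username, info) if ok else {"error": reason}

# Constructed registry: a Web-side (doctor) and a C-side (patient) account system.
DOCTOR_SVC = FirstService("doctor", {"dr_li": {"pw": _digest("Doc-pass-1"), "locked": False}})
PATIENT_SVC = FirstService("patient", {
    "pat_wang": {"pw": _digest("Pat-pass-2"), "locked": False},
    "pat_zhao": {"pw": _digest("Pat-pass-3"), "locked": True}})
PLATFORM = BusinessPlatform([
    Client("his-web", _digest("web-secret"), "confidential", "authorization_code",
           FirstInfo("svc-doctor-0001", "doctor", "DoctorAuth.authenticate")),
    Client("his-app", "", "public", "password",
           FirstInfo("svc-patient-0001", "patient", "PatientAuth.authenticate")),
], {"svc-doctor-0001": DOCTOR_SVC, "svc-patient-0001": PATIENT_SVC})
```

Calling `PLATFORM.handle_request("his-web", "web-secret", "dr_li", "Doc-pass-1")` runs the login-managed path and records the login state, so a second request for the same user skips not-logged-in processing; a request through `his-app` goes straight from the authorization step to the patient first service, and doctor credentials presented there are rejected with `user_not_found` because only the patient account system is consulted. The OAuth client type (confidential/public) only decides whether the client secret is checked, which is the distinction from the user type that the text draws.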
In the authentication method provided by the embodiments of the present application, the service platform receives a first request sent by a first client, the first request requesting authorization for a user; in response to the first request, it determines first information, the first information including user-authentication-related information of the first client; based on the first information, it determines a target first service from at least two first services of the service platform, the first services being used to authenticate users and different first services corresponding to different user types; it authenticates the user by using the target first service; and when the identity authentication passes, it generates authorization information and sends the authorization information to the first client, the authorization information being used by the first client to obtain resources from the service platform. In the solution provided by the embodiments of the present application, the service platform distinguishes users of different types according to the user-authentication-related information and authenticates users of each type through a different authentication service, thereby achieving authentication and authorization of multiple types of users by the service platform.
下面结合应用示例对本申请再作进一步详细的描述。The present application is described in further detail below in conjunction with application examples.
图5为本申请应用示例医疗业务平台结构示意图,如图5所示,所述医疗业务平台主要包括:Authorization Server、Resource Server、第一认证端501和第二认证端502;其中,Authorization Server和Resource Server组成医疗业务平台的统一认证/授权中心。Figure 5 is a schematic diagram of the structure of the medical business platform of the application example of this application. As shown in Figure 5, the medical business platform mainly includes: Authorization Server, Resource Server, a first authentication terminal 501 and a second authentication terminal 502; wherein, the Authorization Server and the Resource Server constitute a unified authentication/authorization center of the medical business platform.
下面对OAuth客户端、Authorization Server、Resource Server、第一认证端501和第二认证端502的功能分别进行详细说明。The functions of the OAuth client, Authorization Server, Resource Server, the first authentication terminal 501 and the second authentication terminal 502 are described in detail below.
OAuth客户端,配置为请求从所述业务平台获取access token;具体实现可以是B端或C端。The OAuth client is configured to request an access token from the business platform; the specific implementation can be the B-end or the C-end.
第一认证端501,配置为对医生端进行登录认证和身份认证。The first authentication terminal 501 is configured to perform login authentication and identity authentication on the doctor terminal.
第二认证端502,配置为对患者端进行登录认证和身份认证。 The second authentication terminal 502 is configured to perform login authentication and identity authentication on the patient terminal.
Authorization Server,配置为对所述OAuth客户端进行认证和为所述OAuth客户端颁发access token;所述Authorization Server包括登录管理模块503、授权码(code)管理模块504、授权模块505和OAuth客户端管理模块506;其中,The Authorization Server is configured to authenticate the OAuth client and issue an access token to the OAuth client; the Authorization Server includes a login management module 503, an authorization code management module 504, an authorization module 505 and an OAuth client management module 506; wherein,
登录管理模块503,配置为对所述OAuth客户端进行登录管理,比如,验证所述OAuth客户端的登录状态,调用所述第一认证端或所述第二认证端对所述OAuth客户端进行登录认证;其中,所述登录管理模块503包括第一登录管理功能和第二登录管理功能,即第二服务,所述第一登录管理功能用于对医生端进行登录管理,所述第二登录管理功能用于对患者端进行登录管理;The login management module 503 is configured to perform login management on the OAuth client, for example, verify the login status of the OAuth client, and call the first authentication end or the second authentication end to perform login authentication on the OAuth client; wherein the login management module 503 includes a first login management function and a second login management function, i.e., a second service, wherein the first login management function is used to perform login management on the doctor end, and the second login management function is used to perform login management on the patient end;
code管理模块504,配置为对code进行管理;A code management module 504, configured to manage the code;
授权模块505,配置为对所述OAuth客户端进行身份认证,以及为所述OAuth客户端颁发access token;An authorization module 505 is configured to authenticate the OAuth client and issue an access token to the OAuth client;
OAuth客户端管理模块506,配置为对用户认证端信息进行管理。其中,如图6所示,所述用户认证端信息包括用户信息和认证信息,其中,用户信息包含client_id和client_secret,认证信息包含用户认证端唯一识别符、用户认证端类型和用户认证接口信息,如图7所示;将所述用户认证端信息进行存储时,可以将所述用户信息和所述认证信息进行组合后存储在一起,也可以将所述用户信息和所述认证信息分别存储,并进行关联,从而使所述业务平台可以根据所述用户信息获取对应的用户认证端信息。The OAuth client management module 506 is configured to manage the user authentication terminal information. As shown in FIG6 , the user authentication terminal information includes user information and authentication information, wherein the user information includes client_id and client_secret, and the authentication information includes the user authentication terminal unique identifier, the user authentication terminal type, and the user authentication interface information, as shown in FIG7 ; when storing the user authentication terminal information, the user information and the authentication information can be combined and stored together, or the user information and the authentication information can be stored separately and associated, so that the business platform can obtain the corresponding user authentication terminal information according to the user information.
Based on the above architecture diagram and in combination with different application scenarios, the application examples of this application are further explained below.
Application Example 1
In this application example, the user authentication end information is obtained from the OAuth client management module; it contains the user authentication interface information and login-related information. By way of example, a concrete form of the user authentication end information is shown in Table 1; the user authentication API interface is either an internal RESTful interface or a Feign interface of a microservice architecture.
Table 1
The access token acquisition method of this application example includes:
Step 1: when the doctor end (Web end) jumps to a third-party Web service through the SSO service, the OAuth client management module identifies the client identifier of the doctor end as web_client1 and generates a corresponding OAuth client identifier web_client2 for the third-party service, which indicates that the authentication end type of the third-party service is the Web user authentication end, thereby closing the SSO loop for Web-end users; web_client1 and web_client2 share the same configuration;
Step 2: the Authorization Server obtains from the interface information that the authorization mode of the doctor end is the authorization code authorization mode;
Step 3: the first login management function determines that the user is not logged in and determines from the request parameters of the doctor end that the client_id is web_client1;
Step 4: the first login management function obtains the user authentication end information from the OAuth client management module; the user authentication end information includes login information and API interface information, and by way of example is shown in Table 2;
Table 2
Step 5: the first login management function carries out the user login interaction and user verification on the basis of the information obtained;
Step 6: the first login management function, on the basis of the user authentication end information, calls the first authentication end to perform login authentication for the doctor end, and proceeds to step 7 if the login authentication passes; the login authentication specifically includes determining whether the user exists, whether the user is logged in, whether the user name and password are correct, and so on;
Step 7: the authorization module, on the basis of the user authentication end information, calls the first authentication end to perform identity authentication for the doctor end, and issues an access token to the doctor end if the identity authentication passes; the identity authentication specifically includes determining whether the user exists, whether the user is logged in, whether the user name and password are correct, and so on.
Application Example 2
In this application example, the user authentication end information is obtained from the OAuth client management module; it contains the user authentication interface information and login-related information. By way of example, a concrete form of the user authentication end information is shown in Table 1; the user authentication API interface is either an internal RESTful interface or a Feign interface of a microservice architecture.
The access token acquisition method of this application example includes:
Step 1: when the patient end (H5 end) jumps to a third-party H5 service through the SSO service, the OAuth client management module generates a corresponding OAuth client identifier h5_client1 for the third-party service, which indicates that the authentication end type of the third-party H5 service is the C-end user authentication end, thereby closing the SSO loop for C-end users; the configuration of h5_client1 is the same as the configuration of the C-end user authentication system;
Step 2: the Authorization Server obtains from the interface information that the authorization mode of the patient end is the authorization code authorization mode;
Step 3: the second login management function determines that the user is not logged in and determines from the request parameters of the patient end that the client_id is H5_client1;
Step 4: the second login management function obtains the user authentication end information from the OAuth client management module; the user authentication end information includes login information and API interface information, and by way of example is shown in Table 2;
Step 5: the second login management function carries out the user login interaction and user verification on the basis of the information obtained;
Step 6: the second login management function, on the basis of the user authentication end information, calls the second authentication end to perform login authentication for the patient end, and proceeds to step 7 if the login authentication passes; the login authentication specifically includes determining whether the user exists, whether the user is logged in, whether the user name and password are correct, and so on;
Step 7: the authorization module, on the basis of the user authentication end information, calls the second authentication end to perform identity authentication for the patient end, and issues an access token to the patient end if the identity authentication passes; the identity authentication specifically includes determining whether the user exists, whether the user is logged in, whether the user name and password are correct, and so on.
Application Example 3
In this application example, the medical service platform obtains the user authentication end information from the request sent by the OAuth client.
The access token acquisition method of this application example includes:
Step 1: the doctor end (Web end) sends an access token acquisition request to the Authorization Server; the request carries user authentication end information that includes client_Type, where a client_Type of 1 indicates that the user authentication end is a B-end user;
Step 2: the Authorization Server reads from the request parameters that the client_id is Web_client1 and client_Type is 1, determines that the OAuth client is the doctor end, determines that the user is not logged in, and forwards the request to the first login management function for processing;
Step 3: the first login management function carries out the login interaction and login verification for the patient end.
Step 4: the first login management function, on the basis of the user authentication end information, calls the first authentication end to perform user login authentication for the doctor end, and proceeds to step 5 if the login authentication passes; the login authentication specifically includes determining whether the user exists, whether the user is logged in, whether the user name and password are correct, and so on;
Step 5: the authorization module, on the basis of the user authentication end information, calls the first authentication end to perform identity authentication for the doctor end, and issues an access token to the doctor end if the identity authentication passes; the identity authentication specifically includes determining whether the user exists, whether the user is logged in, whether the user name and password are correct, and so on.
Application Example 4
In this application example, the medical service platform obtains the user authentication end information from the request sent by the OAuth client.
The access token acquisition method of this application example includes:
Step 1: the patient end (H5 end) sends an access token acquisition request to the Authorization Server; the request carries user authentication end information that includes client_Type, where a client_Type of 2 indicates that the user authentication end is a C-end user;
Step 2: the Authorization Server reads from the request parameters that the client_id is h5_client1 and client_Type is 2, determines that the OAuth client is the patient end, determines that the user is not logged in, and forwards the request to the second login management function for processing;
Step 3: the second login management function carries out the login interaction and login verification for the patient end.
Step 4: on the basis of the user authentication end information, user login authentication is performed for the patient end, and the method proceeds to step 5 if the login authentication passes; the login authentication specifically includes determining whether the user exists, whether the user is logged in, whether the user name and password are correct, and so on;
Step 5: the authorization module, on the basis of the user authentication end information, calls the second authentication end to perform identity authentication for the patient end, and issues an access token to the patient end if the identity authentication passes; the identity authentication specifically includes determining whether the user exists, whether the user is logged in, whether the user name and password are correct, and so on.
Through the first login management function and the second login management function, the application examples of this application recognize and manage the login management flows of different account systems (doctor end and patient end), and through the first authentication end and the second authentication end they authenticate the OAuth clients of the different account systems, so that a single service platform supports authentication and authorization for multiple account systems at the same time. No additional custom development of the service platform is needed, no multiple authentication/authorization centers need to be deployed, and authentication of OAuth clients belonging to multiple account systems is supported. Further, on the basis of the fields defined by the OAuth protocol, the application examples add the user authentication end information, which improves the security of the OAuth authorization process.
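The routing that the four application examples describe, written out as an added Python example; it is not part of the patent and not code from the applicant. It takes the first information either from a local client registry (examples 1 and 2) or from a client_Type carried in the request (examples 3 and 4), picks the first service for that user type, and applies the rule from the embodiments that authorization code and implicit modes go through login management while password and client credential modes are authenticated directly by the authorization module. The client ids mirror the examples; the secrets, the service names first_auth_end and second_auth_end, the user names, passwords and the report_job client are constructed placeholders. The cross-check of a request-supplied client_Type against the registered type is an assumption added here, not something the page specifies.

```python
"""Route an OAuth token request to the authentication service for the client's user type."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple

# client_Type values as used in application examples 3 and 4 of the page
B_END_DOCTOR, C_END_PATIENT = 1, 2

# Authorization modes that go through the second service (login management)
# versus those the third service (authorization module) authenticates directly.
LOGIN_MANAGED_GRANTS = {"authorization_code", "implicit"}
DIRECT_GRANTS = {"password", "client_credentials"}


@dataclass(frozen=True)
class ClientRecord:
    """User authentication end information kept by the OAuth client management module."""
    client_secret: str
    client_type: int       # account system (user type) this client belongs to
    grant_type: str        # authorization mode taken from the interface information
    auth_service: str      # hypothetical name of the first service for this user type


# Constructed registry: ids mirror the page's examples, everything else is a placeholder.
CLIENT_REGISTRY = {
    "web_client1": ClientRecord("doctor-client-secret", B_END_DOCTOR, "authorization_code", "first_auth_end"),
    "h5_client1": ClientRecord("patient-client-secret", C_END_PATIENT, "authorization_code", "second_auth_end"),
    "report_job": ClientRecord("job-client-secret", B_END_DOCTOR, "password", "first_auth_end"),
}


def _pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def _make_user(password: str) -> Tuple[bytes, bytes]:
    salt = secrets.token_bytes(16)
    return salt, _pw_hash(password, salt)


# Constructed credential stores standing in for the first (doctor) and second (patient)
# authentication ends; each first service only knows its own account system.
AUTH_SERVICES = {
    "first_auth_end": {"dr_li": _make_user("Doctor#pass1")},
    "second_auth_end": {"pat_wang": _make_user("Patient#pass1")},
}


def needs_login_management(grant_type: str) -> bool:
    """Second information: whether the second service must manage the user's login."""
    if grant_type in LOGIN_MANAGED_GRANTS:
        return True
    if grant_type in DIRECT_GRANTS:
        return False
    raise ValueError(f"unsupported authorization mode: {grant_type}")


def resolve_first_info(client_id: str, request_client_type: Optional[int] = None) -> ClientRecord:
    """First information from the local registry, cross-checked against any client_Type in
    the request (assumption added here: a mismatch is rejected, so the request cannot
    steer a client into an account system it was not registered for)."""
    rec = CLIENT_REGISTRY.get(client_id)
    if rec is None:
        raise PermissionError("unknown client_id")
    if request_client_type is not None and request_client_type != rec.client_type:
        raise PermissionError("client_Type in request does not match registered type")
    return rec


def authenticate(service_name: str, username: str, password: str) -> bool:
    """Target first service: check that the user exists and the password is valid."""
    entry = AUTH_SERVICES[service_name].get(username)
    if entry is None:
        _pw_hash(password, b"\x00" * 16)   # same cost for unknown users as for wrong passwords
        return False
    salt, expected = entry
    return hmac.compare_digest(_pw_hash(password, salt), expected)


def handle_token_request(req: dict, logged_in_users: set) -> dict:
    """Authorization Server entry point for an access token acquisition request."""
    rec = resolve_first_info(req["client_id"], req.get("client_Type"))
    if not hmac.compare_digest(rec.client_secret, req.get("client_secret", "")):
        return {"error": "invalid_client"}
    username = req.get("username", "")
    managed = needs_login_management(rec.grant_type)
    if managed and username not in logged_in_users:
        # Second service path: login authentication via the target first service, then a session.
        if not authenticate(rec.auth_service, username, req.get("password", "")):
            return {"error": "login_failed", "service": rec.auth_service}
        logged_in_users.add(username)
    elif not managed:
        # Third service path: authenticate directly; no login session is created.
        if not authenticate(rec.auth_service, username, req.get("password", "")):
            return {"error": "invalid_grant", "service": rec.auth_service}
    # Authorization information: an opaque token recorded against client and user type.
    return {"access_token": secrets.token_urlsafe(32), "client_id": req["client_id"],
            "user_type": rec.client_type, "service": rec.auth_service}
```

The token is opaque here; binding it to the user type at issue time is what lets the Resource Server later tell a doctor-end token from a patient-end token without re-querying either authentication end.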
In order to implement the method of this application, the embodiment of this application further provides an authentication apparatus arranged on the service platform. As shown in Figure 8, the apparatus includes:
a receiving unit 801, configured to receive a first request sent by a first client, the first request requesting authorization for a user;
a determining unit 802, configured to determine, in response to the first request, first information containing user authentication related information of the first client, and to determine, based on the first information, a target first service from at least two first services of the service platform, where a first service is used to authenticate users and different first services correspond to different user types;
an authentication unit 803, configured to authenticate the user with the target first service;
an authorization unit 804, configured to generate authorization information when the authentication passes and send it to the first client, the authorization information being used by the first client to obtain resources from the service platform.
In one embodiment, the authentication unit 803 is configured to:
authenticate the user with the target first service through a second service of the service platform, the second service being used at least to manage the user's login;
and/or,
authenticate the user with the target first service through a third service of the service platform, the third service being used at least to manage the user's authorization.
In one embodiment, the determining unit 802 is further configured to:
determine second information indicating whether the user's login is to be managed;
authenticate the user with the target first service on the basis of the second information.
In one embodiment, when the second information indicates that the user's login is to be managed, the second service in the service platform manages the user's login, and during the login management process the determining unit 802 is configured to authenticate the user with the target first service; when the authentication passes, the authorization unit 804 generates the authorization information for the user through the third service in the service platform.
In one embodiment, when the second information indicates that the user's login is to be managed, the second service in the service platform manages the user's login, and during the login management process the determining unit 802 is configured to perform login authentication for the user with the target first service; when the login authentication passes, the authorization unit 804 performs authorization authentication for the user through the third service in the service platform; when the authorization authentication passes, the authorization information is generated for the user through the third service.
When the second information indicates that the user's login is not to be managed, the determining unit 802 is configured to authenticate the user with the target first service through the third service in the service platform; when the authentication passes, the authorization unit 804 generates the authorization information for the user through the third service.
In one embodiment, the determining unit 802 is configured to:
determine third information characterizing the authorization mode of the first client;
determine the second information on the basis of the third information.
In one embodiment, when the third information characterizes the authorization mode of the first client as the authorization code authorization mode or the implicit authorization mode, the second information indicates that the user's login is to be managed;
or,
when the third information characterizes the authorization mode of the first client as the password authorization mode or the client credential authorization mode, the second information indicates that the user's login is not to be managed.
In one embodiment, the determining unit 802 is further configured to:
when the second information indicates that the user's login is to be managed, determine, based on the first information, a target second service from at least two second services of the service platform, where different second services correspond to different user types;
communicate with the first client through the target second service, at least for the user's login.
In one embodiment, the first information contains at least one of the following:
a first service identifier;
a user type;
user authentication interface information.
In one embodiment, the user authentication interface information includes one of the following:
remote call related information;
internal call related information;
user authentication and login related information.
In one embodiment, the determining unit 802 is configured to:
determine the first information from locally stored user authentication related information of the client;
or,
obtain the first information from the first request.
In one embodiment, the apparatus further includes:
a configuration unit, configured to configure and store the user authentication related information of the first client.
In practice, the receiving unit 801 and the determining unit 802 may be implemented by a processor in the authentication apparatus together with a communication interface, and the authentication unit 803, the authorization unit 804 and the configuration unit may be implemented by the processor in the authentication apparatus.
It should be noted that when the authentication apparatus provided in the above embodiment performs authentication, the division into the above program modules is only an example; in practice the processing may be assigned to different program modules as needed, that is, the internal structure of the apparatus may be divided into different program modules to complete all or part of the processing described above. In addition, the authentication apparatus of the above embodiment and the authentication method embodiment belong to the same concept; its specific implementation is detailed in the method embodiment and is not repeated here.
基于上述程序模块的硬件实现,且为了实现本申请实施例业务平台侧的方法,本申请实施例还提供了一种业务平台,如图9所示,该业务平台900包括:Based on the hardware implementation of the above program modules, and in order to implement the method of the service platform side of the embodiment of the present application, the embodiment of the present application further provides a service platform, as shown in FIG. 9 , the service platform 900 includes:
通信接口901,能够与第一客户端进行信息交互;比如,接收第一客户端发送的第一请求,向第一客户端发送授权信息;The communication interface 901 is capable of exchanging information with the first client; for example, receiving a first request sent by the first client and sending authorization information to the first client;
处理器902,与所述通信接口901连接,以实现与第一客户端进行信息交互,配置为运行计算机程序时,执行上述业务平台侧一个或多个技术方案提供的方法;A processor 902, connected to the communication interface 901 to implement information interaction with the first client, and configured to execute the method provided by one or more technical solutions of the above-mentioned business platform side when running the computer program;
存储器903,所述计算机程序存储在所述存储器903上。A memory 903 , on which the computer program is stored.
具体地,所述通信接口901,配置为接收第一客户端发送的第一请求,所述第一请求用于请求为用户进行授权;Specifically, the communication interface 901 is configured to receive a first request sent by a first client, where the first request is used to request authorization for a user;
所述处理器902,配置为响应于所述第一请求,确定第一信息,所述第一信息包含所述第一客户端的用户认证相关信息;基于所述第一信息,从所述业务平台的至少两个第一服务中确定目标第一服务;所述第一服务用于对用户进行身份认证,不同第一服务对应的用户类型不同;利用所述目标第一服务对所述用户进行身份认证;在身份认证通过的情况下,生成授权信息并利用所述通信接口901将所述授权信息发送到所述第一客户端;所述授权信息用于所述第一客户端从所述业务平台获取资源。The processor 902 is configured to determine first information in response to the first request, where the first information includes user authentication related information of the first client; based on the first information, determine a target first service from at least two first services of the business platform; the first service is used to authenticate the user, and different first services correspond to different user types; use the target first service to authenticate the user; if the authentication is successful, generate authorization information and send the authorization information to the first client using the communication interface 901; the authorization information is used by the first client to obtain resources from the business platform.
在一实施例中,所述处理器902,配置为:In one embodiment, the processor 902 is configured to:
通过所述业务平台的第二服务利用所述目标第一服务对所述用户进行身份认证;所述第二服务至少用于对所述用户的登录进行管理;Performing identity authentication on the user by using the target first service through the second service of the business platform; the second service is at least used to manage the login of the user;
和/或,and / or,
通过所述业务平台的第三服务利用所述目标第一服务对所述用户进行身份认证;所述第三服务至少用于对所述用户的授权进行管理。The user is authenticated by using the target first service through the third service of the business platform; the third service is at least used to manage the authorization of the user.
在一实施例中,所述处理器902,还配置为:In one embodiment, the processor 902 is further configured to:
确定第二信息,所述第二信息指示是否对所述用户的登录进行管理;determining second information, the second information indicating whether to manage the login of the user;
基于所述第二信息,利用所述目标第一服务对所述用户进行身份认证。Based on the second information, the user is authenticated using the target first service.
在一实施例中,在所述第二信息指示对所述用户的登录进行管理的情况下,所述业务平台中的第二服务对所述用户的登录进行管理,并在登录 管理过程中,所述处理器902配置为利用所述目标第一服务对所述用户进行身份认证;在身份认证通过的情况下,通过所述业务平台中的第三服务为所述用户生成所述授权信息。In one embodiment, when the second information indicates that the user's login is to be managed, the second service in the service platform manages the user's login and manages the login of the user. During the management process, the processor 902 is configured to perform identity authentication on the user using the target first service; if the identity authentication is successful, the authorization information is generated for the user through the third service in the business platform.
在一实施例中,在所述第二信息指示对所述用户的登录进行管理的情况下,所述业务平台中的第二服务对所述用户的登录进行管理,并在登录管理过程中,所述处理器902配置为利用所述目标第一服务对所述用户进行登录身份认证;在登录身份认证通过的情况下,通过所述业务平台中的第三服务为所述用户进行授权身份认证;在授权身份认证通过的情况下,通过所述第三服务为所述用户生成所述授权信息。In one embodiment, when the second information indicates that the login of the user is to be managed, the second service in the business platform manages the login of the user, and during the login management process, the processor 902 is configured to use the target first service to perform login authentication on the user; when the login authentication passes, the third service in the business platform performs authorization authentication for the user; when the authorization authentication passes, the authorization information is generated for the user through the third service.
在一实施例中,在所述第二信息指示不对所述用户的登录进行管理的情况下,所述处理器902配置为所述业务平台中的第三服务利用所述目标第一服务对所述用户进行身份认证;在身份认证通过的情况下,通过所述第三服务为所述用户生成所述授权信息。In one embodiment, when the second information indicates that the login of the user is not to be managed, the processor 902 is configured so that the third service in the business platform uses the target first service to authenticate the user; if the authentication is successful, the authorization information is generated for the user through the third service.
在一实施例中,所述处理器902,配置为:In one embodiment, the processor 902 is configured to:
确定第三信息,所述第三信息表征所述第一客户端的授权模式;Determining third information, where the third information represents an authorization mode of the first client;
基于所述第三信息,确定第二信息。Based on the third information, second information is determined.
在一实施例中,所在所述第三信息表征所述第一客户端的授权模式包括授权码授权模式或者隐式授权模式的情况下,所述第二信息指示对所述用户的登录进行管理;In one embodiment, when the third information represents that the authorization mode of the first client includes an authorization code authorization mode or an implicit authorization mode, the second information indicates that the login of the user is managed;
或者,or,
在所述第三信息表征所述第一客户端的授权模式包括密码授权模式或者客户凭证授权模式的情况下,所述第二信息指示不对所述用户的登录进行管理。In a case where the third information indicates that the authorization mode of the first client includes a password authorization mode or a client credential authorization mode, the second information indicates that login of the user is not to be managed.
In one embodiment, the processor 902 is further configured to:
where the second information indicates that the user's login is to be managed, determine, based on the first information, a target second service from at least two second services of the service platform, different second services corresponding to different user types;
use the target second service to communicate with the first client, at least for user login.
In one embodiment, the processor 902 is configured so that:
the target second service calls the target first service to perform login authentication for the first client.
In one embodiment, the first information includes at least one of the following:
a first service identifier;
a user type;
user authentication interface information.
In one embodiment, the user authentication interface information includes one of the following:
remote call related information;
internal call related information;
user authentication and login related information.
In one embodiment, the processor 902 is configured to:
determine the first information from locally stored user-authentication-related information of the client; or obtain the first information from the first request.
In one embodiment, the processor 902 may further be configured to:
configure and store the user-authentication-related information of the first client.
It should be noted that the specific processing performed by the processor 902 and the communication interface 901 can be understood with reference to the method described above.
Of course, in actual application, the components of the service platform 900 are coupled together through a bus system 904. It will be understood that the bus system 904 is configured to provide connection and communication between these components. In addition to a data bus, the bus system 904 also includes a power bus, a control bus and a status signal bus. For clarity, however, the various buses are all labeled as the bus system 904 in FIG. 9.
The memory 903 in the embodiment of the present application is configured to store various types of data to support the operation of the service platform 900. Examples of such data include any computer program for operating on the service platform 900.
The method disclosed in the above embodiment of the present application may be applied to, or implemented by, the processor 902. The processor 902 may be an integrated circuit chip with signal processing capability. During implementation, each step of the above method may be completed by an integrated logic circuit of hardware in the processor 902 or by instructions in the form of software. The processor 902 may be a general-purpose processor, a digital signal processor (DSP, Digital Signal Processor), another programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, and so on. The processor 902 can implement or execute the methods, steps and logic block diagrams disclosed in the embodiments of the present application. A general-purpose processor may be a microprocessor or any conventional processor. The steps of the method disclosed in the embodiments of the present application may be carried out directly by a hardware decoding processor, or by a combination of hardware and software modules in a decoding processor. The software module may be located in a storage medium, which is located in the memory 903; the processor 902 reads the information in the memory 903 and completes the steps of the above method in combination with its hardware.
In an exemplary embodiment, the service platform 900 may be implemented by one or more application-specific integrated circuits (ASIC, Application Specific Integrated Circuit), DSPs, programmable logic devices (PLD, Programmable Logic Device), complex programmable logic devices (CPLD, Complex Programmable Logic Device), field-programmable gate arrays (FPGA, Field-Programmable Gate Array), general-purpose processors, controllers, micro controller units (MCU, Micro Controller Unit), microprocessors, or other electronic components, configured to perform the method described above.
It will be understood that the memory 903 of the embodiment of the present application may be volatile memory or non-volatile memory, or may include both volatile and non-volatile memory. The non-volatile memory may be read-only memory (ROM, Read Only Memory), programmable read-only memory (PROM, Programmable Read-Only Memory), erasable programmable read-only memory (EPROM, Erasable Programmable Read-Only Memory), electrically erasable programmable read-only memory (EEPROM, Electrically Erasable Programmable Read-Only Memory), magnetic random access memory (FRAM, ferromagnetic random access memory), flash memory (Flash Memory), magnetic surface memory, optical disc, or compact disc read-only memory (CD-ROM, Compact Disc Read-Only Memory); the magnetic surface memory may be magnetic disk storage or magnetic tape storage. The volatile memory may be random access memory (RAM, Random Access Memory), which serves as an external cache. By way of example but not limitation, many forms of RAM are available, such as static random access memory (SRAM, Static Random Access Memory), synchronous static random access memory (SSRAM, Synchronous Static Random Access Memory), dynamic random access memory (DRAM, Dynamic Random Access Memory), synchronous dynamic random access memory (SDRAM, Synchronous Dynamic Random Access Memory), double data rate synchronous dynamic random access memory (DDRSDRAM, Double Data Rate Synchronous Dynamic Random Access Memory), enhanced synchronous dynamic random access memory (ESDRAM, Enhanced Synchronous Dynamic Random Access Memory), SyncLink dynamic random access memory (SLDRAM, SyncLink Dynamic Random Access Memory), and direct Rambus random access memory (DRRAM, Direct Rambus Random Access Memory). The memory described in the embodiments of the present application is intended to include, but is not limited to, these and any other suitable types of memory.
In an exemplary embodiment, the embodiment of the present application further provides a storage medium, namely a computer storage medium, specifically a computer-readable storage medium, for example a memory 903 storing a computer program, where the computer program is executable by the processor 902 of the service platform 900 to complete the steps of the service-platform-side method described above. The computer-readable storage medium may be a memory such as FRAM, ROM, PROM, EPROM, EEPROM, Flash Memory, magnetic surface memory, optical disc, or CD-ROM.
It should be noted that "first", "second", etc. are used to distinguish similar objects and do not necessarily describe a particular order or sequence.
In addition, the technical solutions described in the embodiments of the present application may be combined arbitrarily provided they do not conflict.
The above is only a preferred embodiment of the present application and is not intended to limit the protection scope of the present application.

Claims (14)

  1. An authentication method, applied to a service platform, comprising:
    receiving a first request sent by a first client, the first request requesting authorization for a user;
    in response to the first request, determining first information, the first information including user-authentication-related information of the first client;
    based on the first information, determining a target first service from at least two first services of the service platform, the first services being used to authenticate users, and different first services corresponding to different user types;
    authenticating the user using the target first service;
    where the identity authentication succeeds, generating authorization information and sending the authorization information to the first client.
  2. The method according to claim 1, wherein authenticating the user using the target first service comprises:
    a second service of the service platform authenticating the user using the target first service, the second service being used at least to manage the user's login;
    and/or,
    a third service of the service platform authenticating the user using the target first service, the third service being used at least to manage the user's authorization.
  3. The method according to claim 1, wherein the method further comprises:
    determining second information, the second information indicating whether the user's login is to be managed;
    authenticating the user using the target first service based on the second information.
  4. The method according to claim 3, wherein authenticating the user using the target first service based on the second information comprises one of the following:
    where the second information indicates that the user's login is to be managed, a second service in the service platform managing the user's login and, during the login management process, authenticating the user using the target first service; where the identity authentication succeeds, a third service in the service platform generating the authorization information for the user;
    where the second information indicates that the user's login is to be managed, a second service in the service platform managing the user's login and, during the login management process, performing login identity authentication of the user using the target first service; where the login identity authentication succeeds, a third service in the service platform performing authorization identity authentication of the user; where the authorization identity authentication succeeds, the third service generating the authorization information for the user;
    where the second information indicates that the user's login is not to be managed, a third service in the service platform authenticating the user using the target first service; where the identity authentication succeeds, the third service generating the authorization information for the user.
  5. The method according to claim 3, wherein determining the second information comprises:
    determining third information, the third information representing the authorization mode of the first client;
    determining the second information based on the third information.
  6. The method according to claim 5, wherein
    where the third information indicates that the authorization mode of the first client includes the authorization-code mode or the implicit mode, the second information indicates that the user's login is to be managed;
    or,
    where the third information indicates that the authorization mode of the first client includes the password mode or the client-credentials mode, the second information indicates that the user's login is not to be managed.
  7. The method according to claim 3, wherein the method further comprises:
    where the second information indicates that the user's login is to be managed, determining, based on the first information, a target second service from at least two second services of the service platform, different second services corresponding to different user types;
    using the target second service to communicate with the first client, at least for user login.
  8. The method according to claim 1, wherein the first information includes at least one of the following:
    a first service identifier;
    a user type;
    user authentication interface information.
  9. The method according to claim 8, wherein the user authentication interface information includes one of the following:
    remote call related information;
    internal call related information;
    user authentication and login related information.
  10. The method according to any one of claims 1 to 9, wherein determining the first information comprises:
    determining the first information from locally stored user-authentication-related information of the client;
    or,
    obtaining the first information from the first request.
  11. The method according to claim 10, wherein the method further comprises:
    configuring and storing the user-authentication-related information of the first client.
  12. An authentication apparatus, comprising:
    a receiving unit, configured to receive a first request sent by a first client, the first request requesting authorization for a user;
    a determining unit, configured to determine first information in response to the first request, the first information including user-authentication-related information of the first client, and to determine, based on the first information, a target first service from at least two first services of the service platform, the first services being used to authenticate users, and different first services corresponding to different user types;
    an authentication unit, configured to authenticate the user using the target first service;
    an authorization unit, configured to generate authorization information and send the authorization information to the first client where the identity authentication succeeds, the authorization information being used by the first client to obtain resources from the service platform.
  13. A service platform, comprising a processor and a memory configured to store a computer program runnable on the processor;
    wherein the processor is configured to perform the steps of the method according to any one of claims 1 to 11 when running the computer program.
  14. A storage medium having a computer program stored thereon, the computer program, when executed by a processor, implementing the steps of the method according to any one of claims 1 to 11.
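The flow claimed above (claims 1 to 11, and the processor embodiments that precede them), as an added Python example that is not the patent's own code: the platform resolves the client's "first information" from local configuration or the request, selects the target first service by user type, derives the "second information" from the grant type, and routes either through a login-management (second) service or directly to the authorization (third) service, which issues the authorization information. The client and service names, grant-type strings, token format and user data are all constructed assumptions.

```python
"""Added example (not the patent's own code): a minimal model of the claimed flow.
The platform resolves the client's "first information", selects the target first
service by user type, derives "second information" (manage the login or not) from
the grant type ("third information"), routes through the login-management service
or straight to the authorization service, and issues authorization information.
Service names, grant types, the token format and all user data are assumptions."""
import hashlib, hmac, secrets
from dataclasses import dataclass

# Third information (authorization mode) -> second information (manage login?)
MANAGED_LOGIN = {"authorization_code": True, "implicit": True,
                 "password": False, "client_credentials": False}

@dataclass
class FirstInfo:                 # user-authentication-related information of a client
    first_service_id: str
    user_type: str
    auth_interface: str          # "remote", "internal" or "login" (assumed values)

def _make_first_service(users):
    # Identity-authentication service for one user type; passwords hashed at setup
    table = {u: hashlib.sha256(p.encode()).digest() for u, p in users.items()}
    def authenticate(cred):
        given = hashlib.sha256(cred.get("password", "").encode()).digest()
        return cred.get("user") in table and hmac.compare_digest(table[cred["user"]], given)
    return authenticate

# First services keyed by identifier, each bound to one user type (constructed data)
FIRST_SERVICES = {
    "svc-employee": ("employee", _make_first_service({"alice": "pw-alice"})),
    "svc-customer": ("customer", _make_first_service({"bob": "pw-bob"})),
}
# Locally stored per-client user-authentication-related information (constructed)
CLIENT_CONFIG = {
    "web-app": FirstInfo("svc-employee", "employee", "login"),
    "batch-job": FirstInfo("svc-customer", "customer", "internal"),
}

class ServicePlatform:
    def __init__(self, key):
        self._key = key          # signing key of the authorization (third) service
        self.route_log = []      # which path handled each request

    def determine_first_info(self, request):
        # Locally stored configuration first, otherwise information in the request
        info = CLIENT_CONFIG.get(request["client_id"])
        if info is None:
            info = FirstInfo(**request["first_info"])   # KeyError if absent too
        return info

    def select_first_service(self, info):
        user_type, authenticate = FIRST_SERVICES[info.first_service_id]
        assert user_type == info.user_type, "first service does not serve this user type"
        return authenticate

    def _second_service(self, authenticate, request):
        # Login-management service: records the login, then calls the first service
        self.route_log.append(("login-managed", request["client_id"]))
        return authenticate(request["credentials"])

    def _third_service_issue(self, request):
        # Authorization service: generates the authorization information (HMAC token)
        payload = f"{request['client_id']}:{request['credentials']['user']}:{secrets.token_hex(8)}"
        return payload + ":" + hmac.new(self._key, payload.encode(), hashlib.sha256).hexdigest()

    def verify_token(self, token):
        payload, _, mac = token.rpartition(":")
        expected = hmac.new(self._key, payload.encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(mac, expected)

    def authorize(self, request):
        # Returns authorization information, or None when authentication fails
        info = self.determine_first_info(request)
        authenticate = self.select_first_service(info)
        if MANAGED_LOGIN[request["grant_type"]]:
            ok = self._second_service(authenticate, request)
        else:
            self.route_log.append(("direct", request["client_id"]))
            ok = authenticate(request["credentials"])
        return self._third_service_issue(request) if ok else None
```

The `route_log` shows which of the two claimed paths handled a request, which is the observable difference between the managed and unmanaged login cases.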
PCT/CN2023/134739 2022-11-30 2023-11-28 Authentication method and apparatus, service platform, and storage medium WO2024114636A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202211528407.2A CN118114213A (en) 2022-11-30 2022-11-30 Authentication method, authentication device, service platform and storage medium
CN202211528407.2 2022-11-30

Publications (1)

Publication Number Publication Date
WO2024114636A1 true WO2024114636A1 (en) 2024-06-06

Also Published As

Publication number Publication date
CN118114213A (en) 2024-05-31
