
CN113505397B - Authorization method, server, system and storage medium - Google Patents


Info

Publication number
CN113505397B
Authority
CN
China
Prior art keywords
authentication
authorization
server
authentication token
information
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202110853651.5A
Other languages
Chinese (zh)
Other versions
CN113505397A (en)
Inventor
冯宇东
李伟仁
马思雨
黄秀萍
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Industrial and Commercial Bank of China Ltd ICBC
Original Assignee
Industrial and Commercial Bank of China Ltd ICBC
Application filed by Industrial and Commercial Bank of China Ltd ICBC
Priority to CN202110853651.5A
Publication of CN113505397A
Application granted
Publication of CN113505397B
Legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

The present disclosure provides an authorization method, applied to the field of financial technology, comprising: an authorization server generates an authentication token in response to a received authorization request, the authentication token comprising user information, and the user information in the authentication token is cached in a preset storage space; the authorization server sends an authentication request carrying the authentication token to an authentication server; the authentication server authenticates based on the authentication token to obtain an authentication result; the authentication server returns the authentication result to the authorization server, and the authentication server deletes the user information from the preset storage space. The present disclosure also provides an authorization method, an authorization server, an authentication server, an authorization system, a computer system, and a readable storage medium.

Description

Authorization method, server, system and storage medium
Technical Field
The present disclosure relates to the field of internet technology, and more particularly, to an authorization method, an authorization server, an authentication server, an authorization system, a computer system, and a readable storage medium.
Background
With the popularity of internet applications, openness and sharing have become the main features of today's internet, and the integration of the different services provided by internet service providers is a necessary trend of internet development; on the premise of the user's authorization, user information can be opened to third parties based on the OAuth 2.0 protocol.
In the process of realizing the conception of the present disclosure, the inventor found that the related art has at least the following problem: the user authenticates by providing login information, and after authentication succeeds the authorization server directly grants authorization and the login succeeds, so the security is low.
Disclosure of Invention
In view of this, the present disclosure provides an authorization method, an authorization server, an authentication server, an authorization system, a computer system, and a readable storage medium.
One aspect of the present disclosure provides an authorization method applied to an authorization server, including:
Generating an authentication token in response to the received authorization request, wherein the authentication token comprises the user information, and the user information in the authentication token is cached in a preset storage space;
and sending an authentication request to an authentication server, wherein the authentication request carries the authentication token so that the authentication server authenticates based on the authentication token to obtain an authentication result, returning the authentication result to the authorization server, and deleting the user information from the preset storage space.
In an embodiment, the authentication token further comprises first timestamp information indicating a generation time or a transmission time of the authentication token.
In an embodiment, the authorization request carries an identification of a sender of the authorization request, and the authentication token further comprises the identification of the sender.
In an embodiment, the method further comprises:
Acquiring login information input by a user;
verifying whether the login information is correct;
If the login information is correct, an authorization confirmation prompt message is returned to the resource client;
And receiving authorization confirmation information returned by the authorization client based on the authorization confirmation prompt information, and executing the operation of responding to the received authorization request and acquiring the user information from the preset storage space.
In an embodiment, the method further comprises:
when the authentication result is that the authentication passes, receiving user information returned by the authentication server;
and sending the user information to a login client for calling the resource client to login so as to successfully login the login client.
In an embodiment, before sending the authentication request to the authentication server, the method further includes:
encrypting and signing the authentication token.
Another aspect of the present disclosure provides an authorization method applied to an authentication server, including:
Responding to a received authentication request carrying an authentication token, carrying out authentication based on the authentication token to obtain an authentication result, wherein the authentication token is generated by an authorization server and comprises the user information, and the user information in the authentication token is cached in a preset storage space;
returning the authentication result to the authorization server;
And deleting the user information from the preset storage space.
In an embodiment, the authentication token further includes first timestamp information indicating a generation time or a sending time of the authentication token, and authenticating based on the authentication token to obtain an authentication result includes:
parsing the authentication token to obtain the first timestamp information;
acquiring a current time stamp;
calculating a difference between the current timestamp and the first timestamp;
judging whether the difference value meets a preset condition or not;
If the difference value does not meet the preset condition, the authentication result is authentication failure;
and if the difference value meets the preset condition, the authentication result is that the authentication passes.
In an embodiment, the authorization request carries an identifier of a sender of the authorization request, the authentication token further includes the identifier of the sender, and authenticating based on the authentication token includes:
searching for the identifier of the sender in a preset identifier library, in which the identifiers of all legal senders are stored;
if the identifier of the sender is not found, the authentication result is authentication failure;
if the identifier of the sender is found, the authentication result is authentication passing.
In an embodiment, when the authentication result is that authentication passes, the returning the authentication result to the authorization server includes:
And sending the user information to the authorization server so that the authorization server sends the user information to a login client for calling the resource client to login so as to successfully login the login client.
In an embodiment, before authenticating based on the authentication token to obtain an authentication result, the method includes:
decrypting the authentication token and verifying its signature;
If the decryption and signature verification processing is successful, executing the authentication based on the authentication token to obtain an authentication result;
and if the decryption and/or signature verification processing fails, sending prompt information of the failure of the decryption and/or signature verification processing to the authorization server.
Another aspect of the present disclosure provides an authorization server, comprising:
The authentication token generation module is used for responding to the received authorization request and generating an authentication token, wherein the authentication token comprises the user information, and the user information in the authentication token is cached in a preset storage space;
The request sending module is used for sending an authentication request to an authentication server, wherein the authentication request carries the authentication token so that the authentication server can authenticate based on the authentication token to obtain an authentication result, the authentication result is returned to the authorization server, and the user information is deleted from the preset storage space.
In an embodiment, the authentication token further comprises first timestamp information indicating a generation time or a transmission time of the authentication token.
In an embodiment, the authorization request carries an identification of a sender of the authorization request, and the authentication token further comprises the identification of the sender.
In an embodiment, the authorization server further comprises:
The login information acquisition module is used for acquiring login information input by a user;
The login information verification module is used for verifying whether the login information is correct or not;
The confirmation information return module is used for returning authorization confirmation prompt information to the resource client if the login information is correct;
And the confirmation information receiving module is used for receiving the authorization confirmation information returned by the authorization client based on the authorization confirmation prompt information and executing the operation of responding to the received authorization request and acquiring the user information from the preset storage space.
In an embodiment, the authorization server further comprises a user information receiving module configured to receive user information returned by the authentication server when the authentication result is that the authentication passes;
And the user information sending module is used for sending the user information to a login client for calling the resource client to log in so as to successfully log in the login client.
In an embodiment, the authorization server further comprises:
And the processing module is used for encrypting and signing the authentication token.
Another aspect of the present disclosure provides an authentication server, including:
The authentication module is used for responding to a received authentication request carrying an authentication token, authenticating based on the authentication token to obtain an authentication result, wherein the authentication token is generated by an authorization server and comprises the user information, and the user information in the authentication token is cached in a preset storage space;
the authentication result returning module is used for returning the authentication result to the authorization server;
and the user information deleting module is used for deleting the user information from the preset storage space.
In an embodiment, the authentication token further comprises first timestamp information indicating a generation time or a transmission time of the authentication token, and the authentication module comprises:
the parsing sub-module, used for parsing the authentication token to obtain the first timestamp information;
The time stamp obtaining sub-module is used for obtaining the current time stamp;
A calculation sub-module for calculating a difference between the current timestamp and the first timestamp;
The judging submodule is used for judging whether the difference value meets a preset condition or not;
the first judging sub-module is used for judging that the authentication result is authentication failure if the difference value does not meet the preset condition;
and the second judging sub-module is used for judging that the authentication result is passing if the difference value meets the preset condition.
In an embodiment, the authorization request carries an identifier of a sender of the authorization request, the authentication token further includes the identifier of the sender, and the authentication module includes:
the searching sub-module is used for searching for the identifier of the sender in a preset identifier library, in which the identifiers of all legal senders are stored;
the first judging sub-module is further used for judging that the authentication result is authentication failure if the identifier of the sender is not found;
and the second judging sub-module is further used for judging that the authentication result is authentication passing if the identifier of the sender is found.
In an embodiment, when the authentication result is that the authentication passes, the authentication result return module specifically sends the user information to the authorization server, so that the authorization server sends the user information to a login client calling the resource client to log in, so as to successfully log in the login client.
In an embodiment, the authentication server further comprises:
the decryption and signature verification module, used for decrypting the authentication token and verifying its signature;
The authentication module is further used for executing the authentication based on the authentication token to obtain an authentication result if the decryption and the signature verification process are successful;
and the information sending module is used for sending prompt information of failure of decryption and/or signature verification processing to the authorization server if the decryption and/or signature verification processing fails.
Another aspect of the present disclosure provides an authorization system comprising an authorization server as described above and an authentication server as described above.
Another aspect of the present disclosure provides a computer-readable storage medium storing computer-executable instructions that, when executed, are configured to implement a method as described above.
Another aspect of the present disclosure provides a computer program comprising computer executable instructions which when executed are for implementing a method as described above.
According to the embodiment of the disclosure, after the authorization request is received, the resource client is not directly granted permission. Instead, an authentication token is generated in response to the received authorization request, the authentication token comprising the user information, with the user information cached in a preset storage space; an authentication request carrying the authentication token is sent to an authentication server, so that the authentication server authenticates based on the authentication token, obtains an authentication result, returns the authentication result to the authorization server, and deletes the user information from the preset storage space. The authentication server thus performs an effective security check on the user information, and deleting the user information cached in the preset storage space prevents replay of the authentication request.
Drawings
The above and other objects, features and advantages of the present disclosure will become more apparent from the following description of embodiments thereof with reference to the accompanying drawings in which:
FIG. 1 schematically illustrates an exemplary system architecture in which an authorization method may be applied, according to an embodiment of the present disclosure;
FIG. 2 schematically illustrates a flow chart of an authorization method according to an embodiment of the disclosure;
FIG. 3 schematically illustrates a flow chart of an authorization method according to an embodiment of the disclosure;
FIG. 4 schematically illustrates a flow chart of an authorization method according to an embodiment of the disclosure;
FIG. 5 schematically illustrates a flowchart of operation S401 in an authorization method according to an embodiment of the disclosure;
FIG. 6 schematically illustrates a flowchart of operation S401 in an authorization method according to an embodiment of the disclosure;
FIG. 7 schematically illustrates a block diagram of an authorization server according to an embodiment of the disclosure;
FIG. 8 schematically illustrates a block diagram of an authentication server according to an embodiment of the present disclosure;
FIG. 9 schematically illustrates a block diagram of a computer system according to an embodiment of the disclosure.
Detailed Description
Hereinafter, embodiments of the present disclosure will be described with reference to the accompanying drawings. It should be understood that the description is only exemplary and is not intended to limit the scope of the present disclosure. In the following detailed description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the embodiments of the present disclosure. It may be evident, however, that one or more embodiments may be practiced without these specific details. In addition, in the following description, descriptions of well-known structures and techniques are omitted so as not to unnecessarily obscure the concepts of the present disclosure.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. The terms "comprises," "comprising," and/or the like, as used herein, specify the presence of stated features, steps, operations, and/or components, but do not preclude the presence or addition of one or more other features, steps, operations, or components.
All terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art unless otherwise defined. It should be noted that the terms used herein should be construed to have meanings consistent with the context of the present specification and should not be construed in an idealized or overly formal manner.
Where a convention analogous to "at least one of A, B and C, etc." is used, in general such a convention should be interpreted in accordance with the meaning of one of skill in the art having generally understood the convention (e.g., "a system having at least one of A, B and C" would include, but not be limited to, systems having A alone, B alone, C alone, A and B together, A and C together, B and C together, and/or A, B, C together, etc.). Where a formulation similar to at least one of "A, B or C, etc." is used, in general such a formulation should be interpreted in accordance with the ordinary understanding of one skilled in the art (e.g. "a system with at least one of A, B or C" would include but not be limited to systems with A alone, B alone, C alone, A and B together, A and C together, B and C together, and/or A, B, C together, etc.).
It should be noted that, the authorization method, the authorization server, the authentication server, the authorization system, the computer system and the storage medium of the present disclosure may be used in applications of the financial field in the internet, and may also be used in any field other than the financial field, and the application fields of the authorization method, the authorization server, the authentication server, the authorization system, the computer system and the storage medium of the present disclosure are not limited.
In the technical scheme of the disclosure, the acquisition, storage, application and so on of the user's personal information all conform to the provisions of the relevant laws and regulations, necessary security measures are taken, and public order and good morals are not violated.
Embodiments of the present disclosure provide an authorization method. In the method, an authorization server generates an authentication token in response to a received authorization request, the authentication token comprising user information, with the user information cached in a preset storage space; the authorization server sends an authentication request carrying the authentication token to an authentication server; the authentication server authenticates based on the authentication token to obtain an authentication result; the authentication server returns the authentication result to the authorization server; and the authentication server deletes the user information from the preset storage space.
Fig. 1 schematically illustrates an exemplary system architecture 100 in which an authorization method may be applied according to an embodiment of the disclosure. It should be noted that fig. 1 is only an example of a system architecture to which embodiments of the present disclosure may be applied to assist those skilled in the art in understanding the technical content of the present disclosure, but does not mean that embodiments of the present disclosure may not be used in other devices, systems, environments, or scenarios.
As shown in fig. 1, a system architecture 100 according to this embodiment may include a terminal device 101, a network 102, an authorization server 103, and an authentication server 104. The network 102 serves as a medium for providing a communication link between the terminal device 101, the authorization server 103 and the authentication server 104. Network 102 may include various connection types, such as wired and/or wireless communication links, and the like.
A user may interact with the authorization server 103 via the network 102 using the terminal device 101 to receive or send messages or the like. Various communication client applications may be installed on the terminal device 101, such as financial class applications, shopping class applications, web browser applications, search class applications, instant messaging tools, mailbox clients and/or social platform software, to name a few.
The terminal device 101 may be any of a variety of electronic devices having a display screen and supporting web browsing, including but not limited to smartphones, tablets, laptop computers and desktop computers. The terminal device 101 may be loaded with a resource client and a login client; the resource client and the login client may be served by the same service provider, or by different service providers that comply with the OAuth 2.0 protocol. The user can log in through the login client using the login information of the resource client. For example, the user opens the login client and chooses to log in through the resource client, the login client calls the resource client, the user inputs the corresponding login information in the resource client for authentication, and after the authentication passes the user can log in to the login client.
The authorization server 103 may be configured to authenticate the received login information of the user and return the authentication result to the resource client of the terminal device 101. In the present disclosure, the authorization server 103 may be further configured to send an authentication request to the authentication server 104 after the authentication of the user's login information has passed, and to allow the user to log in to the login client on the terminal device 101 after the authentication passes.
The authentication server 104 may be configured to perform authentication after receiving the authentication request, and return an authentication result to the authorization server 103. Specifically, if the authentication is passed, the user is allowed to log in to the login client in the terminal apparatus 101.
It should be noted that the authorization method provided by the embodiments of the present disclosure is generally performed by the authorization server 103 and the authentication server 104. It may also be performed by other servers having the respective functions of the authorization server 103 and the authentication server 104 described in the present disclosure. Moreover, each of the authorization server 103 and the authentication server 104 may be a single server or a server cluster.
It should be understood that the number of terminal devices, networks and servers in fig. 1 is merely illustrative. There may be any number of terminal devices, networks, and servers, as desired for implementation.
Fig. 2 schematically illustrates a flow chart of an authorization method according to an embodiment of the disclosure.
As shown in FIG. 2, the method includes operations S201-S203 applied to an authorization server.
In operation S201, in response to the received authorization request, an authentication token is generated, the authentication token including the user information, the user information in the authentication token being cached in a preset storage space.
In operation S202, an authentication request is sent to an authentication server, where the authentication request carries the authentication token, so that the authentication server performs authentication based on the authentication token to obtain an authentication result, returns the authentication result to the authorization server, and deletes the user information from the preset storage space.
In the present disclosure, the user information corresponds to the authorization request. For example, after the user inputs login information at the resource client, the user requests authorization from the authorization server at the resource client, and the user information obtained by the authorization server from the preset storage space is the user information corresponding to that login information, such as a user name and password, or a mobile phone number and verification code.
In the present disclosure, the preset storage space may be located in the authorization server, or may be located in the authentication server, or in a database, which is not limited in the present disclosure. The user information may be stored in the preset storage space in the form of a table or key value pairs, which is not limited by the present disclosure.
In the present disclosure, the user information may be deleted from the preset storage space after the authentication token is generated, after the authentication request is sent to the authentication server, during the authentication performed by the authentication server, or at some other time; this is not limited in the present disclosure. Further, the user information may be deleted from the preset storage space by the authorization server, the authentication server, or any other server or terminal, which is likewise not limited in the present disclosure.
In an embodiment of the present disclosure, the authentication token further includes first timestamp information indicating a generation time or a transmission time of the authentication token. Authenticating based on the authentication token to obtain the authentication result may then specifically comprise: parsing the authentication token to obtain the first timestamp information; obtaining a current timestamp; calculating the difference between the current timestamp and the first timestamp; and judging whether the difference meets a preset condition. If the difference does not meet the preset condition, the authentication result is authentication failure; if the difference meets the preset condition, the authentication result is authentication passing.
In an embodiment of the disclosure, the authorization request carries an identifier of the sender of the authorization request, and the authentication token further includes the identifier of the sender. Authenticating based on the authentication token to obtain the authentication result may then specifically comprise searching for the identifier of the sender in a preset identifier library in which the identifiers of all legal senders are stored. If the identifier of the sender is not found, the authentication result is authentication failure; if the identifier of the sender is found, the authentication result is authentication passing.
In an embodiment of the present disclosure, before the authentication request is sent to the authentication server, the method further includes encrypting and signing the authentication token. In the present disclosure, the encryption processing and signature processing may be performed in an existing manner, which is not limited in this disclosure.
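The token flow of operations S201 and S202, together with the timestamp check, the sender identifier lookup and the deletion of the cached user information described above, modelled as an added Python example (illustrative code written for this page, not the patent's or ICBC's implementation). It assumes an HMAC-SHA256 signature under a key shared by the two servers, a 60-second window as the preset timestamp condition, a dict as the preset storage space and a constructed sender identifier library; the encryption step is omitted, so the token carries only a reference to the cached user information rather than the information itself.

```python
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional, Tuple

# Key shared by the authorization and authentication servers (assumed; the patent
# does not specify key management). Constructed sample value for this example only.
SHARED_KEY = b"constructed-demo-key-not-for-real-use"

# "Preset condition" on the timestamp difference, assumed to be a fixed window.
MAX_AGE_SECONDS = 60

# Preset storage space: cached user information keyed by a random token id.
# The patent allows it to live in either server or a database; a dict stands in here.
PRESET_STORAGE: Dict[str, dict] = {}

# Preset identifier library holding the identifiers of all legal senders (constructed).
LEGAL_SENDERS = {"resource-client-app-1", "resource-client-app-2"}


def _sign(payload: bytes) -> str:
    """Signature over the serialized token body (HMAC-SHA256, an assumption)."""
    return hmac.new(SHARED_KEY, payload, hashlib.sha256).hexdigest()


# ---- authorization server side: operations S201 and S202 ----------------------
def generate_auth_token(user_info: dict, sender_id: str,
                        now: Optional[float] = None) -> str:
    """Cache the user information and return a signed token carrying a reference
    to it, the sender identifier and the first timestamp (generation time)."""
    token_id = secrets.token_hex(16)
    PRESET_STORAGE[token_id] = dict(user_info)
    body = {"token_id": token_id, "sender": sender_id,
            "ts": now if now is not None else time.time()}
    payload = json.dumps(body, sort_keys=True).encode()
    return payload.hex() + "." + _sign(payload)


# ---- authentication server side -------------------------------------------------
def authenticate(token: str,
                 now: Optional[float] = None) -> Tuple[bool, str, Optional[dict]]:
    """Return (passed, reason, user_info).

    The cached user information is removed as soon as the token is looked up,
    whatever the final result, so presenting the same token twice fails."""
    now = now if now is not None else time.time()
    try:
        payload_hex, sig = token.split(".", 1)
        payload = bytes.fromhex(payload_hex)
    except ValueError:
        return False, "malformed token", None
    # Signature verification comes first; compare_digest avoids timing leaks.
    if not hmac.compare_digest(_sign(payload), sig):
        return False, "signature verification failed", None
    body = json.loads(payload)
    # Single use: delete the cached user information from the preset storage space.
    user_info = PRESET_STORAGE.pop(body["token_id"], None)
    if user_info is None:
        return False, "no cached user information (replayed or unknown token)", None
    # Timestamp check: difference between current and first timestamp within window.
    age = now - body["ts"]
    if age < 0 or age > MAX_AGE_SECONDS:
        return False, "timestamp difference outside preset window", None
    # Sender check: identifier must be present in the identifier library.
    if body["sender"] not in LEGAL_SENDERS:
        return False, "sender identifier not in identifier library", None
    # Passed: the user information is returned to the authorization server.
    return True, "authentication passed", user_info
```

Because the cached entry is removed on the first presentation, a second presentation of the same token fails even though its signature and timestamp are still valid, which is the replay protection the description relies on.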
Fig. 3 schematically illustrates a flow chart of an authorization method according to an embodiment of the disclosure.
As shown in FIG. 3, the method includes operations S301-S304 and S201-S202, which are applied to an authorization server.
In operation S301, login information input by a user is acquired.
In operation S302, it is verified whether the login information is correct.
In operation S303, if the login information is correct, an authorization confirmation prompt is returned to the resource client.
In operation S304, authorization confirmation information returned by the authorization client based on the authorization confirmation prompt information is received.
In operation S201, in response to the received authorization request, an authentication token is generated, the authentication token including the user information, the user information in the authentication token being cached in a preset storage space.
In operation S202, an authentication request is sent to an authentication server, where the authentication request carries the authentication token, so that the authentication server performs authentication based on the authentication token to obtain an authentication result, returns the authentication result to the authorization server, and deletes the user information from the preset storage space.
In one embodiment of the disclosure, when the authentication result is that the authentication passes, the authorization server receives the user information returned by the authentication server, and the authorization server sends the user information to a login client calling the resource client to log in so as to successfully log in the login client.
In the present disclosure, the login information input by the user may be a user name and password, a mobile phone number and a verification code, or the like, which the present disclosure does not limit. The login information input by the user corresponds to the user information, and both are globally unique.
In the present disclosure, if the login information is incorrect, the prompt information of authentication failure is directly returned to the resource client. Specifically, in the case where authentication failure is due to a password input error, the user may be prompted for a password input error. In the case where the authentication failure is due to the absence of a user name, the user may be prompted that the user name is absent.
Fig. 4 schematically illustrates a flowchart of an authorization method according to an embodiment of the disclosure.
As shown in FIG. 4, the method includes operations S401-S403, which are applied to an authentication server.
In operation S401, in response to a received authentication request carrying an authentication token, authentication is performed based on the authentication token to obtain an authentication result, where the authentication token is generated by an authorization server, the authentication token includes the user information, and the user information in the authentication token is cached in a preset storage space.
In operation S402, the authentication result is returned to the authorization server.
In operation S403, the user information is deleted from the preset storage space.
According to the embodiment of the disclosure, the authentication server is used for effectively carrying out security check on the user information and deleting the user information cached in the preset storage space, so that the authentication request can be prevented from being replayed.
In an embodiment of the present disclosure, the authentication token further includes first timestamp information, where the first timestamp information indicates a generation time or a transmission time of the authentication token. As shown in fig. 5, operation S401 includes operations S501 to S506.
In operation S501, the first timestamp information is obtained by parsing the authentication token.
In operation S502, a current timestamp is obtained.
In operation S503, the difference between the current timestamp and the first timestamp is calculated.
In operation S504, it is determined whether the difference meets a preset condition.
In operation S505, if the difference does not meet the preset condition, the authentication result is authentication failure.
In operation S506, if the difference meets the preset condition, the authentication result is authentication pass.
In the present disclosure, the preset condition may be that the difference is less than a preset threshold, or that the difference lies within a preset range. The preset threshold may be 1 minute, 2 minutes, 5 minutes, or the like, and the preset range may be within 30 seconds, within 1 minute, or the like, which the present disclosure does not limit.
In an embodiment of the present disclosure, the authorization request carries an identifier of the sender of the authorization request, and the authentication token further includes the identifier of the sender. As shown in fig. 6, operation S401 includes operations S601 to S603.
In operation S601, the identifier of the sender is searched for in a preset identifier library, in which the identifiers of all legal senders are stored.
In operation S602, if the identifier of the sender is not found, the authentication result is authentication failure.
In operation S603, if the identifier of the sender is found, the authentication result is authentication pass.
In the present disclosure, the manner shown in fig. 5 and the manner shown in fig. 6 may also be used together to determine the authentication result. Specifically, if either the manner shown in fig. 5 or the manner shown in fig. 6 yields authentication failure, the authentication result in operation S401 is authentication failure; only if both yield authentication success is the authentication result in operation S401 authentication success.
In one embodiment of the present disclosure, when the authentication result is that authentication is passed, operation S402 includes transmitting the user information to the authorization server, so that the authorization server transmits the user information to a login client that invokes the resource client to login, so as to successfully login the login client.
In an embodiment of the present disclosure, before operation S401, decryption and signature verification processing are further performed on the authentication token. If the decryption and signature verification processing succeed, the operation of performing authentication based on the authentication token to obtain an authentication result is carried out; if the decryption and/or signature verification processing fails, a prompt message indicating that the decryption and/or signature verification processing failed is sent to the authorization server.
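The authentication-server side described above (signature verification, the fig. 5 freshness check, the fig. 6 sender check, and deletion of the cached user information so that a replayed request fails), as an added illustration that is not code from the patent. It assumes an HMAC-SHA256 signature as the "existing manner" of signing, omits encryption, and uses a constructed key, threshold, identifier library and in-memory dict standing in for the preset storage space.

```python
import base64
import hashlib
import hmac
import json

# Constructed values; the page leaves the signing scheme and thresholds open.
SIGNING_KEY = b"constructed-demo-key"                       # shared by both servers
MAX_AGE_SECONDS = 60.0                                      # preset threshold (1 minute)
LEGAL_SENDERS = {"resource-client-A", "resource-client-B"}  # preset identifier library

# "Preset storage space" shared by both servers: token id -> user information.
preset_storage: dict = {}


def _sign(payload: bytes) -> str:
    return hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()


def generate_authentication_token(user_info: dict, sender_id: str,
                                  now: float, token_id: str) -> str:
    """Authorization server, operation S201 plus the signing step.

    The token carries the user information, the sender identifier and a
    first timestamp (generation time); the user information is also cached
    in the preset storage space under the token id.
    """
    preset_storage[token_id] = dict(user_info)
    body = {"token_id": token_id, "user": user_info,
            "sender": sender_id, "ts": now}
    payload = json.dumps(body, sort_keys=True).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)


def authenticate(token: str, now: float):
    """Authentication server, operations S401-S403.

    Returns (result, user_info): result is "pass", "fail" or
    "signature verification failed"; user_info is returned only on "pass".
    """
    # Signature verification comes first; a malformed or tampered token is
    # reported back as a verification failure rather than authenticated.
    try:
        encoded, signature = token.rsplit(".", 1)
        payload = base64.urlsafe_b64decode(encoded.encode())
    except ValueError:
        return "signature verification failed", None
    if not hmac.compare_digest(_sign(payload), signature):
        return "signature verification failed", None
    body = json.loads(payload)

    # Operation S403: the cached user information is removed on first use,
    # so a replayed authentication request finds nothing and fails.
    cached = preset_storage.pop(body["token_id"], None)
    if cached is None:
        return "fail", None

    # Operations S501-S506: the token must be fresh.
    age = now - body["ts"]
    if age < 0 or age > MAX_AGE_SECONDS:
        return "fail", None

    # Operations S601-S603: the sender must be in the identifier library.
    if body["sender"] not in LEGAL_SENDERS:
        return "fail", None

    # Both checks passed (fig. 5 and fig. 6 combined): return the user
    # information so the authorization server can hand it to the login client.
    return "pass", cached


if __name__ == "__main__":
    t0 = 1_700_000_000.0
    tok = generate_authentication_token({"user_id": "u123"}, "resource-client-A", t0, "tok-1")
    print(authenticate(tok, t0 + 5))   # first use passes
    print(authenticate(tok, t0 + 6))   # replay fails: user info already deleted
```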
Fig. 7 schematically illustrates a block diagram of an authorization server according to an embodiment of the disclosure.
As shown in fig. 7, the authorization server 700 includes an authentication token generation module 710 and a request transmission module 720.
The authentication token generation module 710 is configured to generate an authentication token in response to the received authorization request, where the authentication token includes the user information, and the user information in the authentication token is cached in a preset storage space.
The request sending module 720 is configured to send an authentication request to an authentication server, where the authentication request carries the authentication token, so that the authentication server performs authentication based on the authentication token to obtain an authentication result, return the authentication result to the authorization server, and delete the user information from the preset storage space.
The authentication token further includes first timestamp information indicating a generation time or a transmission time of the authentication token.
In an embodiment of the disclosure, the authorization request carries an identification of a sender of the authorization request, and the authentication token further includes the identification of the sender.
In an embodiment of the present disclosure, further comprising:
The login information acquisition module is used for acquiring login information input by a user;
The login information verification module is used for verifying whether the login information is correct or not;
the confirmation information return module is used for returning authorization confirmation prompt information to the resource client if the login information is correct;
and the confirmation information receiving module is used for receiving the authorization confirmation information returned by the authorization client based on the authorization confirmation prompt information, and executing the operation of responding to the received authorization request and acquiring the user information from the preset storage space.
In an embodiment of the present disclosure, further comprising:
The user information receiving module is used for receiving the user information returned by the authentication server when the authentication result is that the authentication passes;
and the user information sending module is used for sending the user information to a login client for calling the resource client to log in so as to successfully log in the login client.
In one embodiment of the disclosure, the method further comprises a processing module for encrypting and signing the authentication token.
Fig. 8 schematically illustrates a block diagram of an authentication server according to an embodiment of the present disclosure.
As shown in fig. 8, the authentication server 800 includes an authentication module 810, an authentication result return module 820, and a user information deletion module 830.
The authentication module 810 is configured to respond to a received authentication request carrying an authentication token and perform authentication based on the authentication token to obtain an authentication result, where the authentication token is generated by an authorization server, the authentication token includes the user information, and the user information in the authentication token is cached in a preset storage space;
An authentication result returning module 820, configured to return the authentication result to the authorization server;
The user information deleting module 830 is configured to delete the user information from the preset storage space.
In an embodiment of the present disclosure, the authentication token further includes first timestamp information indicating a generation time or a transmission time of the authentication token, and the authentication module 810 includes:
The parsing sub-module is used for parsing the authentication token to obtain the first timestamp information;
The time stamp obtaining sub-module is used for obtaining the current time stamp;
A calculation sub-module for calculating a difference between the current timestamp and the first timestamp;
The judging submodule is used for judging whether the difference value meets a preset condition or not;
the first judging sub-module is used for determining that the authentication result is authentication failure if the difference value does not meet the preset condition;
And the second judging sub-module is used for judging that the authentication result is passing if the difference value meets the preset condition.
In an embodiment of the present disclosure, the authorization request carries an identifier of a sender of the authorization request, the authentication token further includes the identifier of the sender, and the authentication module 810 includes:
The searching sub-module is used for searching for the identifier of the sender in a preset identifier library, in which the identifiers of all legal senders are stored;
the first judging sub-module is further used for determining that the authentication result is authentication failure if the identifier of the sender is not found;
and the second judging sub-module is further used for determining that the authentication result is authentication pass if the identifier of the sender is found.
In an embodiment of the present disclosure, when the authentication result is that authentication passes, the authentication result return module specifically sends the user information to the authorization server, so that the authorization server sends the user information to a login client that invokes the resource client to log in, so as to successfully log in the login client.
In an embodiment of the present disclosure, further comprising:
the decryption processing module is used for decrypting the authentication token and verifying its signature;
The authentication module is also used for executing the operation of authenticating based on the authentication token to obtain an authentication result if the decryption and the verification processing are successful;
And the information sending module is used for sending prompt information of failure of decryption and/or signature verification processing to the authorization server if the decryption and/or signature verification processing fails.
The embodiment of the disclosure also provides an authorization system comprising the authorization server and the authentication server.
Any number of modules, sub-modules, units, sub-units, or at least some of the functionality of any number of the sub-units according to embodiments of the present disclosure may be implemented in one module. Any one or more of the modules, sub-modules, units, sub-units according to embodiments of the present disclosure may be implemented as split into multiple modules. Any one or more of the modules, sub-modules, units, sub-units according to embodiments of the present disclosure may be implemented at least in part as a hardware circuit, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system-on-chip, a system-on-substrate, a system-on-package, an Application Specific Integrated Circuit (ASIC), or in any other reasonable manner of hardware or firmware that integrates or encapsulates the circuit, or in any one of or a suitable combination of three of software, hardware, and firmware. Or one or more of the modules, sub-modules, units, sub-units according to embodiments of the present disclosure may be at least partially implemented as computer program modules, which, when executed, may perform the corresponding functions.
For example, any number of the authentication token generation module 710 and the request transmission module 720 may be combined in one module/unit/sub-unit or any one of them may be split into a plurality of modules/units/sub-units. Or at least some of the functionality of one or more of these modules/units/sub-units may be combined with at least some of the functionality of other modules/units/sub-units and implemented in one module/unit/sub-unit. According to embodiments of the present disclosure, at least one of the authentication token generation module 710 and the request transmission module 720 may be implemented at least in part as hardware circuitry, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system-on-chip, a system-on-substrate, a system-on-package, an Application Specific Integrated Circuit (ASIC), or in hardware or firmware, such as any other reasonable way of integrating or packaging the circuitry, or in any one of or a suitable combination of any of the three. Or at least one of the authentication token generation module 710 and the request transmission module 720 may be at least partially implemented as a computer program module which, when executed, may perform the corresponding functions.
In the foregoing embodiments, the descriptions of the embodiments are emphasized, and for parts of one embodiment that are not described in detail, reference may be made to the related descriptions of other embodiments.
Fig. 9 schematically illustrates a block diagram of a computer system suitable for implementing the above-described method according to an embodiment of the present disclosure. The computer system illustrated in fig. 9 is merely an example, and should not be construed as limiting the functionality and scope of use of the embodiments of the present disclosure.
As shown in fig. 9, a computer system 900 according to an embodiment of the present disclosure includes a processor 901, which can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 902 or a program loaded from a storage portion 908 into a Random Access Memory (RAM) 903. The processor 901 may include, for example, a general purpose microprocessor (e.g., a CPU), an instruction set processor and/or an associated chipset and/or a special purpose microprocessor (e.g., an Application Specific Integrated Circuit (ASIC)), or the like. Processor 901 may also include on-board memory for caching purposes. Processor 901 may include a single processing unit or multiple processing units for performing the different actions of the method flows according to embodiments of the present disclosure.
In the RAM 903, various programs and data necessary for the operation of the system 900 are stored. The processor 901, the ROM 902, and the RAM 903 are connected to each other by a bus 904. The processor 901 performs various operations of the method flow according to the embodiments of the present disclosure by executing programs in the ROM 902 and/or the RAM 903. Note that the program may be stored in one or more memories other than the ROM 902 and the RAM 903. The processor 901 may also perform various operations of the method flow according to embodiments of the present disclosure by executing programs stored in the one or more memories.
According to an embodiment of the disclosure, the system 900 may also include an input/output (I/O) interface 905, which is also connected to the bus 904. The system 900 may also include one or more of the following, connected to the I/O interface 905: an input portion 906 including a keyboard, mouse, etc.; an output portion 907 including a display such as a Cathode Ray Tube (CRT) or Liquid Crystal Display (LCD), speakers, etc.; a storage portion 908 including a hard disk, etc.; and a communication portion 909 including a network interface card such as a LAN card, modem, etc. The communication portion 909 performs communication processing via a network such as the Internet. A drive 910 is also connected to the I/O interface 905 as needed. A removable medium 911 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 910 as needed, so that a computer program read from it can be installed into the storage portion 908 as needed.
According to embodiments of the present disclosure, the method flow according to embodiments of the present disclosure may be implemented as a computer software program. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable storage medium, the computer program comprising program code for performing the method shown in the flowcharts. In such an embodiment, the computer program may be downloaded and installed from the network via the communication portion 909 and/or installed from the removable medium 911. The above-described functions defined in the system of the embodiments of the present disclosure are performed when the computer program is executed by the processor 901. The systems, devices, apparatus, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the disclosure.
The present disclosure also provides a computer-readable storage medium that may be included in the apparatus/device/system described in the above embodiments, or may exist alone without being assembled into the apparatus/device/system. The computer-readable storage medium carries one or more programs which, when executed, implement methods in accordance with embodiments of the present disclosure.
According to embodiments of the present disclosure, the computer-readable storage medium may be a non-volatile computer-readable storage medium. Such as, but not limited to, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this disclosure, a computer-readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
For example, according to embodiments of the present disclosure, the computer-readable storage medium may include ROM 902 and/or RAM 903 and/or one or more memories other than ROM 902 and RAM 903 described above.
The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
Those skilled in the art will appreciate that the features recited in the various embodiments of the disclosure and/or in the claims may be combined in various ways, even if such combinations are not explicitly recited in the disclosure. In particular, the features recited in the various embodiments of the present disclosure and/or the claims may be combined in various ways without departing from the spirit and teachings of the present disclosure. All such combinations fall within the scope of the present disclosure.
The embodiments of the present disclosure are described above. These examples are for illustrative purposes only and are not intended to limit the scope of the present disclosure. Although the embodiments are described above separately, this does not mean that the measures in the embodiments cannot be used advantageously in combination. The scope of the disclosure is defined by the appended claims and equivalents thereof. Various alternatives and modifications can be made by those skilled in the art without departing from the scope of the disclosure, and such alternatives and modifications are intended to fall within the scope of the disclosure.

Claims (19)

1. An authorization method, applied to an authorization server, comprising:
acquiring login information input by a user;
verifying whether the login information is correct;
if the login information is correct, returning authorization confirmation prompt information to a resource client;
receiving authorization confirmation information returned by an authorization client based on the authorization confirmation prompt information;
in response to a received authorization request, generating an authentication token, the authentication token including user information, the user information in the authentication token being cached in a preset storage space;
sending an authentication request to an authentication server, wherein the authentication request carries the authentication token, so that the authentication server performs authentication based on the authentication token, obtains an authentication result, returns the authentication result to the authorization server, and deletes the user information from the preset storage space;
when the authentication result is that the authentication is passed, receiving the user information returned by the authentication server;
sending the user information to a login client that calls the resource client to log in, so as to successfully log in the login client.
2. The method according to claim 1, wherein the authentication token further comprises first timestamp information, the first timestamp information indicating a generation time or a sending time of the authentication token.
3. The method according to claim 1, wherein the authorization request carries an identifier of a sender of the authorization request, and the authentication token further comprises the identifier of the sender.
4. The method according to any one of claims 1 to 3, wherein before sending the authentication request to the authentication server, the method comprises:
encrypting and signing the authentication token.
5. An authorization method, applied to an authentication server, comprising:
in response to a received authentication request carrying an authentication token, performing authentication based on the authentication token to obtain an authentication result, wherein the authentication token is generated by an authorization server, the authentication token includes user information, and the user information in the authentication token is cached in a preset storage space;
returning the authentication result to the authorization server;
deleting the user information from the preset storage space;
wherein, when the authentication result is that the authentication is passed, returning the authentication result to the authorization server comprises:
sending the user information to the authorization server, so that the authorization server sends the user information to a login client that calls a resource client to log in, so as to successfully log in the login client.
6. The method according to claim 5, wherein the authentication token further comprises first timestamp information, the first timestamp information indicating a generation time or a sending time of the authentication token, and performing authentication based on the authentication token to obtain an authentication result comprises:
parsing the authentication token to obtain the first timestamp information;
acquiring a current timestamp;
calculating a difference between the current timestamp and the first timestamp;
determining whether the difference satisfies a preset condition;
if the difference does not satisfy the preset condition, the authentication result is authentication failure;
if the difference satisfies the preset condition, the authentication result is authentication passed.
7. The method according to claim 5, wherein the authentication token further comprises an identifier of the sender, and performing authentication based on the authentication token to obtain an authentication result comprises:
searching for the identifier of the sender in a preset identifier library, wherein the identifier library stores the identifiers of all legal senders;
if the identifier of the sender is not found, the authentication result is authentication failure;
if the identifier of the sender is found, the authentication result is authentication passed.
8. The method according to any one of claims 5 to 7, wherein before performing authentication based on the authentication token to obtain the authentication result, the method comprises:
decrypting the authentication token and verifying its signature;
if the decryption and signature verification succeed, performing the operation of performing authentication based on the authentication token to obtain an authentication result;
if the decryption and/or signature verification fails, sending prompt information indicating that the decryption and/or signature verification failed to the authorization server.
9. An authorization server, comprising:
a login information acquisition module, configured to acquire login information input by a user;
a login information verification module, configured to verify whether the login information is correct;
a confirmation information return module, configured to return authorization confirmation prompt information to a resource client if the login information is correct;
a confirmation information receiving module, configured to receive authorization confirmation information returned by an authorization client based on the authorization confirmation prompt information, and to perform an operation of acquiring user information from a preset storage space in response to a received authorization request;
an authentication token generation module, configured to generate an authentication token in response to the received authorization request, wherein the authentication token includes the user information, and the user information in the authentication token is cached in the preset storage space;
a request sending module, configured to send an authentication request to an authentication server, wherein the authentication request carries the authentication token, so that the authentication server performs authentication based on the authentication token, obtains an authentication result, returns the authentication result to the authorization server, and deletes the user information from the preset storage space;
a user information receiving module, configured to receive the user information returned by the authentication server when the authentication result is that the authentication is passed;
a user information sending module, configured to send the user information to a login client that calls the resource client to log in, so as to successfully log in the login client.
10. The authorization server according to claim 9, wherein the authentication token further comprises first timestamp information, the first timestamp information indicating a generation time or a sending time of the authentication token.
11. The authorization server according to claim 9, wherein the authorization request carries an identifier of a sender of the authorization request, and the authentication token further comprises the identifier of the sender.
12. The authorization server according to any one of claims 9 to 11, further comprising:
a processing module, configured to encrypt and sign the authentication token.
13. An authentication server, comprising:
an authentication module, configured to respond to a received authentication request carrying an authentication token and perform authentication based on the authentication token to obtain an authentication result, wherein the authentication token is generated by an authorization server, the authentication token includes user information, and the user information in the authentication token is cached in a preset storage space;
an authentication result return module, configured to return the authentication result to the authorization server, wherein, when the authentication result is that the authentication is passed, the authentication result return module is specifically configured to send the user information to the authorization server, so that the authorization server sends the user information to a login client that calls a resource client to log in, so as to successfully log in the login client;
a user information deletion module, configured to delete the user information from the preset storage space.
14. The authentication server according to claim 13, wherein the authentication token further comprises first timestamp information, the first timestamp information indicating a generation time or a sending time of the authentication token, and the authentication module comprises:
a parsing sub-module, configured to parse the authentication token to obtain the first timestamp information;
a timestamp acquisition sub-module, configured to acquire a current timestamp;
a calculation sub-module, configured to calculate a difference between the current timestamp and the first timestamp;
a judging sub-module, configured to determine whether the difference satisfies a preset condition;
a first determination sub-module, configured to determine that the authentication result is authentication failure if the difference does not satisfy the preset condition;
a second determination sub-module, configured to determine that the authentication result is authentication passed if the difference satisfies the preset condition.
15. The authentication server according to claim 13, wherein the authentication token further comprises an identifier of the sender, and the authentication module comprises:
The authentication server according to claim 13, wherein the authentication token further comprises an identifier of the sender, and the authentication module comprises: 查找子模块,用于在预设的标识库中查找所述发送方的标识,所述标识库中存储所有合法的发送方的标识;A search submodule, used for searching the identifier of the sender in a preset identifier library, wherein the identifier library stores all valid identifiers of senders; 第一判定子模块,还用于若没有查找到所述发送方的标识,则所述鉴权结果为鉴权失败;The first determination submodule is further configured to determine that if the identifier of the sender is not found, the authentication result is authentication failure; 第二判定子模块,还用于若查找到所述发送方的标识,则所述鉴权结果为鉴权通过。The second determination submodule is further configured to determine that if the identifier of the sender is found, the authentication result is authentication passed. 16.根据权利要求13至15任意一项所述的鉴权服务器,还包括:16. The authentication server according to any one of claims 13 to 15, further comprising: 解处理模块,用于对所述鉴权令牌进行解密和验签处理;A decryption processing module, used to decrypt and verify the authentication token; 所述鉴权模块,还用于若所述解密和验签处理成功,则执行所述基于所述鉴权令牌进行鉴权,得到鉴权结果的操作;The authentication module is further configured to perform the operation of performing authentication based on the authentication token and obtaining an authentication result if the decryption and signature verification process is successful; 信息发送模块,用于若所述解密和/或验签处理失败,则向所述授权服务器发送解密和/或验签处理失败的提示信息。The information sending module is used to send a prompt message of the failure of decryption and/or signature verification to the authorization server if the decryption and/or signature verification fails. 17.一种授权系统,包括:如权利要求9至12任意一项所述的授权服务器,以及,如权利要求13至16任意一项所述的鉴权服务器。17. An authorization system, comprising: the authorization server according to any one of claims 9 to 12, and the authentication server according to any one of claims 13 to 16. 18.一种计算机系统,包括:18. 
A computer system comprising: 一个或多个处理器;one or more processors; 存储器,用于存储一个或多个程序,a memory for storing one or more programs, 其中,当所述一个或多个程序被所述一个或多个处理器执行时,使得所述一个或多个处理器实现权利要求1至4中任一项所述的方法,或者,实现权利要求5至8中任一项所述的方法。When the one or more programs are executed by the one or more processors, the one or more processors implement the method of any one of claims 1 to 4, or implement the method of any one of claims 5 to 8. 19.一种计算机可读存储介质,其上存储有可执行指令,该指令被处理器执行时使处理器实现权利要求1至4中任一项所述的方法,或者,实现权利要求5至8中任一项所述的方法。19. A computer-readable storage medium having executable instructions stored thereon, which, when executed by a processor, enables the processor to implement the method of any one of claims 1 to 4, or the method of any one of claims 5 to 8.
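As an added illustration (not code from the patent or its applicant), the following Python model walks through the token flow of claims 9 to 16: the authorization server caches the user information, issues a token carrying the user information, a timestamp and the sender identifier, and the authentication server checks the signature, the timestamp difference against a preset limit and the sender against an identifier library, then deletes the cached user information. The HMAC signature stands in for the encrypt-and-sign step of claims 12 and 16; the key, the age limit, the sender library and the in-memory dictionary used as the "preset storage space" are all assumptions.

```python
import base64, binascii, hashlib, hmac, json, time

SHARED_KEY = b"constructed-demo-key"   # constructed; a real deployment uses a managed key
MAX_TOKEN_AGE_S = 60                    # assumed "preset condition" on the timestamp difference
VALID_SENDERS = {"login-client-001"}    # assumed "identifier library" of valid senders
user_cache = {}                         # assumed "preset storage space" shared by both servers


def sign(payload: bytes) -> str:
    """Signature over the token body (replaces the patent's encrypt-and-sign step)."""
    return hmac.new(SHARED_KEY, payload, hashlib.sha256).hexdigest()


def issue_token(user_info: dict, sender_id: str, now=None) -> str:
    """Authorization server (claims 9-12): cache the user info, then build and sign the token."""
    ts = time.time() if now is None else now
    token_id = hashlib.sha256(f"{sender_id}:{ts}".encode()).hexdigest()[:16]
    user_cache[token_id] = user_info
    body = json.dumps({"tid": token_id, "user": user_info, "ts": ts,
                       "sender": sender_id}, sort_keys=True).encode()
    return base64.urlsafe_b64encode(body).decode() + "." + sign(body)


def authenticate(token: str, now=None):
    """Authentication server (claims 13-16). Returns (passed, user_info, reason)."""
    ts_now = time.time() if now is None else now
    try:
        b64, sig = token.split(".", 1)
        body = base64.urlsafe_b64decode(b64)
    except (ValueError, binascii.Error):
        return False, None, "malformed token"
    # Claim 16: signature check comes first; a failure is reported back, nothing else runs.
    if not hmac.compare_digest(sign(body), sig):
        return False, None, "signature verification failed"
    fields = json.loads(body)
    # Claim 13: the cached user info is removed whatever the verdict, so a token is single use.
    cached = user_cache.pop(fields["tid"], None)
    if cached is None:
        return False, None, "no cached user info (replayed or unknown token)"
    # Claim 14: freshness check on the difference between current and token timestamps.
    if not 0 <= ts_now - fields["ts"] <= MAX_TOKEN_AGE_S:
        return False, None, "timestamp check failed"
    # Claim 15: the sender must be in the identifier library.
    if fields["sender"] not in VALID_SENDERS:
        return False, None, "unknown sender"
    return True, cached, "authentication passed"
```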

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110853651.5A CN113505397B (en) 2021-07-27 2021-07-27 Authorization method, server, system and storage medium

Publications (2)

Publication Number Publication Date
CN113505397A CN113505397A (en) 2021-10-15
CN113505397B true CN113505397B (en) 2025-01-10

Family

ID=78014263

Country Status (1)

Country Link
CN (1) CN113505397B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant