Platform authorization method, platform service end, application client and system
Technical field
The present invention relates to the field of computer communication technology, and more particularly to a platform authorization method, a platform service end, an application client and a system.
Background technology
An open platform is an open infrastructure service platform provided by a website for third parties, such as the open cloud platforms of Baidu, Tencent, Ali and Sina Weibo. To obtain the high-value cloud capabilities and user data that these open platforms offer, a third-party application client accesses the open authorization interface provided by each major platform in order to obtain the authorization access token that is produced after the user authorizes the application client on that platform, and then uses the access token to call the OpenAPI (Open Application Programming Interface) provided by each platform, so as to obtain the cloud capabilities and the related user data that the application client needs on the corresponding open platform.
In the prior art, before a user can authorize an application client, the user must first log in to the platform with an existing account; otherwise the platform cannot know which user is authorizing the corresponding application client. To ensure security, the application client is typically required to load the login authorization page provided by the corresponding platform in a WebView or an external browser, and the user logs in and authorizes on that page, so that the application client never directly touches sensitive information such as the user's account and password. In practice this flow is often very unfriendly:
First, authorization requires loading a web page, and the loading speed of that page depends on the network speed of the user's mobile device; in most 2G environments the page loads extremely slowly, and the user must wait a long time before the login authorization interface appears;
Second, because the web page is provided uniformly by the open platform, a third-party application usually cannot flexibly customize its style, layout or content; the page's style often differs greatly from the application client's own style, which third-party applications, especially third-party games, find hard to accept;
Third, if the application client loads the login authorization page through an external browser, the user experience drops sharply; if it loads the page through a WebView, the third-party application still has ways to capture sensitive information such as the account and password the user enters, so security is not high enough;
Fourth, when an application client needs user data and cloud capabilities from several open platforms at once in order to implement a single function, it must do everything it can to guide the user through login authorization on each platform in turn; if a login authorization interface is shown for every login authorization, such work basically cannot be carried out effectively. The application client needs the user to complete authorization on multiple platforms smoothly and without interruption in order to achieve the maximum conversion rate.
The content of the invention
In view of this, embodiments of the present invention provide a platform authorization method, a platform service end, an application client and a system, to improve the mechanism by which an application client obtains authorization from a platform service end.
In a first aspect, an embodiment of the present invention provides a platform authorization method at a platform service end, including:
the platform service end receives a first verification message sent by an application client through a first path and obtains the terminal identifier of the terminal where the application client is located, the first verification message including a random string;
the platform service end records the mapping relation between the received random string and the terminal identifier;
the platform service end receives a second verification message sent by the application client through a second path, the second verification message including the random string, an identity cipher string generated by the application client by encrypting authentication information with a predetermined encryption algorithm, and the identity identifier that corresponds to the authentication information at the platform service end in the registration process;
the platform service end reads from a database, according to the received identity identifier, the authentication information submitted in the registration process, and decrypts the identity cipher string with a preset decryption algorithm;
if the platform service end verifies that the authentication information obtained by decryption is consistent with the authentication information read from the database, it extracts the corresponding terminal identifier from the recorded mapping relations according to the random string, and obtains the corresponding user account information according to the terminal identifier;
the platform service end generates an authorization access token according to the user account information and the authentication information, and sends it to the application client.
In a second aspect, an embodiment of the present invention further provides a platform authorization method of an application client, including:
the application client sends a first verification message to a platform service end through a first path, the first verification message including a random string, so that the platform service end records the mapping relation between the random string and the terminal identifier of the terminal where the application client is located;
the application client encrypts authentication information with a predetermined encryption algorithm to generate an identity cipher string;
the application client sends a second verification message to the platform service end through a second path, the second verification message including the random string, the identity cipher string, and the identity identifier that corresponds to the authentication information at the platform service end in the registration process, so that the platform service end reads from a database, according to the identity identifier, the authentication information submitted in the registration process, decrypts the identity cipher string with a preset decryption algorithm, and, if the platform service end verifies that the authentication information obtained by decryption is consistent with the authentication information read from the database, extracts the corresponding terminal identifier from the recorded mapping relations according to the random string, obtains the corresponding user account information according to the terminal identifier, and generates an authorization access token according to the user account information and the authentication information;
the application client receives the authorization access token sent by the platform service end.
In a third aspect, an embodiment of the present invention further provides a platform service end, including:
a first verification message receiving unit, for receiving a first verification message sent by an application client through a first path and obtaining the terminal identifier of the terminal where the application client is located, the first verification message including a random string;
a mapping relation recording unit, for recording the mapping relation between the received random string and the terminal identifier;
a second verification message receiving unit, for receiving a second verification message sent by the application client through a second path, the second verification message including the random string, an identity cipher string generated by the application client by encrypting authentication information with a predetermined encryption algorithm, and the identity identifier that corresponds to the authentication information at the platform service end in the registration process;
an information extraction and decryption unit, for reading from a database, according to the received identity identifier, the authentication information submitted in the registration process, and decrypting the identity cipher string with a preset decryption algorithm;
an account information acquiring unit, for extracting, if the authentication information obtained by decryption is verified to be consistent with the authentication information read from the database, the corresponding terminal identifier from the recorded mapping relations according to the random string, and obtaining the corresponding user account information according to the terminal identifier;
an authorization unit, for generating an authorization access token according to the user account information and the authentication information, and sending it to the application client.
In a fourth aspect, an embodiment of the present invention further provides an application client, including:
a first verification message sending unit, for sending a first verification message to a platform service end through a first path, the first verification message including a random string, so that the platform service end records the mapping relation between the random string and the terminal identifier of the terminal where the application client is located;
an encryption unit, for encrypting authentication information with a predetermined encryption algorithm to generate an identity cipher string;
a second verification message sending unit, for sending a second verification message to the platform service end through a second path, the second verification message including the random string, the identity cipher string, and the identity identifier that corresponds to the authentication information at the platform service end in the registration process, so that the platform service end reads from a database, according to the identity identifier, the authentication information submitted in the registration process, decrypts the identity cipher string with a preset decryption algorithm, and, if the platform service end verifies that the authentication information obtained by decryption is consistent with the authentication information read from the database, extracts the corresponding terminal identifier from the recorded mapping relations according to the random string, obtains the corresponding user account information according to the terminal identifier, and generates an authorization access token according to the user account information and the authentication information;
an authorization access token receiving unit, for receiving the authorization access token sent by the platform service end.
In a fifth aspect, an embodiment of the present invention further provides a platform authorization method, including:
the application client sends a first verification message to a platform service end through a first path, the first verification message including a random string;
the platform service end receives the first verification message sent by the application client through the first path and obtains the terminal identifier of the terminal where the application client is located;
the platform service end records the mapping relation between the received random string and the terminal identifier;
the application client encrypts authentication information with a predetermined encryption algorithm to generate an identity cipher string;
the application client sends a second verification message to the platform service end through a second path, the second verification message including the random string, the identity cipher string, and the identity identifier that corresponds to the authentication information at the platform service end in the registration process;
the platform service end receives the second verification message sent by the application client through the second path;
the platform service end reads from a database, according to the received identity identifier, the authentication information submitted in the registration process, and decrypts the identity cipher string with a preset decryption algorithm;
if the platform service end verifies that the authentication information obtained by decryption is consistent with the authentication information read from the database, it extracts the corresponding terminal identifier from the recorded mapping relations according to the random string, and obtains the corresponding user account information according to the terminal identifier;
the platform service end generates an authorization access token according to the user account information and the authentication information, and sends it to the application client;
the application client receives the authorization access token sent by the platform service end.
In a sixth aspect, an embodiment of the present invention further provides a platform authorization system, including the platform service end provided by any embodiment of the present invention and the application client provided by any embodiment of the present invention.
In the technical scheme proposed by the embodiments of the present invention, the application client sends to the platform service end, through two separate paths, a first verification message including a random string and a second verification message including the random string, an identity cipher string and an identity identifier. If the platform service end verifies that the authentication information obtained by decrypting the received identity cipher string is consistent with the authentication information read from the database, it obtains the corresponding user account information according to the random string, generates an authorization access token according to the user account information and the authentication information, and sends it to the application client. No login through a web page is needed, so the user is unaware of the authorization process, and the security of authorization is further improved.
Brief description of the drawings
To illustrate the technical schemes of the embodiments of the present invention more clearly, the drawings needed in the description of the embodiments are briefly introduced below. Obviously, the drawings in the following description are only some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from the content of the embodiments and these drawings without creative work.
Fig. 1 is a flow chart of the platform authorization method at the platform service end according to embodiment one of the present invention;
Fig. 2 is a flow chart of the platform authorization method of the application client according to embodiment two of the present invention;
Fig. 3 is a structural block diagram of the platform service end according to embodiment three of the present invention;
Fig. 4 is a structural block diagram of the application client according to embodiment four of the present invention;
Fig. 5 is a schematic diagram of the interaction between the platform service end and the application client in the platform authorization method according to embodiment five of the present invention;
Fig. 6 is a flow chart of the platform authorization method according to embodiment six of the present invention.
Specific embodiment
To make the technical problem solved, the technical scheme adopted and the technical effect achieved by the present invention clearer, the technical schemes of the embodiments of the present invention are described in further detail below with reference to the drawings. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by those skilled in the art on the basis of the embodiments of the present invention without creative work fall within the scope of protection of the present invention.
The technical scheme of the present invention is further illustrated below with reference to the drawings and through specific embodiments.
Embodiment one
Fig. 1 is a flow chart of the platform authorization method at the platform service end provided by embodiment one of the present invention. This embodiment is applicable where an application client that requests to call the OpenAPI of an open platform needs to obtain an authorization access token through terminal user authorization; the application client may be application software, an instant messaging client or an entertainment client installed in a terminal, or a system tool on the terminal, i.e. a third-party application. The method may be performed by a platform service end, which is a server capable of providing platform services to third-party applications. As shown in Fig. 1, the platform authorization method at the platform service end in this embodiment includes:
S101, the platform service end receives a first verification message sent by an application client through a first path and obtains the terminal identifier of the terminal where the application client is located, the first verification message including a random string.
To prevent an application client from maliciously obtaining the platform side's user data, the first verification message sent through the first path is preferably sent to the platform service end through a system interface provided by the terminal system; for example, a short message interface may be called so that the first verification message is forwarded through a short message gateway.
Preferably, the application client generates the random string and creates a verification short message that contains the random string and whose destination address is the platform service end. The application client sends the verification short message to the short message gateway, instructing the gateway to perform protocol conversion on it, generate a first verification message containing the random string, and send it to the platform service end. The short message gateway can extract the terminal identifier of the sending side from the verification short message and carry it in the first verification message; after receiving the message, the platform service end extracts the random string and the terminal identifier.
S102, the platform service end records the mapping relation between the received random string and the terminal identifier.
The terminal identifier is an identification code that uniquely distinguishes a terminal: whenever the platform service end receives a first verification message sent by an application client through the first path, the identifier tells it which terminal sent the message. The terminal identifier includes, but is not limited to, a telephone number and a device identifier of the terminal. Since the terminal identifier is usually what the user uses to identify their own account, account information can be obtained from it.
S103, the platform service end receives a second verification message sent by the application client through a second path, the second verification message including the random string, an identity cipher string generated by the application client by encrypting authentication information with a predetermined encryption algorithm, and the identity identifier that corresponds to the authentication information at the platform service end in the registration process.
When an application client or application server registers with the platform service end, the platform service end assigns it an identity identifier that uniquely identifies it; an identity identifier and its corresponding authentication information may correspond to a single application client, or to all application clients of one class of application service. At the same time, for security, each application client or application server also submits authentication information (such as a key) to the platform service end during registration, for use in authentication. The platform service end records the mapping relation between the identity identifier and the authentication information in a database for associated lookup. Whenever an application client or application server initiates an access request to the platform service end, it must send the identity identifier and the authentication information for identity distinction and authentication; for example, the authentication information may be a package name and a package signature.
Further, the second verification message may also include the list of data access permissions that the application client expects to obtain.
To ensure security, the second path may be based on the SSL (Secure Sockets Layer) protocol, and further may be based on the HTTPS (Hyper Text Transfer Protocol over Secure Socket Layer) protocol. For example, the second verification message sent over the second path may be an HTTPS request transmitted over HTTPS. To prevent an application client from maliciously obtaining the platform side's user data through the second path, the application client needs to apply the necessary security protection to the second path so as to raise the difficulty and cost for other clients of using that path, for example by providing a SOCKET interface instead of an HTTP (Hypertext Transfer Protocol) interface, applying symmetric or asymmetric encryption to the second verification message, adding a processing strategy against cross-site request forgery attacks, and so on.
S104, the platform service end reads from a database, according to the received identity identifier, the authentication information submitted in the registration process, and decrypts the identity cipher string with a preset decryption algorithm.
The platform service end extracts the authentication information from the recorded mapping relations between identity identifiers and authentication information according to the received identity identifier.
To further improve security, this operation may preferably also add an expiry judgement to determine whether the message has expired. Specifically: after decrypting the identity cipher string, the platform service end also judges whether the difference between the network timestamp obtained by decryption and the current system timestamp lies within a preset threshold range, and triggers the following operation only if it does. Correspondingly, the network timestamp is the current timestamp that the application client adds into the identity cipher string when it produces the identity cipher string.
S105, if the platform service end verifies that the authentication information obtained by decryption is consistent with the authentication information read from the database, it extracts the corresponding terminal identifier from the recorded mapping relations according to the random string, and obtains the corresponding user account information according to the terminal identifier.
S106, the platform service end generates an authorization access token according to the user account information and the authentication information, and sends it to the application client.
The platform service end may send the generated authorization access token to the application client through the first path or the second path; because of the data size and for convenience of using the received data, it is preferably sent through the second path.
With the authorization access token obtained from the platform service end or application service end, the application client of the third-party application can call the OpenAPI interfaces provided by the platform side to obtain the corresponding cloud capabilities and user data.
Preferably, this operation may also include: the platform service end obtains by decryption the expected data access permission list provided by the application client, and generates the authorization access token according to the user account information, the authentication information and the expected data access permission list.
Further, if the operation of obtaining the corresponding user account information according to the terminal identifier fails, new user account information is obtained by registration according to the terminal identifier. That is, if the account information does not exist, a user account can be registered automatically according to the terminal identifier obtained through the first path.
Further, the platform service end may also include in the access token the permission information opened to the application client and/or the data access permission list that it expects to obtain. It should be noted that this embodiment is applicable where one application client requests authorization access tokens from one or more open platforms.
It should be noted that the first path and the second path in this embodiment are two different paths. The application client may send the verification messages through the two paths at the same time or one after the other, provided only that operation S102 has completed before the step in operation S105 of extracting the corresponding terminal identifier from the recorded mapping relations according to the random string. Preferably the first verification message and the second verification message are sent at the same time, or the first verification message is sent before the second.
In the technical scheme proposed by this embodiment, the platform service end receives from the application client, through two separate paths, a first verification message including a random string and a second verification message including the random string, an identity cipher string and an identity identifier. If the platform service end verifies that the authentication information obtained by decrypting the received identity cipher string is consistent with the authentication information read from the database, it obtains the corresponding user account information according to the random string, generates an authorization access token according to the user account information and the authentication information, and sends it to the application client, so that the user is unaware of the authorization process and the security of authorization is further improved.
Embodiment two
Fig. 2 is a flow chart of the platform authorization method of the application client provided by embodiment two of the present invention. This embodiment is applicable where an application client that requests to call the OpenAPI of an open platform needs to obtain an authorization access token through terminal user authorization; the application client may be application software, an instant messaging client or an entertainment client installed in a terminal, or a system tool on the terminal, i.e. a third-party application. The method may be performed by the application client. As shown in Fig. 2, the platform authorization method of the application client in this embodiment includes:
S201, the application client sends a first verification message to a platform service end through a first path, the first verification message including a random string.
To prevent an application client from maliciously obtaining the platform side's user data, the first verification message sent through the first path is preferably sent to the platform service end through a system interface provided by the system; for example, the first verification message may be forwarded through a short message gateway.
Preferably, the application client generates the random string and creates a verification short message that contains the random string and whose destination address is the platform service end. The application client sends the verification short message to the short message gateway, instructing the gateway to perform protocol conversion on it, generate a first verification message containing the random string, and send it to the platform service end. The short message gateway can extract the terminal identifier of the sending side from the verification short message and carry it in the first verification message; after receiving the message, the platform service end extracts the random string and the terminal identifier.
S202, the application client encrypts authentication information with a predetermined encryption algorithm to generate an identity cipher string.
S203, the application client sends a second verification message to the platform service end through a second path, the second verification message including the random string, the identity cipher string, and the identity identifier that corresponds to the authentication information at the platform service end in the registration process.
Further, the second verification message may also include the list of data access permissions that the application client expects to obtain, so that the application client clearly states to the platform service end the data range of the access permissions it applies for.
To ensure security, the second path may be based on the SSL protocol, and further may be based on the HTTPS protocol. For example, the second path may carry an HTTPS request transmitted over HTTPS. To prevent an application client from maliciously obtaining the platform side's user data through the second path, the application client needs to apply the necessary security protection to the second path so as to raise the difficulty and cost for other clients of using that path, for example by providing a SOCKET interface instead of an HTTP interface, applying symmetric or asymmetric encryption to the second verification message, adding a processing strategy against cross-site request forgery attacks, and so on.
S204, the application client receives the authorization access token sent by the platform service end.
It should be noted that the first path and the second path in this embodiment are two different paths. The application client may send the verification messages through the two paths at the same time or one after the other, provided only that the first verification message has been sent successfully to the platform service end through the first path before the platform service end extracts the corresponding terminal identifier from the recorded mapping relations according to the random string. Preferably the first verification message and the second verification message are sent at the same time, or the first verification message is sent before the second.
In the technical scheme proposed by this embodiment, the application client sends to the platform service end, through two separate paths, a first verification message including a random string and a second verification message including the random string, an identity cipher string and an identity identifier, so that the platform service end returns an authorization access token; this further improves the security of authorization and leaves the user unaware of the authorization process.
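As an added illustration, not code from the patent, the following Python simulates the two-path exchange of embodiments one and two end to end: the platform service end's steps S101 to S106 (including the expiry judgement and the automatic account registration) and the application client's steps S201 to S204. The short message gateway's role of attaching the sender's terminal identifier is played by `run_authorization`; the encryption is a constructed stand-in for the unspecified "predetermined encryption algorithm"; the platform key shared with the client SDK, the in-memory tables, the sample identity "app-001" and all function names are assumptions.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Stand-in for the unspecified "predetermined encryption algorithm": a SHA-256
# counter-mode keystream under a fresh nonce, XORed over the plaintext. It is
# illustrative and gives no integrity on its own; as in the patent, the server
# detects tampering by comparing the decrypted authentication info with its database.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def encrypt(key: bytes, plaintext: bytes) -> str:
    nonce = secrets.token_bytes(16)
    ks = _keystream(key, nonce, len(plaintext))
    return base64.b64encode(nonce + bytes(a ^ b for a, b in zip(plaintext, ks))).decode()

def decrypt(key: bytes, cipher_string: str) -> bytes:
    raw = base64.b64decode(cipher_string)
    nonce, ct = raw[:16], raw[16:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class PlatformServer:
    """Platform service end: registration database, random string -> terminal
    identifier mapping (S102), user accounts and issued tokens (all in memory)."""

    def __init__(self, platform_key: bytes, max_age_s: int = 300):
        self.key = platform_key          # assumed shared with the client SDK
        self.max_age_s = max_age_s       # preset threshold for the timestamp check
        self.registrations = {}          # identity identifier -> authentication info
        self.mappings = {}               # random string -> terminal identifier
        self.accounts = {}               # terminal identifier -> user account
        self.tokens = {}                 # access token -> what it authorizes

    def register_application(self, identity: str, auth_info: str) -> None:
        self.registrations[identity] = auth_info

    def receive_first_message(self, random_string: str, terminal_id: str) -> None:
        # S101/S102: the first path (the SMS gateway) supplies the terminal identifier.
        self.mappings[random_string] = terminal_id

    def receive_second_message(self, msg: dict, now=None):
        """S103-S106 over the second (HTTPS) path. Returns (token, "ok") or (None, reason)."""
        now = time.time() if now is None else now
        expected = self.registrations.get(msg.get("identity"))
        if expected is None:
            return None, "unknown identity"
        try:
            payload = json.loads(decrypt(self.key, msg.get("cipher", "")))   # S104
        except (ValueError, TypeError):
            payload = None
        if not isinstance(payload, dict):
            return None, "undecryptable identity cipher string"
        ts = payload.get("ts")                                               # expiry judgement
        if not isinstance(ts, (int, float)) or abs(now - ts) > self.max_age_s:
            return None, "expired"
        if not hmac.compare_digest(str(payload.get("auth", "")).encode(), expected.encode()):
            return None, "authentication info mismatch"                    # S105
        terminal_id = self.mappings.pop(msg.get("random"), None)  # one-shot: random string is consumed
        if terminal_id is None:
            return None, "no terminal mapping for random string"
        account = self.accounts.get(terminal_id)
        if account is None:  # no account yet: register one from the terminal identifier
            account = {"user_id": "u-" + hashlib.sha256(terminal_id.encode()).hexdigest()[:8]}
            self.accounts[terminal_id] = account
        token = secrets.token_urlsafe(24)                                    # S106
        self.tokens[token] = {"user_id": account["user_id"], "identity": msg["identity"],
                              "scopes": list(msg.get("scopes") or [])}
        return token, "ok"

class ApplicationClient:
    """Application client: builds the first (S201) and second (S202/S203) messages."""

    def __init__(self, identity: str, auth_info: str, platform_key: bytes, terminal_id: str):
        self.identity, self.auth_info, self.key = identity, auth_info, platform_key
        self.terminal_id = terminal_id   # known to the SMS gateway, never put in a message

    def build_messages(self, now=None, scopes=None):
        now = time.time() if now is None else now
        random_string = secrets.token_hex(8)
        first = {"random": random_string}                                   # goes out by SMS
        payload = json.dumps({"auth": self.auth_info, "ts": now}).encode()   # network timestamp
        second = {"random": random_string, "identity": self.identity,
                  "cipher": encrypt(self.key, payload), "scopes": list(scopes or [])}
        return first, second

def run_authorization(server, client, now=None, scopes=None):
    """Drive both paths: the gateway attaches the terminal id, HTTPS carries the rest."""
    first, second = client.build_messages(now, scopes)
    server.receive_first_message(first["random"], client.terminal_id)
    return server.receive_second_message(second, now)
```

Sending the second message before the first, a stale timestamp, a forged authentication string or a wrong key each yields `(None, reason)` instead of a token, which is the ordering constraint and the expiry judgement of the embodiments made explicit.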
Embodiment three
Fig. 3 is a structural block diagram of the platform service end described in embodiment three of the present invention. As shown in Fig. 3, the platform service end of this embodiment includes:
a first verification message receiving unit 301, for receiving a first verification message sent by the applications client over a first path and obtaining the terminal identifier of the terminal where the applications client is located, the first verification message including a random string;
a mapping relation recording unit 302, for recording the mapping relation between the received random string and the terminal identifier;
a second verification message receiving unit 303, for receiving a second verification message sent by the applications client over a second path, the second verification message including the random string, an identity ciphering string generated by the applications client by encrypting identity authentication information with a predetermined encryption algorithm, and the identity identifier corresponding to the identity authentication information at the platform service end during registration;
an information extraction and decryption unit 304, for reading from the database, according to the received identity identifier, the identity authentication information submitted during registration, and decrypting the identity ciphering string with a default decryption algorithm;
an account information acquiring unit 305, for, if the decrypted identity authentication information is verified to be consistent with the identity authentication information read from the database, extracting the corresponding terminal identifier from the recorded mapping relations according to the random string, and obtaining the corresponding user account information according to the terminal identifier;
an authorization unit 306, for generating an authorization access token according to the user account information and the identity authentication information and sending it to the applications client.
Further, the first verification message receiving unit 301 is specifically for: receiving the first verification message forwarded by the SMS gateway, where the first verification message is the message obtained by the SMS gateway after performing protocol format conversion on the verification short message sent by the applications client, and the random string is carried in the verification short message;
and obtaining from the first verification message the terminal identifier of the terminal where the applications client is located, the terminal identifier being the short message sender's terminal identifier extracted from the verification short message by the SMS gateway.
Further, the second path may be based on the SSL protocol, and further on the HTTPS protocol.
Further, the account information acquiring unit 305 also includes a timestamp judging subunit, which is used, after the identity ciphering string has been decrypted with the default decryption algorithm, to trigger the subsequent operations only if the difference between the decrypted network timestamp and the current system timestamp is determined to be within a predetermined threshold. Correspondingly, the network timestamp is the current timestamp that the applications client adds to the identity ciphering string, as a network timestamp, when generating the identity ciphering string.
Further, the account information acquiring unit 305 also includes a new account registration subunit, which is used, after the corresponding user account information is obtained according to the terminal identifier, to register a new user account according to the terminal identifier and obtain the new user account information if the operation of obtaining the corresponding user account information according to the terminal identifier fails.
Further, the authorization unit 306 is additionally used to decrypt and obtain the expected data access permission list provided by the applications client, and to generate the authorization access token according to the user account information, the identity authentication information and the expected data access permission list.
Further, the identity authentication information includes a package name and a package signature.
Further, the terminal identifier is a mobile phone number.
The platform service end provided by this embodiment can execute the platform authorization method of the platform service end provided by embodiment one of the present invention, and has the corresponding functional modules and beneficial effects of executing that method.
Embodiment four
Fig. 4 is a structural block diagram of the applications client described in embodiment four of the present invention. As shown in Fig. 4, the applications client of this embodiment includes:
a first verification message sending unit 401, for sending a first verification message to the platform service end over a first path, the first verification message including a random string, so that the platform service end records the mapping relation between the random string and the terminal identifier of the terminal where the applications client is located;
an encryption unit 402, for encrypting identity authentication information with a predetermined encryption algorithm to generate an identity ciphering string;
a second verification message sending unit 403, for sending a second verification message to the platform service end over a second path, the second verification message including the random string, the identity ciphering string, and the identity identifier corresponding to the identity authentication information at the platform service end during registration, so that the platform service end reads from the database, according to the identity identifier, the identity authentication information submitted during registration, and decrypts the identity ciphering string with a default decryption algorithm; if the platform service end verifies that the decrypted identity authentication information is consistent with the identity authentication information read from the database, it extracts the corresponding terminal identifier from the recorded mapping relations according to the random string, obtains the corresponding user account information according to the terminal identifier, and generates an authorization access token according to the user account information and the identity authentication information;
an authorization access token receiving unit 404, for receiving the authorization access token sent by the platform service end.
Further, the first verification message sending unit 401 is specifically for: generating a random string and creating a verification short message that contains the random string and whose destination address is the platform service end; and,
sending the verification short message to the SMS gateway, to instruct the SMS gateway to perform protocol conversion on the verification short message, extract the short message sender's terminal identifier of the verification short message, generate the first verification message containing the random string, and send it to the platform service end.
The second verification message sending unit 403 is specifically for: sending an HTTPS request containing the second verification message to the platform service end based on the Hypertext Transfer Protocol Secure (HTTPS).
The applications client provided by this embodiment can execute the platform authorization method of the applications client provided by embodiment two of the present invention, and has the corresponding functional modules and beneficial effects of executing that method.
Further, the identity authentication information includes a package name and a package signature.
Further, the terminal identifier is a mobile phone number.
Embodiment five
Fig. 5 is a schematic diagram of the interaction between the platform service end and the applications client in the platform authorization method of the platform service end and the platform authorization method of the applications client described in embodiment five of the present invention. This embodiment is mainly applied to mobile phone application programs on the Android system (hereinafter called applications clients), and is based on a system composed of a platform service end, an applications client and an SMS gateway. As shown in Fig. 5, the method of this embodiment includes:
501, the applications client sends a first verification message containing a random string to the platform service end.
That is, the applications client sends a short message to the platform service end. The applications client generates a random short message content string in the format required by the platform side and, by calling the interface for directly sending short messages provided by the system, sends the short message content string to the SMS gateway provided by the platform side, to instruct the gateway to perform protocol conversion on the verification short message, extract the short message sender's terminal identifier of the verification short message, generate the first verification message containing the random string, and send it to the platform service end.
502, the SMS gateway sends the terminal identifier of the terminal where the client is located and the first verification message to the platform service end.
The SMS gateway forwards the short message content string and the mobile phone number that sent the short message to the platform service end of the platform side by sending an HTTP request based on the Hypertext Transfer Protocol (HTTP);
after receiving the short message content string and the mobile phone number, the platform service end stores in the caching system a mapping relation from the short message content string to the mobile phone number, and sets a certain expiry time (typically short, for example 1 minute).
503, the applications client sends a second verification message to the platform service end, containing the random string, the identity ciphering string and the identity identifier.
The verification information is sent over the internet. After the applications client has successfully sent the short message, it calls the interface provided by the SDK (Software Development Kit) package of the platform side to obtain the identity authentication information of the current applications client. The identity authentication information is an encrypted string generated by symmetric encryption of information such as the package name and package signature of the applications client, the current network timestamp and a default fixed key. To prevent the specific encryption algorithm from being obtained by third parties, which would affect the security of this technical solution, the whole signature algorithm (including the acquisition of data such as the applications client package name, package signature and default key) is implemented in a C/C++ code layer through JNI (Java Native Interface);
the applications client sends the short message content string, the applications client identity authentication information, the list of data access permissions it expects to obtain, and the application ID allocated by the platform side when the applications client registered (that is, the identity identifier corresponding to the identity authentication information at the platform service end during registration) to the authorization server of the platform side to obtain an access token. To ensure security, this network request generally needs to be based on SSL (Secure Sockets Layer), for example by sending an HTTPS request containing the second verification message to the platform service end over the HTTPS protocol;
after the platform service end receives the request, it decrypts the applications client identity verification information to obtain the network timestamp, the applications client package name and package signature and other information, then judges whether the difference between the current system timestamp and the network timestamp is within the preset threshold; if not, the request is considered a replay attack and the corresponding error message is returned directly, otherwise the next step proceeds.
The platform service end reads from the database, according to the application ID, the applications client package name and package signature submitted when the applications client registered on the platform, together with the permission information opened by the platform side to the applications client, and judges whether the read applications client package name and package signature are consistent with the values of the applications client package name and package signature decrypted from the applications client identity authentication information; if they are inconsistent, the request is considered a forgery attack and the corresponding error message is returned directly, otherwise the next step proceeds;
the platform service end reads the corresponding mobile phone number from the caching system according to the short message content string, and obtains the corresponding user account information according to the mobile phone number (if the account information does not exist, a user account is automatically registered according to the mobile phone number); it then generates an authorization access token according to data such as the user account information, the application ID, the permission information opened by the platform side to the applications client, and the data access permission list.
504, the platform service end returns the generated authorization access token to the applications client.
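The server-side checks of steps 502 to 504 above, as an added Go example that is not the patent's code: the cached mapping with expiry, decryption of the identity ciphering string, the timestamp replay check, the package name/signature forgery check and token issue. AES-128-GCM under a fixed 16-byte key, JSON as the plaintext layout and a 5-minute replay threshold are assumptions; the patent specifies only symmetric encryption with a default fixed key and a preset threshold.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"errors"
	"time"
)

type identity struct { // plaintext behind the "identity ciphering string" of step 503
	Pkg string `json:"pkg"` // package name
	Sig string `json:"sig"` // package signature
	TS  int64  `json:"ts"`  // network timestamp (unix seconds) for the replay check
}
type PlatformServer struct {
	Key    []byte               // fixed key shared with the client SDK (AES-128-GCM assumed; patent says only "symmetric")
	Apps   map[string]identity  // application ID -> package name/signature submitted at registration
	Phone  map[string]string    // step-502 cache: random string -> sender's phone number
	Expiry map[string]time.Time // random string -> cache entry expiry
}
func gcm(key []byte) cipher.AEAD { // keys in this example are constructed 16-byte values
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	return g
}
func Seal(key []byte, id identity) []byte { // client side of step 503: nonce || AES-GCM(json(identity))
	pt, _ := json.Marshal(id)
	nonce := make([]byte, 12) // standard GCM nonce length
	rand.Read(nonce)
	return gcm(key).Seal(nonce, nonce, pt, nil)
}
func (s *PlatformServer) RecordMapping(randStr, phone string) { // step 502, forwarded by the SMS gateway
	s.Phone[randStr] = phone
	s.Expiry[randStr] = time.Now().Add(time.Minute) // the patent suggests about 1 minute
}
// Authorize is steps 503-504: decrypt, replay check, forgery check, mapping lookup, token issue.
func (s *PlatformServer) Authorize(randStr string, identEnc []byte, appID string) (string, error) {
	app, ok := s.Apps[appID]
	if !ok || len(identEnc) < 12 {
		return "", errors.New("unknown application id or malformed identity string")
	}
	pt, err := gcm(s.Key).Open(nil, identEnc[:12], identEnc[12:], nil)
	var id identity
	if err != nil || json.Unmarshal(pt, &id) != nil {
		return "", errors.New("identity string does not decrypt under the fixed key")
	}
	if d := time.Since(time.Unix(id.TS, 0)); d > 5*time.Minute || d < -5*time.Minute { // threshold assumed
		return "", errors.New("replay: network timestamp outside threshold")
	}
	if id.Pkg != app.Pkg || id.Sig != app.Sig {
		return "", errors.New("forgery: package name or signature mismatch")
	}
	phone, ok := s.Phone[randStr]
	if !ok || time.Now().After(s.Expiry[randStr]) {
		return "", errors.New("no live mapping for random string")
	}
	delete(s.Phone, randStr) // one-time use; account lookup/auto-registration by phone number omitted
	tok := make([]byte, 16)
	rand.Read(tok)
	return "user:" + phone + ":" + hex.EncodeToString(tok), nil
}
```

A real platform service end would look the user account up (or auto-register it) by the phone number before minting the token, as step 503 describes; the token here is simply bound to the phone number.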
OpenAPI is a common application form on service-type websites: the website's service provider packages its own website services into a series of APIs (Application Programming Interfaces) and opens them up for third-party developers to use; the opened APIs are called OpenAPIs. After the applications client obtains the authorization access token, it can call the OpenAPI interfaces provided by the platform side with the access token to obtain the corresponding cloud capabilities and user data.
Because, after the user triggers a one-key authorization request by mobile phone number, no other user interface appears during the whole process, if multiple platforms all support this technique, the applications client can complete the acquisition of the authorization access tokens of each platform by calling multiple interfaces, thereby solving the fourth problem described above.
Embodiment six
Fig. 6 is a flow chart of the platform authorization method provided by embodiment six of the present invention. This embodiment is applicable to the situation in which an applications client needs to obtain an authorization access token from the user of a terminal when requesting to call an OpenAPI of an open platform, where the applications client may be application software, an instant messaging client or an entertainment client installed in the terminal, or a system tool in the terminal, that is, a third-party application. The method is executed by the platform service end and the applications client. As shown in Fig. 6, the platform authorization method of this embodiment includes:
S601, the applications client sends a first verification message to the platform service end over a first path, the first verification message including a random string.
S602, the platform service end receives the first verification message sent by the applications client over the first path and obtains the terminal identifier of the terminal where the applications client is located.
S603, the platform service end records the mapping relation between the received random string and the terminal identifier.
S604, the applications client encrypts identity authentication information with a predetermined encryption algorithm to generate an identity ciphering string.
S605, the applications client sends a second verification message to the platform service end over a second path, the second verification message including the random string, the identity ciphering string, and the identity identifier corresponding to the identity authentication information at the platform service end during registration.
S606, the platform service end receives the second verification message sent by the applications client over the second path.
S607, the platform service end reads from the database, according to the received identity identifier, the identity authentication information submitted during registration, and decrypts the identity ciphering string with a default decryption algorithm.
S608, if the platform service end verifies that the decrypted identity authentication information is consistent with the identity authentication information read from the database, it extracts the corresponding terminal identifier from the recorded mapping relations according to the random string, and obtains the corresponding user account information according to the terminal identifier.
S609, the platform service end generates an authorization access token according to the user account information and the identity authentication information and sends it to the applications client.
S610, the applications client receives the authorization access token sent by the platform service end.
For the details of each operation in the technical scheme proposed by this embodiment, see the corresponding operations in embodiment one and embodiment two; this embodiment has the beneficial effects of embodiment one and embodiment two.
An embodiment of the present invention additionally provides a platform authorization system, including the platform service end provided by any embodiment of the present invention and the applications client provided by any embodiment of the present invention.
All or part of the content of the technical schemes provided by the above embodiments can be implemented by software programming, with the software program stored in a readable storage medium, such as a hard disk, optical disc or floppy disk in a computer.
Note that the above are only preferred embodiments of the present invention and the technical principles applied. Those skilled in the art will understand that the invention is not restricted to the specific embodiments described here; various obvious changes, readjustments and substitutions can be made by those skilled in the art without departing from the scope of protection of the present invention. Therefore, although the present invention has been described in further detail through the above embodiments, it is not limited to the above embodiments and may include other equivalent embodiments without departing from the inventive concept, and the scope of the present invention is determined by the scope of the appended claims.