Summary of the invention
An embodiment of the present invention provides a unified verification method. An authentication client and multiple third-party applications run on a terminal device, and the multiple third-party applications correspond to the same user credential. The method includes:
The authentication client performs identity authentication using the user credential;
The authentication client obtains the third-party application list corresponding to the user credential, where the third-party application list records the third-party applications that perform identity authentication using the user credential;
After a third-party application starts, if the authentication client has authenticated successfully, the authentication client judges whether the third-party application is recorded in the third-party application list;
If so, the authentication client notifies the third-party application of its login credential, and the third-party application uses the login credential to perform login authentication with the service server.
The process by which the authentication client performs identity authentication using the user credential specifically includes:
The authentication client performs identity authentication with the authentication, authorization and accounting (AAA) server using the user credential, and receives an identity-authentication-successful or identity-authentication-unsuccessful response message from the AAA server.
The process by which the authentication client obtains the third-party application list corresponding to the user credential specifically includes: the authentication client sends to the application authorization server a message requesting the list of third-party applications that have permission to use the user credential, and receives from the application authorization server a response message carrying the third-party application list; where the application authorization server is configured with the third-party application list of the third-party applications that are allowed to perform identity authentication using the user credential.
After the authentication client judges whether the third-party application is recorded in the third-party application list, the method further includes:
If the third-party application is not recorded in the third-party application list, the authentication client notifies the third-party application that it has no permission to use the user credential, so that the third-party application learns that it cannot perform identity authentication using the user credential.
The user credential specifically includes username information and password information, and the login credential is specifically a login token or a Cookie identifier.
An embodiment of the present invention provides an authentication client. The authentication client and multiple third-party applications run on a terminal device, and the multiple third-party applications correspond to the same user credential. The authentication client includes:
an authentication module, for performing identity authentication using the user credential;
an acquisition module, for obtaining the third-party application list corresponding to the user credential, where the third-party application list records the third-party applications that perform identity authentication using the user credential;
a judgment module, for judging, after a third-party application starts and if the authentication module has authenticated successfully, whether the third-party application is recorded in the third-party application list;
a sending module, for notifying the third-party application of its login credential when the judgment result is yes, so that the third-party application uses the login credential to perform login authentication with the service server.
The authentication module is specifically used to perform identity authentication with the AAA server using the user credential, and to receive an identity-authentication-successful or identity-authentication-unsuccessful response message from the AAA server.
The acquisition module is specifically used to send to the application authorization server a message requesting the list of third-party applications that have permission to use the user credential, and to receive from the application authorization server a response message carrying the third-party application list; where the application authorization server is configured with the third-party application list of the third-party applications that are allowed to perform identity authentication using the user credential.
The sending module is further used to, after it has been judged whether the third-party application is recorded in the third-party application list, and if the third-party application is not recorded in the third-party application list, notify the third-party application that it has no permission to use the user credential, so that the third-party application learns that it cannot perform identity authentication using the user credential.
The user credential includes username information and password information, and the login credential is a login token or a Cookie identifier.
Based on the above technical solution, in the embodiment of the present invention, for multiple applications of the same enterprise, when multiple third-party applications correspond to the same user credential, identity authentication can be performed once for that user credential: the multiple applications need to be authenticated only once and need not repeatedly perform identity authentication with the user credential, which is convenient for users and improves the user experience. By configuring in the third-party application list the third-party applications that are allowed to perform identity authentication using the user credential, it is possible to control which third-party applications may perform identity authentication using the user credential, which facilitates permission control of third-party applications.
Detailed description of the embodiments
To address the problems in the prior art, an embodiment of the present invention provides a unified verification method, applied in a network that includes a terminal device, a service server, an AAA server and an application authorization server. An authentication client and multiple third-party applications (i.e. APPs) run on the terminal device; the multiple third-party applications correspond to the same user credential, and the user credential specifically includes, but is not limited to, username information and password information.
Taking Fig. 2 as the application scenario diagram of the embodiment of the present invention, the authentication client, third-party application 1 (APP1), third-party application 2 (APP2) and third-party application 3 (APP3) run on the operating system platform of the terminal device (such as iOS, Android or Windows). The AAA server is used to perform identity authentication for third-party application 1, third-party application 2 and third-party application 3. The application authorization server is configured with the third-party application list of the third-party applications that are allowed to perform identity authentication using the user credential, i.e. the application authorization server authorizes which third-party applications may use the user credential to perform identity authentication. For example, when the application authorization server authorizes third-party application 1 and third-party application 2 to use the user credential for identity authentication, the third-party application list contains third-party application 1 and third-party application 2. Service server 1 is used to perform login authentication for third-party application 1, and service server 2 is used to perform login authentication for third-party application 2. The authentication client is responsible for the identity authentication of the third-party applications, i.e. it performs identity authentication with the AAA server using the user credential on behalf of the third-party applications, and manages the identity authentication of the third-party applications.
In the above application scenario, as shown in Fig. 3, the unified verification method specifically includes the following steps:
Step 301: the authentication client performs identity authentication using the user credential (i.e. the same user credential corresponding to the multiple third-party applications; the user credential may be, for example, username information and password information).
In the embodiment of the present invention, the process by which the authentication client performs identity authentication using the user credential specifically includes, but is not limited to, the following: the authentication client performs identity authentication with the AAA server using the user credential, and receives an identity-authentication-successful or identity-authentication-unsuccessful response message from the AAA server.
Specifically, the authentication client sends the user credential, such as the username information and password information, to the AAA server, and the AAA server performs identity authentication of the authentication client by comparing the locally stored username information and password information with the username information and password information received from the authentication client. If identity authentication succeeds, the AAA server sends an identity-authentication-successful response message to the authentication client; if identity authentication fails, the AAA server sends an identity-authentication-unsuccessful response message to the authentication client.
Step 302: the authentication client obtains the third-party application list corresponding to the user credential, where the third-party application list records the third-party applications that perform identity authentication using the user credential.
In the embodiment of the present invention, the process by which the authentication client obtains the third-party application list corresponding to the user credential specifically includes, but is not limited to, the following: the authentication client sends to the application authorization server a message requesting the list of third-party applications that have permission to use the user credential, and receives from the application authorization server a response message carrying the third-party application list (which carries information about the third-party applications).
Specifically, the application authorization server may authorize which third-party applications have permission to use the user's unified login, i.e. third-party application authorization is performed on the application authorization server, where the third-party application list of applications allowed to use the unified login function is set; the third-party application list contains the third-party applications that perform identity authentication using the user credential. Assume that the third-party application list contains third-party application 1 and third-party application 2. On this basis, after identity authentication succeeds, the authentication client sends to the application authorization server a message requesting the list of third-party applications that have permission to use the user credential. After receiving this message, the application authorization server returns the list of third-party applications that have this permission to the authentication client; the third-party application list contains third-party application 1 and third-party application 2. After receiving the third-party application list, the authentication client learns that third-party application 1 and third-party application 2 may use the user credential to perform identity authentication.
Step 303: after a third-party application starts, if the authentication client has authenticated successfully, the authentication client judges whether the third-party application is recorded in the third-party application list. If so, the authentication client executes step 304; if not, the authentication client executes step 305.
Step 304: the authentication client notifies the third-party application of its login credential, and the third-party application uses the login credential to perform login authentication with the service server.
Step 305: the authentication client notifies the third-party application that it has no permission to use the user credential, so that the third-party application learns that it cannot perform identity authentication using the user credential.
In the embodiment of the present invention, after a third-party application starts, the third-party application asks the authentication client for the identity authentication result through a software development kit. If the authentication client has not yet performed identity authentication, steps 301 and 302 are executed and the authentication client performs identity authentication. If the authentication client has already performed identity authentication and the authentication was unsuccessful, processing follows the prior art. If the authentication client has already performed identity authentication and the authentication succeeded, the authentication client judges whether the third-party application is recorded in the third-party application list. For third-party application 1, which is in the third-party application list, the authentication client notifies third-party application 1 of login credential 1. For third-party application 2, which is in the third-party application list, the authentication client notifies third-party application 2 of login credential 2. For third-party application 3, which is not in the third-party application list, the authentication client notifies third-party application 3 that it has no permission to use the user credential, so that third-party application 3 learns that it cannot use the user credential to perform identity authentication, i.e. it cannot use the user credential to access the enterprise's service servers.
In the embodiment of the present invention, the login credential may specifically be a login token or a Cookie identifier.
After receiving login credential 1, third-party application 1 logs in to service server 1 using login credential 1. Service server 1 verifies login credential 1 with the AAA server. If verification succeeds, service server 1 returns a login-successful message to third-party application 1, and third-party application 1 can use the services of service server 1. If verification fails, service server 1 returns a login-failed message to third-party application 1, and third-party application 1 cannot use the services of service server 1.
After receiving login credential 2, third-party application 2 logs in to service server 2 using login credential 2. Service server 2 verifies login credential 2 with the AAA server. If verification succeeds, service server 2 returns a login-successful message to third-party application 2, and third-party application 2 can use the services of service server 2. If verification fails, service server 2 returns a login-failed message to third-party application 2, and third-party application 2 cannot use the services of service server 2.
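The complete flow of steps 301 to 305 and the subsequent service-server login, as an added Python example that is not part of the patent: the AAA server, application authorization server, authentication client and service server are constructed in-process stand-ins, the user credential and the application list are made up, the login credential is modelled as a random token, and binding each token to the application it was issued for is an assumption beyond the text.

```python
import hashlib
import hmac
import secrets

def _pw_hash(password):  # salted hash: the AAA server never stores the password itself
    return hashlib.sha256(b"constructed-salt:" + password.encode()).hexdigest()

class AAAServer:
    def __init__(self, users):  # users: {username: password}, constructed sample data
        self._users = {u: _pw_hash(p) for u, p in users.items()}
        self._tokens = {}  # login token -> (username, app_id)

    def authenticate(self, username, password):  # identity authentication (step 301)
        stored = self._users.get(username)
        return stored is not None and hmac.compare_digest(stored, _pw_hash(password))

    def issue_token(self, username, app_id):  # the login credential handed to the app
        token = secrets.token_hex(16)
        self._tokens[token] = (username, app_id)
        return token

    def verify_token(self, token, app_id):
        # Assumption beyond the text: a token is bound to the app it was issued for
        return self._tokens.get(token, (None, None))[1] == app_id

class AppAuthorizationServer:
    def __init__(self, allowed):  # configured third-party application list per user
        self._allowed = allowed

    def app_list(self, username):  # step 302 response
        return set(self._allowed.get(username, ()))

class AuthenticationClient:
    def __init__(self, aaa, authz):
        self.aaa, self.authz = aaa, authz
        self.username, self.authenticated, self.app_list = None, False, set()

    def login(self, username, password):  # steps 301 and 302
        self.authenticated = self.aaa.authenticate(username, password)
        if self.authenticated:
            self.username, self.app_list = username, self.authz.app_list(username)
        return self.authenticated

    def on_app_start(self, app_id):  # steps 303 to 305, reached through the app's SDK
        if not self.authenticated:
            return ("not_authenticated", None)  # client must run steps 301/302 first
        if app_id not in self.app_list:
            return ("no_permission", None)  # not in the third-party application list
        return ("login_credential", self.aaa.issue_token(self.username, app_id))

def service_server_login(aaa, app_id, token):  # service server verifies with the AAA server
    return "login_success" if aaa.verify_token(token, app_id) else "login_failure"

def run_scenario():
    aaa = AAAServer({"alice": "correct horse"})
    authz = AppAuthorizationServer({"alice": {"APP1", "APP2"}})  # APP3 is not authorized
    client = AuthenticationClient(aaa, authz)
    out = {"before_login": client.on_app_start("APP1")[0]}
    out["login"] = client.login("alice", "correct horse")
    kind, token1 = client.on_app_start("APP1")
    out["app1"] = (kind, service_server_login(aaa, "APP1", token1))
    out["app3"] = client.on_app_start("APP3")[0]
    out["app2_at_server1"] = service_server_login(aaa, "APP1", client.on_app_start("APP2")[1])
    return out
```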
Based on the same inventive concept as the above method, an embodiment of the present invention further provides an authentication client. The authentication client and multiple third-party applications run on a terminal device, and the multiple third-party applications correspond to the same user credential. As shown in Fig. 4, the authentication client specifically includes:
an authentication module 11, for performing identity authentication using the user credential;
an acquisition module 12, for obtaining the third-party application list corresponding to the user credential, where the third-party application list records the third-party applications that perform identity authentication using the user credential;
a judgment module 13, for judging, after a third-party application starts and if the authentication module has authenticated successfully, whether the third-party application is recorded in the third-party application list;
a sending module 14, for notifying the third-party application of its login credential when the judgment result is yes, so that the third-party application uses the login credential to perform login authentication with the service server.
The authentication module 11 is specifically used to perform identity authentication with the AAA server using the user credential, and to receive an identity-authentication-successful or identity-authentication-unsuccessful response message from the AAA server.
The acquisition module 12 is specifically used to send to the application authorization server a message requesting the list of third-party applications that have permission to use the user credential, and to receive from the application authorization server a response message carrying the third-party application list; where the application authorization server is configured with the third-party application list of the third-party applications that are allowed to perform identity authentication using the user credential.
The sending module 14 is further used to, after it has been judged whether the third-party application is recorded in the third-party application list, and if the third-party application is not recorded in the third-party application list, notify the third-party application that it has no permission to use the user credential, so that the third-party application learns that it cannot perform identity authentication using the user credential.
In the embodiment of the present invention, the user credential includes username information and password information, and the login credential is a login token or a Cookie identifier.
The modules of the apparatus of the present invention may be integrated together or deployed separately. The above modules may be merged into one module, or further split into multiple submodules.
From the above description of the embodiments, those skilled in the art can clearly understand that the present invention may be implemented by software plus the necessary general-purpose hardware platform, and of course also by hardware, but in many cases the former is the better implementation. Based on this understanding, the technical solution of the present invention, in essence or in the part that contributes to the prior art, may be embodied in the form of a software product, which is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, a network device or the like) to execute the method described in each embodiment of the present invention. Those skilled in the art will appreciate that the drawings are merely schematic diagrams of a preferred embodiment, and that the modules or flows in the drawings are not necessarily required for implementing the present invention. Those skilled in the art will appreciate that the modules in the apparatus of an embodiment may be distributed in the apparatus of the embodiment as described, or may be relocated accordingly so as to reside in one or more apparatuses different from the present embodiment. The modules of the above embodiment may be merged into one module, or further split into multiple submodules. The serial numbers of the embodiments of the present invention are for description only and do not indicate the merits of the embodiments. The above are only several specific embodiments of the present invention; however, the present invention is not limited thereto, and any variation that those skilled in the art can conceive of shall fall within the protection scope of the present invention.