Technical field
The present invention relates to the technical field of identity authentication, and in particular to an identity authentication service method and system based on heterogeneous terminals.
Background
At present, with the development of the wireless Internet and the Internet of Things, more and more application scenarios require identity authentication. Users need to log in on different devices and usually also need to register with different applications, which is very cumbersome, and the many user names and passwords are hard to remember. The development of OAuth has made it possible to improve login to third-party applications: when logging in to a third-party application, a user can choose to log in with OAuth and reach the application through it, so the user can grant the third-party application access to user information without registering with it. However, OAuth still requires the user to enter a user name and password on the OAuth authorization page, so a certain security risk remains along with the manual step of filling in the user name and password, and both the level of security and the user experience leave room for improvement. Secondly, an OAuth service is usually deployed in the same software environment on the same terminal device, so authorization cannot be performed across platforms and software environments, and the portability of mobile terminals and their integrated biometric capabilities cannot be exploited for user identification.
As biometric technology matures, authentication can also be integrated into terminals. The best-known case is fingerprint recognition on mobile phones, which lets users unlock the phone conveniently, while iris, vein and face recognition are also maturing and being integrated into smart terminals. At present the main application is merely unlocking the phone; for biometric technology this range of application is too narrow, and the technology is not well exploited.
OAuth 2.0 is currently one of the most popular API access control models. As an open authorization standard, it is widely used to solve flexible cross-domain and third-party authorization on open cloud platforms. However, most authorization servers and resource servers that implement OAuth 2.0 still use traditional authentication based on user name and password, which has limitations. On the one hand, the authorization server must manage authorization information such as authorization codes and access tokens as well as authentication information such as user names and passwords, which raises the platform's development, maintenance and user management costs and affects user experience and system efficiency; on the other hand, authentication based on user name and password is not very secure and is easily broken by dictionary or brute-force attacks.
The FIDO Alliance was founded in July 2012 with the aim of meeting market demand, unifying industry standards and connecting the upstream and downstream of the industry chain, thereby promoting the development of identity authentication technology. The online identity authentication scheme based on biometrics proposed by the FIDO (Fast Identity Online) Alliance achieves user authentication that is highly secure yet very convenient through biometric technologies such as fingerprint, face and voiceprint recognition, and has gained attention and recognition across industries. At the end of 2014 the alliance released two protocol specifications, U2F (Universal Second Factor protocol) and UAF (Universal Authentication Framework protocol). The U2F scheme protects user accounts and privacy with two factors (a password and a hardware device); the UAF scheme uses biometric recognition to strengthen account security. Both schemes simplify the user experience, improve security and protect privacy, allow secure access to applications without a password, and have broad extensibility and development potential.
UAF is a general solution for online identity authentication based on biometric recognition. It is the first open industry-standard scheme for online digital authentication; it supports biometric methods such as fingerprint, voice, pupil and face, and verifies the user directly without entering a user name or password. Its outstanding feature is that it decouples the authentication means from the authentication protocol: the terminal may use any authentication method it supports, while only one standard authentication protocol is needed between the terminal and the service to verify the user. Because diverse authentication methods share a unified protocol, system construction costs fall and coordination across society improves. In a traditional identity authentication system the server stores the user's password, and every authentication submits the credentials to the server for comparison. UAF divides the process into two steps: 1) the local terminal device authenticates the user, using biometric information such as a fingerprint, voiceprint or face; 2) after that succeeds, the server verifies the device by means of a public/private key pair. This protocol, in which the terminal device first authenticates the user and the back-end service then authenticates the device, has high extensibility and compatibility.
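The two-step UAF flow described above, as an added example that is not part of the patent and not FIDO's own code: a terminal-side authenticator performs local user verification and only then signs the server's challenge with its device key, and the server verifies that signature against the public key it registered for the user, consuming the challenge so the assertion cannot be replayed. It assumes Ed25519 device keys, an exact-match check on a constructed biometric template standing in for real fuzzy matching, and a hypothetical relying-party identifier `https://rp.example`; real UAF assertions carry more fields (attestation, counters, facet IDs) than this simplified signed message.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// appID is the hypothetical relying-party identifier bound into each assertion.
const appID = "https://rp.example"

// Device models the terminal-side authenticator. The private key never leaves
// the device; the enrolled biometric is kept only as a hash of a constructed
// template, since real biometric matching is fuzzy and out of scope here.
type Device struct {
	priv         ed25519.PrivateKey
	enrolledHash [32]byte
}

// NewDevice generates the device key pair and enrols a biometric template.
// It returns the device and the public key the server will register.
func NewDevice(template []byte) (*Device, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Device{priv: priv, enrolledHash: sha256.Sum256(template)}, pub
}

// Authenticate is UAF step 1: local user verification. Only when the presented
// sample matches the enrolled one does the device sign the server's challenge,
// producing the assertion used in step 2.
func (d *Device) Authenticate(sample, challenge []byte) ([]byte, error) {
	if sha256.Sum256(sample) != d.enrolledHash {
		return nil, errors.New("local user verification failed")
	}
	return ed25519.Sign(d.priv, signedMessage(challenge)), nil
}

// signedMessage binds the challenge to the relying party so an assertion for
// one application cannot be presented to another.
func signedMessage(challenge []byte) []byte {
	return append([]byte(appID+"|"), challenge...)
}

// UAFServer keeps the registered public key and the outstanding challenge per
// user; it never sees biometric data.
type UAFServer struct {
	keys       map[string]ed25519.PublicKey
	challenges map[string][]byte
}

func NewUAFServer() *UAFServer {
	return &UAFServer{keys: map[string]ed25519.PublicKey{}, challenges: map[string][]byte{}}
}

// Register stores the device public key for a user (UAF registration phase).
func (s *UAFServer) Register(userID string, pub ed25519.PublicKey) {
	s.keys[userID] = pub
}

// NewChallenge issues a fresh random challenge for one authentication attempt.
func (s *UAFServer) NewChallenge(userID string) []byte {
	ch := make([]byte, 32)
	if _, err := rand.Read(ch); err != nil {
		panic(err)
	}
	s.challenges[userID] = ch
	return ch
}

// VerifyAssertion is UAF step 2: the server checks the device's signature over
// the outstanding challenge with the registered public key. The challenge is
// consumed whether or not verification succeeds, so a captured assertion
// cannot be replayed.
func (s *UAFServer) VerifyAssertion(userID string, sig []byte) bool {
	pub, haveKey := s.keys[userID]
	ch, haveChallenge := s.challenges[userID]
	delete(s.challenges, userID)
	if !haveKey || !haveChallenge {
		return false
	}
	return ed25519.Verify(pub, signedMessage(ch), sig)
}

func main() {
	srv := NewUAFServer()
	dev, pub := NewDevice([]byte("constructed-fingerprint-template"))
	srv.Register("alice", pub)
	ch := srv.NewChallenge("alice")
	sig, err := dev.Authenticate([]byte("constructed-fingerprint-template"), ch)
	fmt.Println("local verification error:", err)
	fmt.Println("server accepts assertion:", srv.VerifyAssertion("alice", sig))
	fmt.Println("replay accepted:", srv.VerifyAssertion("alice", sig))
}
```

The point to notice is what each side holds: the server stores only a public key and a one-time challenge, so a breach of the server exposes no biometric template and no reusable secret, which is exactly the property the page contrasts with password databases.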
Existing identity authentication systems cannot truly identify and verify the identity of the user, and rely heavily on wired networks. Authorization services based on biometric authentication are already widely used in service systems. However, biometric authentication can only determine whether the user is the same person as the registrant; it cannot verify the registrant's real identity, and so cannot meet the requirements of usage scenarios with higher security levels.
Summary of the invention
The identity authentication service method and system based on heterogeneous terminals provided by the present invention solve the problems that, in the traditional OAuth approach, the user must manually enter a user name and password every time, and that OAuth cannot authorize across devices.
The identity authentication service method based on heterogeneous terminals provided by the present invention comprises the following steps:
a resource server obtains the configuration information of an authorization server; the resource server registers a resource set with the authorization server and configures an authorization policy;
a user accesses the resource set through a client; the authorization server determines whether the user is a registered user and, if not, prompts the user to register; if so, it determines according to the authorization policy whether the resource owner must confirm the authorization, proceeding to the next step if not and having the resource owner confirm the authorization if so; wherein a registered user is a user already registered on the authorization server;
the user accesses the resource set with an access token, wherein the access token is issued by the authorization server;
the resource server determines, according to the verification method for the access token, whether the user has been authorized, returning the resource set to the user if so and not returning it otherwise; wherein the verification method for the access token is agreed between the resource server and the authorization server.
Optionally, before the resource server obtains the configuration information of the authorization server, the method further comprises: the resource owner selects an authorization server and introduces it to the resource server, and the resource server obtains the URL of the authorization server.
Optionally, the authorization server determining whether the user is a registered user further comprises: the authorization server prompts the user to authenticate by face recognition; if the user consents to the authorization, a photograph is taken and uploaded to the authorization server; the authorization server performs a person-credential match (comparing the live face against the registered identity credential) and determines from its result whether the user is a registered user.
Optionally, the authorization server performing the person-credential match further comprises: the authorization server uses a device equipped with FIDO UAF to extract and compare biometric feature values.
Optionally, the resource server registering the resource set with the authorization server further comprises: the authorization server assigns a unique identifier to the resource set and returns it to the resource server together with a URL.
Optionally, the user accessing the resource set with the access token further comprises: the access token contains the user's final access rights.
The present invention also provides an identity authentication service system based on heterogeneous terminals, comprising:
an authentication and authorization service module for providing authentication and authorization services, comprising a resource server module, an authentication server module and an authorization server module;
a resource owner module for selecting an authorization server module, introducing the resource server module to the authorization server module, confirming authorization for a user module, and returning the resource set to an authorized user module;
a user module for registering with the authorization server module, presenting claims to the authentication server module for identity authentication, obtaining an access token issued by the authorization server module, and accessing the resource set of the resource server with the access token.
Optionally, the resource server module is further configured to obtain the configuration information of the authorization server module, agree with the authorization server on the method for generating and verifying access tokens, register the resource set with the authorization server module, and configure the authorization policy.
Optionally, the authentication server module is further configured to authenticate the user and return the authentication result for the user to the authorization server module.
Optionally, the authorization server module is further configured to register the user and to decide, according to the authentication server module's result for the user, whether to issue an access token to the user.
The technical solution provided by the present invention has the following beneficial effects:
The present invention also provides an identity authentication service method and system based on heterogeneous terminals in which the OAuth authorization step is moved onto a heterogeneous mobile smart terminal and the terminal's built-in biometric functions, including fingerprint, vein, iris and face recognition, are used to obtain the user's biometric information, identify the user by it, and use the recognition result as the authorization. Users can authorize third-party applications by presenting their biometrics on the mobile terminal, which greatly eases the use of third-party applications. Combined with a positioning system that obtains the user's location and time, the security and convenience of the authorization service are improved without added hardware cost, and the applicability and scalability of the system are enhanced.
Description of the drawings
FIG. 1 is a system architecture diagram of the identity authentication service method and system based on heterogeneous terminals of the present invention.
FIG. 2 is a flow chart of the identity authentication service in the identity authentication service method and system based on heterogeneous terminals of the present invention.
Detailed description
To facilitate understanding of the present invention, it is described more fully below with reference to the accompanying drawings, in which a preferred embodiment is shown. The invention may, however, be embodied in many different forms and is not limited to the embodiments described here; rather, these embodiments are provided so that the disclosure of the invention is thorough and complete.
Unless otherwise defined, all technical and scientific terms used here have the meaning commonly understood by a person skilled in the technical field of the invention. The terms used in this description serve only to describe specific embodiments and are not intended to limit the invention. The term "and/or" as used here includes any and all combinations of one or more of the associated listed items.
In the identity authentication service method and system based on heterogeneous terminals provided by the embodiment of the present invention, the system part comprises an authentication and authorization service module, a resource owner module and a user module; the overall architecture is shown in FIG. 1, where the authentication and authorization service module consists of a resource server module, an authentication server module and an authorization server module. The main operational flow of the system is as follows. Through the client of a third-party application, the user module requests access to a resource set that a resource owner module has stored in a domain's cloud service; the resource server module of that domain directs the user module to the authentication server module. When the authentication server module provides authentication for the user module, it must ask the user module to authenticate and whether it consents to the authorization; the user module authenticates through its built-in biometric sensor and consents. The authorization server module decides whether to issue an access token based on the result of authenticating the third-party application together with the result returned by the authentication server for the identity of the user module. Once the client of the third-party application has obtained a valid access token, the user module uses it to request the resource from the resource server module.
In the identity authentication service method and system based on heterogeneous terminals provided by the embodiment of the present invention, the identity authentication service system mainly comprises a terminal SDK and an authentication and authorization service platform. The platform exposes authentication and authorization services externally; the resource owner configures authorization policies on the authorization server, applying different policies to different resources, where a resource means not only a visible resource but may also be a grant of permission. Users register on the platform that provides authentication and authorization, registering a user account, biometric information and the terminal used for authorization; the biometric information is validated through a third-party platform. When a user accesses a protected resource through the client, the user chooses to log in and authorize through the authentication service; the system prompts the user to authorize, and if the user consents, biometric information is captured on the terminal and uploaded to the authentication server, which compares it to determine whether this is the registered user in person. The system service then determines according to the configured policy whether the resource owner must also confirm; if so, the resource owner confirms the authorization. After confirmation the authorization server issues an access token to the client, and the client uses the token to obtain the resource. By extending the identity authentication service to mobile terminal devices and authenticating with devices that capture personal characteristics, such as the device camera, the embodiment provides the user with a convenient and secure authentication experience.
The authentication and authorization service platform of the embodiment of the present invention mainly comprises a resource server and an authorization server. It serves resource owners, clients and users, where the user and the resource owner may be the same person. The resource owner manages the relationship between the authorization server and the resource server, and allows third-party applications to access resources by setting policies. The user controls the client of the third-party application and can obtain the relevant resources by presenting claims, including client information and user information, that satisfy the requirements set by the resource owner.
The identity authentication service method based on heterogeneous terminals provided by the embodiment of the present invention comprises the following steps:
Step S1: a resource server obtains the configuration information of an authorization server; the resource server registers a resource set with the authorization server and configures an authorization policy;
Step S2: a user accesses the resource set through a client; the authorization server determines whether the user is a registered user and, if not, prompts the user to register; if so, it determines according to the authorization policy whether the resource owner must confirm the authorization, proceeding to the next step if not and having the resource owner confirm the authorization if so; wherein a registered user is a user already registered on the authorization server;
Step S3: the user accesses the resource set with an access token, wherein the access token is issued by the authorization server;
Step S4: the resource server determines, according to the verification method for the access token, whether the user has been authorized, returning the resource set to the user if so and not returning it otherwise; wherein the verification method for the access token is agreed between the resource server and the authorization server.
The resource owner selects the authorization server of the authentication service and introduces the resource server to it, and the resource server obtains the URL of the authorization server. The resource server obtains the configuration information of the authorization server, registers itself as a client of the authorization server, and agrees with the authorization server on how subsequent access tokens are generated and verified.
The resource server registers its resource sets with the authorization server; the request contains the details of each resource set it wants to protect. The authorization server assigns a unique identifier to the resource set and returns it to the resource server together with a URL; the resource server can direct the resource owner to that URL, where the owner can interactively manage the policies associated with the resource set. The resource server can use the HTTP GET, PUT and DELETE methods to read, update and delete its resources respectively.
The resource owner configures authorization policies on the authorization server; different resources require different authentication, and users and their clients must present a set of claims that satisfies the policy. If no policy is configured for a resource set, that resource set is treated as inaccessible. Once the policy is set, the resource owner can usually step away; when a user attempts to access the resource, the owner is needed again only if the authorization policy requires the owner's authorization.
The user registers with the authorization server of the system service using biometric information.
Through the client, the user selects a resource set and attempts to access the resource server without authorization. From the context of this initial HTTP request the resource server knows which resource set the client is trying to access, and hence the corresponding resource owner and which claims the authorization server requires.
The authorization server of the authentication service prompts the user to authenticate by face recognition. If the user consents to the authorization, the user takes a photograph of their face with a camera-equipped electronic terminal and uploads it to the authorization server; if not, the user cancels or does nothing.
The person-credential verification service in the authorization server uses a device equipped with FIDO UAF to extract and compare biometric feature values; this is referred to as the person-credential match.
Based on the result of the person-credential match, the system determines whether this is the registered user in person. If so, it determines from the configured policy whether the resource owner must also confirm the authorization; if confirmation is needed, the system notifies the resource owner to confirm by SMS, e-mail, application push notification (received by the terminal SDK) or similar means.
The authorization server issues an access token to the client; the token contains the client's final access rights. The user attempts to access the resource server with the access token to obtain the resource. The resource server uses the token verification method agreed with the authorization server to determine whether the user has been authorized and, if so, returns the resource to the client.
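The resource-set registration, policy check and token issuance and verification described in steps S1 to S4 above (and in the summary of the invention), as an added example that is neither the patent's nor any product's code. It assumes a hypothetical token format (base64url JSON payload plus HMAC-SHA256 under a key the two servers share, standing in for the "agreed verification method"), a hypothetical policy-management URL scheme on `as.example`, and integer assurance levels representing the page's password and face-match authentication; the person-credential match itself is represented only by the level the client presents as a claim.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

const LevelPassword, LevelFaceMatch = 1, 2 // assurance levels from the page: password (weak), face match (strong)

// Policy is configured by the resource owner per resource set on the
// authorization server; a set with no policy is inaccessible.
type Policy struct {
	MinLevel         int  // lowest assurance level accepted
	NeedOwnerConfirm bool // the owner must confirm each access
}

// TokenPayload carries the final access right.
type TokenPayload struct {
	Sub, RSID, Scope string
	Exp              int64
}

// AuthServer issues tokens; the verification method agreed with the resource
// server is HMAC-SHA256 over the JSON payload under a shared key (hypothetical).
type AuthServer struct {
	key      []byte
	users    map[string]bool
	policies map[string]*Policy // resource set ID -> policy (nil: unconfigured)
}

func NewAuthServer(key []byte) *AuthServer {
	return &AuthServer{key: key, users: map[string]bool{}, policies: map[string]*Policy{}}
}

// RegisterResourceSet (S1): assign a unique ID and return it with the URL at
// which the owner manages the set's policy (hypothetical URL scheme).
func (a *AuthServer) RegisterResourceSet() (id, policyURL string) {
	b := make([]byte, 8)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	id = enc(b)
	a.policies[id] = nil
	return id, "https://as.example/resource_set/" + id + "/policy"
}

func (a *AuthServer) SetPolicy(id string, p Policy) { a.policies[id] = &p }
func (a *AuthServer) RegisterUser(userID string)   { a.users[userID] = true }

// Authorize (S2, S3): check registration and policy against the claims the client presents, then issue the token.
func (a *AuthServer) Authorize(rsID, userID string, level int, ownerOK bool, now time.Time) (string, error) {
	p, ok := a.policies[rsID]
	switch {
	case !a.users[userID]:
		return "", errors.New("not a registered user: registration required")
	case !ok || p == nil:
		return "", errors.New("resource set unknown or has no policy: inaccessible")
	case level < p.MinLevel:
		return "", errors.New("assurance level below policy minimum")
	case p.NeedOwnerConfirm && !ownerOK:
		return "", errors.New("waiting for resource owner confirmation")
	}
	body, _ := json.Marshal(TokenPayload{userID, rsID, "read", now.Add(10 * time.Minute).Unix()})
	return enc(body) + "." + enc(mac(a.key, body)), nil
}

// Fetch is the resource server side (S4): verify the token with the agreed method, then return the set it names.
func Fetch(key []byte, data map[string][]string, token, rsID string, now time.Time) ([]string, error) {
	parts := strings.SplitN(token, ".", 2)
	body, e1 := base64.RawURLEncoding.DecodeString(parts[0])
	sig, e2 := base64.RawURLEncoding.DecodeString(parts[len(parts)-1])
	if len(parts) != 2 || e1 != nil || e2 != nil || !hmac.Equal(sig, mac(key, body)) {
		return nil, errors.New("token malformed or signature invalid")
	}
	var p TokenPayload
	if err := json.Unmarshal(body, &p); err != nil || p.Exp < now.Unix() || p.RSID != rsID {
		return nil, errors.New("token expired or not for this resource set")
	}
	return data[rsID], nil
}

func mac(key, body []byte) []byte { m := hmac.New(sha256.New, key); m.Write(body); return m.Sum(nil) }
func enc(b []byte) string         { return base64.RawURLEncoding.EncodeToString(b) }

func main() {
	key, now := []byte("constructed-shared-key"), time.Now()
	as := NewAuthServer(key)
	id, url := as.RegisterResourceSet()
	as.SetPolicy(id, Policy{MinLevel: LevelFaceMatch, NeedOwnerConfirm: true})
	as.RegisterUser("alice")
	tok, err := as.Authorize(id, "alice", LevelFaceMatch, true, now)
	fmt.Println(url, err)
	fmt.Println(Fetch(key, map[string][]string{id: {"report.pdf"}}, tok, id, now))
}
```

Two checks matter beyond the signature: the token names the resource set it was issued for, so a token obtained for one set cannot be presented for another, and it expires, so a leaked token has a bounded lifetime. The ordering of the checks in `Authorize` mirrors the page: registration first, then the policy (an unconfigured set is inaccessible), then assurance level, then owner confirmation.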
在整个过程中,资源拥有者的个人信息和用户的个人信息都没有被透露给资源服务器或客户端;另外,资源拥有者和用户也没有相互透露敏感的个人信息。用户只需要最小限度地提供证明信息,满足资源拥有者设置的策略可以访问资源。在这里授权服务器担任着身份注册和验证的角色,而用户又不需要同现实中出示身份证件给第三方,用户只需提取生物识别信息发送给授权服务器,由授权服务器完成身份核实,避免了现实生活中个人信息泄露给第三方的问题。During the whole process, neither the resource owner's personal information nor the user's personal information is disclosed to the resource server or the client; in addition, the resource owner and the user do not disclose sensitive personal information to each other. Users only need to provide minimum proof information, and can access resources if they meet the policy set by the resource owner. Here, the authorization server plays the role of identity registration and verification, and the user does not need to present the identity certificate to the third party in reality. The user only needs to extract the biometric information and send it to the authorization server, and the authorization server completes the identity verification, avoiding the reality. The problem of personal information leakage to third parties in daily life.
本发明实施例的基于异构终端的身份认证服务方法及系统,在客户端中添加GPS模块,通过无线网路,连接远程服务器,结合定位服务器获取地理位置信息,获取的被认证人所在的地理位置信息和时间信息,作为用户信息的一部分。根据客户端获取的用户位置信息的识别,提取位置识别的特征集,利用识别出位置信息所编码的特征向量进行身份认证。In the identity authentication service method and system based on heterogeneous terminals in the embodiment of the present invention, a GPS module is added to the client, connected to a remote server through a wireless network, combined with a positioning server to obtain geographical location information, and the geographical location of the authenticated person is obtained. Location information and time information, as part of user information. According to the identification of the user's location information obtained by the client, the feature set of location identification is extracted, and the feature vector encoded by the identified location information is used for identity authentication.
本发明实施例的基于异构终端的身份认证服务方法及系统,采取结合FIDO架构的认证方式来加强OAuth2.0协议的安全性,一方面可以提供健全的身份认证方式,以满足安全性、用户体验等需求;另一方面可以实现用户资料的共享,节约网络资源,降低平台的开发维护与用户管理成本。The identity authentication service method and system based on heterogeneous terminals in the embodiment of the present invention adopts the authentication method combined with the FIDO architecture to strengthen the security of the OAuth2.0 protocol. On the one hand, it can provide a sound identity authentication method to meet the needs of security, user Experience and other needs; on the other hand, it can realize the sharing of user data, save network resources, and reduce the development and maintenance of the platform and user management costs.
本发明实施例的基于异构终端的身份认证服务方法及系统,通过将OAuth授权的步骤转移到异构的移动智能终端上,并通过智能终端所带的生物识别功能,包含指纹,静脉,虹膜、人脸等各种生物识别方式,获取用户的生物识别信息,通过生物识别信息识别用户,并将识别结果作为授权方式,从而用户可以减少或免除在传统的OAuth方式中手动输入用户名和密码的次数,以及解决OAuth不能跨设备授权的缺点,用户可以在移动终端上识别自己的生物特征进行第三方应用的授权,极大地方便了用户在第三方应用的使用。The identity authentication service method and system based on heterogeneous terminals in the embodiment of the present invention transfers the steps of OAuth authorization to heterogeneous mobile smart terminals, and uses the biometric identification functions carried by smart terminals, including fingerprints, veins, and irises. , face and other biometric methods, obtain the user's biometric information, identify the user through the biometric information, and use the recognition result as an authorization method, so that the user can reduce or eliminate the need to manually enter the user name and password in the traditional OAuth method The number of times, and to solve the shortcoming that OAuth cannot authorize across devices, users can identify their own biometrics on the mobile terminal to authorize third-party applications, which greatly facilitates the use of third-party applications by users.
本发明实施例提供了一种基于异构终端的身份认证服务方法及系统,提出基于异构终端的身份认证识别与定位系统,利用生物识别的认证方式,并结合定位系统获取使用者的位置和时间信息,在不增加硬件成本的情况下提高授权服务的安全性和便捷性。当电网的工作人员在重要设施进行户外作业时,可以确保实人实证。系统设定了授权安全等级,传统账号密码等弱身份认证仍可以使用,账号密码等弱身份认证只能用于安全要求不高的授权,而人证合一等可以用于安全要求较高的场合。The embodiment of the present invention provides an identity authentication service method and system based on heterogeneous terminals, proposes an identity authentication identification and positioning system based on heterogeneous terminals, uses biometric authentication methods, and combines the positioning system to obtain the user's location and location Time information, improving the security and convenience of authorization services without increasing hardware costs. When the staff of the power grid conducts outdoor work at important facilities, it can ensure real-life evidence. The system has set authorization security levels. Weak identity authentication such as traditional account passwords can still be used. Weak identity authentication such as account passwords can only be used for authorizations with low security requirements, and the integration of personal certificates can be used for high security requirements. occasion.
The prevalence of mobile terminals such as smartphones and tablets, with a camera as standard equipment, provides a broad base of devices for face recognition, and almost everyone now carries at least one mobile terminal, so authorization security and convenience can be increased without adding hardware cost.
Person-and-ID-document verification is more secure than a single account password or a single biometric on its own. It suits not only scenarios in which the user's identity must be confirmed but also ordinary authorized logins, so it applies more widely. The system supports user-to-user authorization as well as user-to-third-party-application authorization, which makes it more extensible.
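The cross-device flow and the security-level policy described above, as an added example that is not part of the patent or any implementation of it: a third-party application on one terminal starts an authorization request, the user approves it on a registered mobile terminal after a local biometric check, and the authorization server grants only the scopes whose required assurance level the approval reaches, with the highest level additionally requiring the terminal's reported position to lie inside an assumed facility geofence. The scope names, level numbering, geofence, time limits and the use of a per-device HMAC key in place of a FIDO-style asymmetric attestation are all assumptions made for the example; a real deployment would take the assurance level from an attested authenticator result rather than from a self-reported field.

```python
"""Cross-device, biometric-assured authorization with scope levels.

Added example for this page, not the patent's own code.  Assumed: scope
names, level numbers, the facility location, HMAC device keys.
"""
import hashlib
import hmac
import json
import math
import secrets
import time

# Assurance levels reached on the mobile terminal (assumed numbering).
LEVEL_PASSWORD = 1          # traditional account and password ("weak" authentication)
LEVEL_BIOMETRIC = 2         # fingerprint / face / iris / vein check on the terminal
LEVEL_PERSON_ID_MATCH = 3   # biometric matched against an identity document

# Scope policy (hypothetical scopes): minimum level, and whether the user must be on site.
SCOPE_POLICY = {
    "profile:read": (LEVEL_PASSWORD, False),
    "workorder:read": (LEVEL_BIOMETRIC, False),
    "workorder:sign": (LEVEL_PERSON_ID_MATCH, True),
}
SITE = (39.9042, 116.4074)  # assumed facility coordinates (lat, lon)
SITE_RADIUS_M = 200.0       # geofence radius for on-site scopes
MAX_SKEW_S = 120            # tolerated clock skew of the terminal's timestamp
REQUEST_TTL_S = 300         # pending request lifetime


def canonical(obj):
    """Deterministic JSON encoding so both sides MAC the same bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign_assertion(device_secret, assertion):
    """Mobile-terminal side: MAC the approval assertion with the device key."""
    return hmac.new(device_secret, canonical(assertion), hashlib.sha256).hexdigest()


def distance_m(a, b):
    """Great-circle distance in metres between two (lat, lon) points (haversine)."""
    r = 6_371_000.0
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * r * math.asin(math.sqrt(h))


class AuthServer:
    """Authorization server shared by the initiating terminal and the mobile terminal."""

    def __init__(self, now=time.time):
        self.now = now
        self.devices = {}   # device_id -> (user_id, device_secret)
        self.pending = {}   # request_id -> pending authorization request
        self.tokens = {}    # access token -> grant

    def register_device(self, device_id, user_id, device_secret):
        self.devices[device_id] = (user_id, device_secret)

    def start(self, client_id, scopes):
        """Initiating terminal: create a short-lived, single-use request (shown to the user, e.g. as a QR code)."""
        request_id = secrets.token_urlsafe(16)
        self.pending[request_id] = {"client_id": client_id, "scopes": list(scopes),
                                    "expires": self.now() + REQUEST_TTL_S, "used": False}
        return request_id

    def approve(self, request_id, assertion, mac):
        """Mobile terminal: present a signed assertion bound to request_id; returns the grant decision."""
        def deny(reason):
            return {"ok": False, "token": None, "scopes": [], "reason": reason}

        req = self.pending.get(request_id)
        if req is None or req["used"]:
            return deny("unknown or already consumed request")
        if self.now() > req["expires"]:
            return deny("request expired")
        if assertion.get("request_id") != request_id:      # binding stops a captured approval being reused elsewhere
            return deny("assertion not bound to this request")
        dev = self.devices.get(assertion.get("device_id"))
        if dev is None:
            return deny("unregistered device")
        user_id, device_secret = dev
        if not hmac.compare_digest(sign_assertion(device_secret, assertion), mac):
            return deny("bad device signature")
        if abs(self.now() - float(assertion.get("time", 0))) > MAX_SKEW_S:
            return deny("stale assertion")

        level = int(assertion.get("level", 0))
        on_site = distance_m(tuple(assertion.get("location", (0.0, 0.0))), SITE) <= SITE_RADIUS_M
        granted = [scope for scope in req["scopes"]
                   if level >= SCOPE_POLICY.get(scope, (float("inf"), True))[0]
                   and (on_site or not SCOPE_POLICY.get(scope, (float("inf"), True))[1])]
        if not granted:
            return deny("authentication too weak for requested scopes")

        req["used"] = True                                   # single use: no replay of the same approval
        token = secrets.token_urlsafe(24)
        self.tokens[token] = {"user": user_id, "client": req["client_id"], "scopes": granted}
        return {"ok": True, "token": token, "scopes": granted, "reason": "granted"}

    def introspect(self, token):
        return self.tokens.get(token)
```

Scopes the approval does not reach are dropped rather than failing the whole request, so a password-only approval still yields a low-level token while signing a work order needs a person-and-ID-document match made on site. The request id is bound into the signed assertion, consumed on first use and expires after five minutes; without those three properties a cross-device approval can be harvested by a party who forwards a victim's QR code and keeps the resulting token.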
The above embodiments serve only to illustrate the technical solutions of the present invention, not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions recorded in the foregoing embodiments may still be modified, or some of their technical features replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present invention.
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201910925627.0A | 2019-09-27 | 2019-09-27 | Identity authentication service method and system based on heterogeneous terminal |

| Publication Number | Publication Date | Status |
|---|---|---|
| CN110535882A | 2019-12-03 | Pending |

| Country | Link |
|---|---|
| CN (1) | CN110535882A (en) |
Cited by

| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN111064718A (en)* | 2019-12-09 | 2020-04-24 | 国网河北省电力有限公司信息通信分公司 | Dynamic authorization method and system based on user context and policy |
| CN111064718B (en)* | 2019-12-09 | 2022-08-02 | 国网河北省电力有限公司信息通信分公司 | Dynamic authorization method and system based on user context and policy |
| CN111131301A (en)* | 2019-12-31 | 2020-05-08 | 江苏徐工信息技术股份有限公司 | Unified authentication and authorization scheme |
| CN111682941A (en)* | 2020-05-18 | 2020-09-18 | 上海瑾琛网络科技有限公司 | Centralized identity management, distributed authentication and authorization method based on cryptography |
| CN112202708A (en)* | 2020-08-24 | 2021-01-08 | 国网山东省电力公司 | Identity authentication method and device, electronic equipment and storage medium |
| CN115694855A (en)* | 2021-07-28 | 2023-02-03 | 中国移动通信有限公司研究院 | Authentication method, device and equipment |
| CN114329381A (en)* | 2021-12-23 | 2022-04-12 | 北京八分量信息科技有限公司 | Method and device for verifying resource access request in heterogeneous network and related products |
| CN115065717A (en)* | 2022-05-24 | 2022-09-16 | 中原银行股份有限公司 | Micro-service calling processing method and device |
| CN115134155A (en)* | 2022-06-29 | 2022-09-30 | 北京天融信网络安全技术有限公司 | Authentication method and apparatus, computer program product, electronic equipment |
| CN115514567A (en)* | 2022-09-23 | 2022-12-23 | 京东方科技集团股份有限公司 | Access method, access system, computer equipment and medium of internet of things terminal equipment |
| CN116074101A (en)* | 2023-02-15 | 2023-05-05 | 西安热工研究院有限公司 | Method for realizing service account authentication based on FIDO |
| CN116074101B (en)* | 2023-02-15 | 2024-11-15 | 西安热工研究院有限公司 | Method for realizing service account authentication based on FIDO |
Patent citations

| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN105897652A (en)* | 2014-10-21 | 2016-08-24 | 北京京航计算通讯研究所 | Standard protocol based heterogeneous terminal dynamic access method |
| CN104506562A (en)* | 2015-01-13 | 2015-04-08 | 东北大学 | Two-dimension code and face recognition fused conference identity authentication device and method |
| CN105577665A (en)* | 2015-12-24 | 2016-05-11 | 西安电子科技大学 | Identity and access control management system and method in cloud environment |
| US20180077151A1 (en)* | 2016-09-09 | 2018-03-15 | Tyco Integrated Security, LLC | Architecture For Access Management |
| CN108073630A (en)* | 2016-11-16 | 2018-05-25 | 北京京东尚科信息技术有限公司 | Service search access management method and system based on dynamic configuration |
Non-patent citations

| Title |
|---|
| 李梁磊 et al.: "An open authorization scheme based on the FIDO UAF architecture", 信息网络安全 (Netinfo Security)* |
| 沈桐 et al.: "User authentication and authorization system architecture based on OAuth 2.0, OpenID Connect and UMA", 软件 (Software)* |
Similar documents

| Publication | Title |
|---|---|
| CN110535882A (en) | Identity authentication service method and system based on heterogeneous terminal |
| US11165581B2 (en) | System for improved identification and authentication |
| CN102067555B (en) | Improved biometric authentication and identification |
| US8474017B2 (en) | Identity management and single sign-on in a heterogeneous composite service scenario |
| US9038138B2 (en) | Device token protocol for authorization and persistent authentication shared across applications |
| US9781105B2 (en) | Fallback identity authentication techniques |
| CN107210916B (en) | Conditional login promotion |
| US9137228B1 (en) | Augmenting service provider and third party authentication |
| US11025592B2 (en) | System, method and computer-accessible medium for two-factor authentication during virtual private network sessions |
| US20160337351A1 (en) | Authentication system |
| WO2017197974A1 (en) | Biometric characteristic-based security authentication method, device and electronic equipment |
| US20140354401A1 (en) | Resource management based on biometric data |
| CN112580006A (en) | Access right control method and device of multi-cloud system and authentication server |
| EP1102157A1 (en) | Method and arrangement for secure login in a telecommunications system |
| WO2014201636A1 (en) | Identity login method and device |
| WO2014131279A1 (en) | Bidirectional authorization system, client and method |
| US20250202883A1 (en) | Mobile device enabled desktop tethered and tetherless authentication |
| CN110545274A (en) | Method, device and system for a UMA service based on person-and-ID-document verification |
| CN113765655A (en) | Access control method, device, equipment and storage medium |
| CN106982221A (en) | Network authentication method, system and intelligent terminal |
| US20240305630A1 (en) | Access control to a wireless communication network by authentication based on a biometric print of a user |
| CN105656856A (en) | Resource management method and device |
| KR100736164B1 (en) | Biometric authentication system using wired/wireless terminal embedded with multi-biometric authentication information and its biometric authentication method |
| KR101294805B1 (en) | 2-channel authentication method and system based on authentication application |
| EP3343494A1 (en) | Electronic signature of transactions between users and remote providers by use of two-dimensional codes |
Legal events

| Code | Title | Description |
|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20191203 |