CN114189365A - Universal multi-tenant service authorization method and device based on field mapping - Google Patents

Universal multi-tenant service authorization method and device based on field mapping

Info

Publication number
CN114189365A
Authority
CN
China
Prior art keywords
authorization
standard
request
mapping
parameter
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202111423749.3A
Other languages
Chinese (zh)
Other versions
CN114189365B (en)
Inventor
范凌
王喆
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tezign Shanghai Information Technology Co Ltd
Original Assignee
Tezign Shanghai Information Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Tezign Shanghai Information Technology Co Ltd
Priority to CN202111423749.3A
Publication of CN114189365A
Application granted
Publication of CN114189365B
Legal status: Active (current)
Anticipated expiration

Abstract

The application discloses a field mapping-based universal multi-tenant service authorization method and device. An authorization protocol model is abstracted from the authorization flows of a plurality of standard authorization protocols; a standard input object and a standard output object of the authorization protocol model are established, and a standard request parameter and a standard return parameter of the model are defined; a mapping relation is established between the standard input object, standard output object, standard request parameter and standard return parameter and the corresponding non-standard input object, non-standard output object, non-standard request parameter and non-standard return parameter of the requesting authorization system under each SaaS tenant; and an authorization request is received, an authorization context is constructed based on the mapping relation according to the system identifier in the request to obtain an authorization result, and the result is returned. By providing an authorization protocol module, data reading is realized through field mapping and the user resource authorization process is completed. The method and device solve the technical problems of low authorization efficiency and large development effort in multi-tenant scenarios in the related art.

Description

Universal multi-tenant service authorization method and device based on field mapping
Technical Field
The application belongs to the technical field of computers, and particularly relates to a field mapping-based universal multi-tenant service authorization method and device, electronic equipment and a storage medium.
Background
At present, many enterprises have their own authorization services, but when a SaaS system needs to access a third-party authorization service, the access logic must be developed in a time-consuming and labor-intensive manner according to the corresponding documentation. In a multi-tenant scenario, the authentication access function developed for one client often cannot be reused for the next tenant; the workload of repeated development is large and errors are prone to occur.
Disclosure of Invention
A first objective of the embodiments of the present application is to provide a field mapping-based universal multi-tenant service authorization method, which is intended to solve at least one problem in the foregoing prior art.
The embodiment of the application is realized in such a way that a field mapping-based universal multi-tenant service authorization method comprises the following steps:
abstracting an authorization protocol model according to authorization processes of a plurality of standard authorization protocols;
establishing a standard input object and a standard output object of the authorization protocol model, and defining a standard request parameter and a standard return parameter of the authorization protocol model;
establishing a mapping relation between the standard input object, the standard output object, the standard request parameter and the standard return parameter, and the non-standard input object, the non-standard output object, the non-standard request parameter and the non-standard return parameter of the request authorization system under each SaaS tenant;
and receiving an authorization request, constructing an authorization context based on the mapping relation according to the system identifier in the authorization request to obtain an authorization result, and returning the authorization result.
In one embodiment, abstracting the authorization protocol model from the authorization flows of the plurality of standard authorization protocols comprises: abstracting the authorization basic information of the standard protocols from their authorization flows, and abstracting the authorization protocol model from that basic information.
In one embodiment, the authorization base information includes an authorization address, a redirection address, an application identification, and an application key.
In one embodiment, the standard input object, the standard output object, the standard request parameter, the standard return parameter, and the authorization protocol model are organized in a memory by a run-time variable pool, a data mapping table is established in a persistent layer, and the mapping relation is stored in the data mapping table.
In one embodiment, the constructing an authorization context based on the mapping relationship according to the system identifier in the authorization request to obtain an authorization result includes: and loading the data mapping table and the authorization protocol model in the persistent layer into a memory according to the system identifier in the authorization request, constructing an authorization context to obtain field mapping, and mapping the new field obtained in each step through a variable pool to obtain an authorization result.
Another objective of the embodiments of the present application is to provide a field mapping-based universal multi-tenant service authorization system, including:
the authorization protocol model building module is used for abstracting an authorization protocol model according to authorization processes of a plurality of standard authorization protocols;
the parameter definition module is used for establishing a standard input object and a standard output object of the authorization protocol model, and defining a standard request parameter and a standard return parameter of the authorization protocol model;
the mapping relation building module is used for building mapping relations among the standard input object, the standard output object, the standard request parameter and the standard return parameter, the non-standard input object, the non-standard output object, the non-standard request parameter and the non-standard return parameter of the request authorization system under each SaaS tenant;
and the authorization center module is used for receiving the authorization request, constructing an authorization context based on the mapping relation according to the system identification in the authorization request to obtain an authorization result, and returning the authorization result.
In one embodiment, abstracting the authorization protocol model from the authorization flows of the plurality of standard authorization protocols comprises: abstracting the authorization basic information of the standard protocols from their authorization flows, and abstracting the authorization protocol model from that basic information.
In one embodiment, the system further includes a data mapping table creating module, configured to organize the standard input object, the standard output object, the standard request parameter, the standard return parameter, and the authorization protocol model in a run-time variable pool in a memory, establish a data mapping table in a persistent layer, and store the mapping relationship in the data mapping table.
It is a further object of embodiments of the present application to provide an electronic device, which includes a memory and a processor, wherein the memory stores a computer program, and the computer program, when executed by the processor, causes the processor to execute the steps of the field mapping-based universal multi-tenant service authorization method.
It is yet another object of embodiments of the present application to provide a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, causes the processor to perform the steps of the field mapping-based universal multi-tenant service authorization method.
The field mapping-based universal multi-tenant service authorization method, system, electronic device and storage medium provided by the embodiment of the application abstract an authorization protocol model according to an authorization process of a plurality of standard authorization protocols; establishing a standard input object and a standard output object of the authorization protocol model, and defining a standard request parameter and a standard return parameter of the authorization protocol model; establishing a mapping relation between the standard input object, the standard output object, the standard request parameter and the standard return parameter, and the non-standard input object, the non-standard output object, the non-standard request parameter and the non-standard return parameter of the request authorization system under each SaaS tenant; and receiving an authorization request, constructing an authorization context based on the mapping relation according to the system identifier in the authorization request to obtain an authorization result, and returning the authorization result. Therefore, by providing the authorization protocol module, data reading is realized by adopting a field mapping mode, the user resource authorization process is completed, and when the tenant requests authorization, the authorization can be completed through the mapping relation directly according to the system identifier of the tenant requesting authorization. Meanwhile, a standard authorization protocol model is provided as a basic configuration item to deal with customization of various manufacturers on a data structure, so that the reusability of the model is realized in a multi-tenant scene, repeated development of the system is reduced, the workload of developers is reduced, and the development efficiency is improved.
Drawings
Fig. 1 is a flowchart illustrating an implementation of a field mapping-based universal multi-tenant service authorization method according to an embodiment of the present application;
fig. 2 is a schematic block diagram of a general multi-tenant service authorization system based on field mapping according to an embodiment of the present application;
FIG. 3 is a diagram of an exemplary system architecture that may be used with embodiments of the present application;
fig. 4 is a schematic structural diagram of a computer system suitable for implementing the terminal device or the server according to the embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application.
The terminology used in the embodiments of the present application is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in the examples of this application and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any and all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, etc. may be used to describe various information in the embodiments of the present application, the information should not be limited by these terms. These terms are only used to distinguish one type of information from another.
It should be noted that the embodiments and features of the embodiments in the present application may be combined with each other without conflict.
To further clarify the technical measures and effects taken by this application to achieve the intended purpose of the invention, the following detailed description is given, along with the accompanying drawings and preferred embodiments, of specific embodiments, structures, features and effects according to this application.
Fig. 1 shows an implementation flow of a field mapping-based universal multi-tenant service authorization method according to an embodiment of the present application, and for convenience of description, only the relevant portions of the embodiment of the present application are shown, which is detailed as follows:
a general multi-tenant service authorization method based on field mapping comprises the following steps:
s101: abstracting an authorization protocol model according to authorization processes of a plurality of standard authorization protocols;
s102: establishing a standard input object and a standard output object of the authorization protocol model, and defining a standard request parameter and a standard return parameter of the authorization protocol model;
s103: establishing a mapping relation between the standard input object, the standard output object, the standard request parameter and the standard return parameter, and the non-standard input object, the non-standard output object, the non-standard request parameter and the non-standard return parameter of the request authorization system under each SaaS tenant;
s104: and receiving an authorization request, constructing an authorization context based on the mapping relation according to the system identifier in the authorization request to obtain an authorization result, and returning the authorization result.
In step S101, the authorization protocol model is abstracted from the authorization flows of a plurality of standard authorization protocols. At present, many enterprises have their own authorization services, but when a SaaS system needs to access a third-party authorization service, the access logic must be developed in a time-consuming and labor-intensive manner according to the corresponding documentation; in a multi-tenant scenario, the authentication access function developed for one client often cannot be reused for the next tenant, the workload of repeated development is large, and errors are easy to make. The authorization protocols followed by third-party authorization systems are common ones, such as OIDC, OAuth 2.0 and SAML; the vendors differ mainly in data structures and interface paths in their implementations. Therefore, an authorization protocol model is abstracted from the authorization flows of the standard protocols, the meta information of the standard third-party authorization protocol is provided as a basic configuration item, and the authorization protocol module is thereby constructed.
In one embodiment, abstracting the authorization protocol model from the authorization flows of the plurality of standard authorization protocols comprises: abstracting the authorization basic information of the standard protocols from their authorization flows, and abstracting the authorization protocol model from that basic information. Here, the interaction flow of each standard authorization protocol is analyzed, and each protocol can be divided into the following stages:
1. AuthRequest: authorization request phase;
2. TokenRequest: token request phase;
3. TokenResponse: token return phase;
4. UserInfoRequest: user information request phase;
5. UserInfoResponse: user information return phase.
In one embodiment, the authorization base information includes an authorization address, a redirection address, an application identification, and an application key.
For example, for different standard authorization protocols, the following model can be abstracted:
[Table: the abstracted model for each standard authorization protocol, with the field mapping of each stage; rendered as an image in the original]
Therefore, when the authorization protocol model needs to be configured from the authorization flows of a plurality of standard authorization protocols, the field mapping of each stage of the protocol model can be configured according to the table above.
In step S102: and establishing a standard input object and a standard output object of the authorization protocol model, and defining a standard request parameter and a standard return parameter of the authorization protocol model. Therefore, the mapping relation construction between different standard protocols and authorization protocol models can be met.
In step S103, a mapping relationship is established between the standard input object, the standard output object, the standard request parameter, and the standard return parameter, and the non-standard input object, the non-standard output object, the non-standard request parameter, and the non-standard return parameter of the request authorization system under each SaaS tenant. Therefore, the purpose of quick authorization can be achieved by setting system identifications of request authorization systems of different SaaS tenants and analyzing the mapping relation.
Further, the standard input object, the standard output object, the standard request parameter, the standard return parameter and the authorization protocol model are organized in a memory by a variable pool during operation, a data mapping table is established in a persistent layer, and the mapping relation is stored in the data mapping table.
In step S104: and receiving an authorization request, constructing an authorization context based on the mapping relation according to the system identifier in the authorization request to obtain an authorization result, and returning the authorization result. Therefore, the authorization process can be completed, and the tenant can directly access the protected information resource interface through the returned authorization result.
Further, the constructing an authorization context based on the mapping relationship according to the system identifier in the authorization request to obtain an authorization result includes: and loading the data mapping table and the authorization protocol model in the persistent layer into a memory according to the system identifier in the authorization request, constructing an authorization context to obtain field mapping, and mapping the new field obtained in each step through a variable pool to obtain an authorization result. Therefore, in the whole authorization process, parameter mapping and standard authorization protocol model information in the persistent layer can be loaded into a memory according to the system identifier requesting authorization, an authorization context is constructed, the obtained new field is mapped through a variable pool in each step, an authorization result is finally obtained, and the tenant can directly access the protected information resource interface through the returned authorization result.
Specifically, taking a code-scanning authorization login scenario that follows the standard OIDC protocol as an example, the following specific embodiment can be implemented:
The authorization includes all of the following phases: the AuthRequest authorization request phase, the TokenRequest token request phase, the TokenResponse token return phase, the UserInfoRequest user information request phase and the UserInfoResponse user information return phase; the field mapping of each phase of the protocol can be configured through the established authorization protocol model.
After the authorization protocol model is constructed, it is implemented in memory through Java code, for example:
[Java code of the in-memory authorization protocol model; rendered as an image in the original]
Further, the model is abstracted by the following example:
[Model abstraction example; rendered as an image in the original]
Further, the field mapping is abstracted by the following example:
[Field mapping example; rendered as an image in the original]
Further, when an authorization request is received, the parameter mapping and the standard authorization protocol model information in the persistent layer are loaded into memory according to the system identifier of the requesting system, an authorization context is constructed, the new field obtained in each step is mapped through the variable pool, an authorization result is finally obtained, and the tenant can directly access the protected information resource interface through the returned authorization result.
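The following engine is an added illustration of steps S101 to S104 and of the OIDC scan-login embodiment above; it is not the patent's Java code. It assumes constructed names (a tenant `tenant-a`, a simulated identity provider with non-standard field names such as `appid`, `accessToken` and `openid`) and models the five phases, the standard parameters, the per-tenant data mapping table keyed by system identifier, and the per-request variable pool:

```python
import secrets
from dataclasses import dataclass
from typing import Any, Dict, Tuple

STANDARD = {  # standard request/return parameters of each phase of the protocol model
    "AuthRequest": ("app_id", "redirect_url", "state"),
    "TokenRequest": ("app_id", "app_key", "code"),
    "TokenResponse": ("access_token",),
    "UserInfoRequest": ("access_token",),
    "UserInfoResponse": ("user_id", "user_name"),
}

@dataclass
class ProtocolModel:  # authorization base information: addresses, application id and key
    auth_url: str
    redirect_url: str
    app_id: str
    app_key: str

@dataclass
class TenantMapping:
    """One data-mapping-table row: standard name -> tenant's non-standard name, per phase."""
    model: ProtocolModel
    fields: Dict[str, Dict[str, str]]

    def to_vendor(self, phase: str, pool: Dict[str, Any]) -> Dict[str, Any]:
        """Request phases: emit standard fields from the variable pool under vendor names."""
        out = {}
        for std in STANDARD[phase]:
            if std not in pool:
                raise ValueError(f"{phase}: standard field {std!r} not in variable pool")
            out[self.fields.get(phase, {}).get(std, std)] = pool[std]
        return out

    def to_standard(self, phase: str, vendor: Dict[str, Any]) -> Dict[str, Any]:
        """Response phases: pick the mapped vendor fields; unmapped extras are dropped."""
        out = {}
        for std in STANDARD[phase]:
            key = self.fields.get(phase, {}).get(std, std)
            if key not in vendor:
                raise ValueError(f"{phase}: tenant response lacks field {key!r}")
            out[std] = vendor[key]
        return out

class SimulatedIdp:
    """Constructed tenant IdP that runs the OIDC-like phases with its own field names."""
    def __init__(self) -> None:
        self.pending: Dict[str, str] = {}  # issued code -> access token

    def authorize(self, params: Dict[str, Any]) -> Tuple[str, str]:
        if {"appid", "callback", "st"} - set(params):
            raise ValueError("IdP requires appid, callback and st")
        code = "code-" + secrets.token_hex(4)
        self.pending[code] = "tok-" + secrets.token_hex(8)
        return code, params["st"]  # the redirect back carries the code and echoed state

    def token(self, body: Dict[str, Any]) -> Dict[str, Any]:
        tok = self.pending.pop(body.get("auth_code", ""), None)
        return {"accessToken": tok, "expiresIn": 3600} if tok else {"err": "invalid_code"}

    def userinfo(self, params: Dict[str, Any]) -> Dict[str, Any]:
        valid = str(params.get("token", "")).startswith("tok-")
        return {"openid": "u-42", "nick": "alice"} if valid else {"err": "invalid_token"}

class AuthorizationCenter:
    """Loads the tenant's mapping by system identifier and drives the five phases."""
    def __init__(self, table: Dict[str, TenantMapping], idps: Dict[str, SimulatedIdp]):
        self.table, self.idps = table, idps  # `table` stands in for the persistent layer

    def build_context(self, system_id: str) -> Tuple[TenantMapping, Dict[str, Any]]:
        if system_id not in self.table:
            raise PermissionError(f"unknown system identifier {system_id!r}")
        m = self.table[system_id]
        pool = {"app_id": m.model.app_id, "app_key": m.model.app_key,
                "redirect_url": m.model.redirect_url, "state": secrets.token_urlsafe(16)}
        return m, pool  # a fresh variable pool per request, so nothing leaks across tenants

    def authorize(self, system_id: str) -> Dict[str, Any]:
        m, pool = self.build_context(system_id)
        idp = self.idps[system_id]
        code, state = idp.authorize(m.to_vendor("AuthRequest", pool))
        if not secrets.compare_digest(state, pool["state"]):
            raise PermissionError("state mismatch on redirect")
        pool["code"] = code
        pool.update(m.to_standard("TokenResponse", idp.token(m.to_vendor("TokenRequest", pool))))
        pool.update(m.to_standard("UserInfoResponse", idp.userinfo(m.to_vendor("UserInfoRequest", pool))))
        return {k: pool[k] for k in ("user_id", "user_name", "access_token")}

def build_demo_center() -> AuthorizationCenter:
    """Constructed tenant 'tenant-a' whose IdP renames nearly every standard field."""
    model = ProtocolModel("https://idp.example/auth", "https://saas.example/cb", "app-123", "secret-xyz")
    mapping = TenantMapping(model, {
        "AuthRequest": {"app_id": "appid", "redirect_url": "callback", "state": "st"},
        "TokenRequest": {"app_id": "appid", "app_key": "appsecret", "code": "auth_code"},
        "TokenResponse": {"access_token": "accessToken"},
        "UserInfoRequest": {"access_token": "token"},
        "UserInfoResponse": {"user_id": "openid", "user_name": "nick"},
    })
    return AuthorizationCenter({"tenant-a": mapping}, {"tenant-a": SimulatedIdp()})
```

Calling `build_demo_center().authorize("tenant-a")` runs all five phases against the simulated tenant and returns the standard-named result; an unknown system identifier or a vendor response missing a mapped field is rejected before any partial result is returned.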
Therefore, the field mapping-based general multi-tenant service authorization method provided by the embodiment of the application abstracts an authorization protocol model through an authorization process according to a plurality of standard authorization protocols; establishing a standard input object and a standard output object of the authorization protocol model, and defining a standard request parameter and a standard return parameter of the authorization protocol model; establishing a mapping relation between the standard input object, the standard output object, the standard request parameter and the standard return parameter, and the non-standard input object, the non-standard output object, the non-standard request parameter and the non-standard return parameter of the request authorization system under each SaaS tenant; and receiving an authorization request, constructing an authorization context based on the mapping relation according to the system identifier in the authorization request to obtain an authorization result, and returning the authorization result. Therefore, by providing the authorization protocol module, data reading is realized by adopting a field mapping mode, the user resource authorization process is completed, and when the tenant requests authorization, the authorization can be completed through the mapping relation directly according to the system identifier of the tenant requesting authorization. Meanwhile, a standard authorization protocol model is provided as a basic configuration item to deal with customization of various manufacturers on a data structure, so that the reusability of the model is realized in a multi-tenant scene, repeated development of the system is reduced, the workload of developers is reduced, and the development efficiency is improved.
Fig. 2 shows a main module schematic diagram of a general multi-tenant service authorization system based on field mapping provided in an embodiment of the present application, and for convenience of description, only the parts related to the embodiment of the present application are shown, which are detailed as follows:
a general multi-tenant service authorization system 200 based on field mapping, comprising:
an authorization protocol model construction module 201, configured to abstract an authorization protocol model according to authorization procedures of multiple standard authorization protocols;
a parameter definition module 202, configured to establish a standard input object and a standard output object of the authorization protocol model, and define a standard request parameter and a standard return parameter of the authorization protocol model;
a mapping relation building module 203, used for building mapping relations among the standard input object, the standard output object, the standard request parameter and the standard return parameter, and the non-standard input object, the non-standard output object, the non-standard request parameter and the non-standard return parameter of the request authorization system under each SaaS tenant;
and an authorization center module 204, configured to receive the authorization request, construct an authorization context based on the mapping relationship according to the system identifier in the authorization request to obtain an authorization result, and return the authorization result.
For the authorization protocol model building module 201: an authorization protocol model is abstracted from the authorization flows of a plurality of standard authorization protocols. At present, many enterprises have their own authorization services, but when a SaaS system needs to access a third-party authorization service, the access logic must be developed in a time-consuming and labor-intensive manner according to the corresponding documentation; in a multi-tenant scenario, the authentication access function developed for one client often cannot be reused for the next tenant, the workload of repeated development is large, and errors are easy to make. The authorization protocols followed by third-party authorization systems are common ones, such as OIDC, OAuth 2.0 and SAML; the vendors differ mainly in data structures and interface paths in their implementations. Therefore, an authorization protocol model is abstracted from the authorization flows of the standard protocols, the meta information of the standard third-party authorization protocol is provided as a basic configuration item, and the authorization protocol module is thereby constructed.
In one embodiment, abstracting the authorization protocol model from the authorization flows of the plurality of standard authorization protocols comprises: abstracting the authorization basic information of the standard protocols from their authorization flows, and abstracting the authorization protocol model from that basic information. Here, the interaction flow of each standard authorization protocol is analyzed, and each protocol can be divided into the following stages:
1. AuthRequest: authorization request phase;
2. TokenRequest: token request phase;
3. TokenResponse: token return phase;
4. UserInfoRequest: user information request phase;
5. UserInfoResponse: user information return phase.
In one embodiment, the authorization base information includes an authorization address, a redirection address, an application identification, and an application key.
For example, for different standard authorization protocols, the following model can be abstracted:
[Table: the abstracted model for each standard authorization protocol, with the field mapping of each stage; rendered as an image in the original]
Therefore, when the authorization protocol model needs to be configured from the authorization flows of a plurality of standard authorization protocols, the field mapping of each stage of the protocol model can be configured according to the table above.
The parameter definition module 202 is configured to establish a standard input object and a standard output object of the authorization protocol model, and define a standard request parameter and a standard return parameter of the authorization protocol model. Therefore, the mapping relation construction between different standard protocols and authorization protocol models can be met.
The mapping relationship building module 203 is configured to build a mapping relationship between the standard input object, the standard output object, the standard request parameter, and the standard return parameter, and the nonstandard input object, the nonstandard output object, the nonstandard request parameter, and the nonstandard return parameter of the request authorization system under each SaaS tenant. Therefore, the purpose of quick authorization can be achieved by setting system identifications of request authorization systems of different SaaS tenants and analyzing the mapping relation.
The system further comprises a data mapping table creating module for organizing the standard input object, the standard output object, the standard request parameter, the standard return parameter and the authorization protocol model in a variable pool during operation in a memory, establishing a data mapping table in a persistent layer, and storing the mapping relation into the data mapping table.
The authorization center module 204 receives an authorization request, constructs an authorization context based on the mapping relationship according to the system identifier in the authorization request to obtain an authorization result, and returns the authorization result. Therefore, the authorization process can be completed, and the tenant can directly access the protected information resource interface through the returned authorization result.
Further, constructing an authorization context based on the mapping relationship according to the system identifier in the authorization request to obtain an authorization result includes: loading the data mapping table and the authorization protocol model from the persistent layer into memory according to the system identifier in the authorization request, constructing an authorization context to obtain the field mapping, and passing the new fields obtained in each step through a variable pool to obtain the authorization result. Thus, throughout the authorization process, the parameter mapping and the standard authorization protocol model information held in the persistent layer are loaded into memory according to the system identifier of the system requesting authorization, an authorization context is constructed, the new fields obtained in each step are mapped through the variable pool, and the authorization result is finally obtained; with the returned authorization result the tenant can directly access the protected information resource interface.
Therefore, the field mapping-based general multi-tenant service authorization system provided by the embodiment of the application abstracts an authorization protocol model from the authorization processes of a plurality of standard authorization protocols; establishes a standard input object and a standard output object of the authorization protocol model, and defines a standard request parameter and a standard return parameter of the authorization protocol model; establishes a mapping relation between the standard input object, the standard output object, the standard request parameter and the standard return parameter and the non-standard input object, the non-standard output object, the non-standard request parameter and the non-standard return parameter of the request authorization system under each SaaS tenant; and receives an authorization request, constructs an authorization context based on the mapping relation according to the system identifier in the authorization request to obtain an authorization result, and returns the authorization result. By providing the authorization protocol module, data reading is realized through field mapping and the user resource authorization process is completed, so that when a tenant requests authorization, the authorization can be completed through the mapping relation directly according to the system identifier of the tenant requesting authorization. At the same time, a standard authorization protocol model is provided as a basic configuration item to cope with the customized data structures of different vendors, so that the model is reusable in a multi-tenant scenario, repeated development of the system is reduced, the workload of developers is reduced, and development efficiency is improved.
An embodiment of the present application further provides an electronic device, including: one or more processors; and a storage device configured to store one or more programs, where, when the one or more programs are executed by the one or more processors, the one or more processors implement the field mapping-based universal multi-tenant service authorization method according to the embodiment of the present application.
The embodiment of the present application further provides a computer readable medium, on which a computer program is stored, and when the computer program is executed by a processor, the method for authorizing a universal multi-tenant service based on field mapping according to the embodiment of the present application is implemented.
Fig. 3 illustrates an exemplary system architecture 300 to which the field mapping-based general multi-tenant service authorization method or apparatus according to an embodiment of the present application may be applied.
As shown in fig. 3, the system architecture 300 may include terminal devices 301, 302, 303, a network 304, and a server 305. The network 304 serves as a medium for providing communication links between the terminal devices 301, 302, 303 and the server 305. The network 304 may include various connection types, such as wired or wireless communication links, or fiber optic cables, to name a few.
The user may use the terminal devices 301, 302, 303 to interact with the server 305 via the network 304 to receive or send messages or the like. The terminal devices 301, 302, 303 may have various communication client applications installed thereon, such as shopping applications, web browser applications, search applications, instant messaging tools, mailbox clients, social platform software, and the like.
The terminal devices 301, 302, 303 may be various electronic devices having a display screen and supporting web browsing, including but not limited to smart phones, tablet computers, laptop portable computers, desktop computers, and the like.
The server 305 may be a server providing various services, such as a background management server that provides support for the messages sent and received by the terminal devices 301, 302, 303. After receiving a request from a terminal device, the background management server may analyze and otherwise process it, and feed the processing result back to the terminal device.
It should be noted that the field mapping-based general multi-tenant service authorization method provided in the embodiment of the present application is generally executed by the server 305, and accordingly, the field mapping-based general multi-tenant service authorization apparatus is generally disposed in the server 305.
It should be understood that the number of terminal devices, networks, and servers in fig. 3 is merely illustrative. There may be any number of terminal devices, networks, and servers, as desired for implementation.
Referring now to FIG. 4, shown is a block diagram of a computer system 400 suitable for use in implementing the electronic device of an embodiment of the present application. The computer system shown in fig. 4 is only an example, and should not bring any limitation to the function and the scope of use of the embodiments of the present application.
As shown in fig. 4, the computer system 400 includes a Central Processing Unit (CPU) 401 that can perform various appropriate actions and processes in accordance with a program stored in a Read Only Memory (ROM) 402 or a program loaded from a storage section 408 into a Random Access Memory (RAM) 403. In the RAM 403, various programs and data necessary for the operation of the system 400 are also stored. The CPU 401, ROM 402, and RAM 403 are connected to each other via a bus 404. An input/output (I/O) interface 405 is also connected to bus 404.
The following components are connected to the I/O interface 405: an input section 406 including a keyboard, a mouse, and the like; an output section 407 including a display device such as a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and the like, and a speaker; a storage section 408 including a hard disk and the like; and a communication section 409 including a network interface card such as a LAN card, a modem, or the like. The communication section 409 performs communication processing via a network such as the internet. A driver 410 is also connected to the I/O interface 405 as needed. A removable medium 411 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 410 as necessary, so that a computer program read out therefrom is installed into the storage section 408 as necessary.
In particular, according to embodiments disclosed herein, the processes described above with reference to the flow diagrams may be implemented as computer software programs. For example, embodiments disclosed herein include a computer program product comprising a computer program embodied on a computer readable medium, the computer program comprising program code for performing the method illustrated by the flow chart. In such an embodiment, the computer program may be downloaded and installed from a network through the communication section 409, and/or installed from the removable medium 411. The above-described functions defined in the system of the present application are executed when the computer program is executed by the Central Processing Unit (CPU) 401.
It should be noted that the computer readable medium shown in the present application may be a computer readable signal medium or a computer readable storage medium or any combination of the two. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples of the computer readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present application, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In this application, however, a computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: wireless, wire, fiber optic cable, RF, etc., or any suitable combination of the foregoing.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The modules described in the embodiments of the present application may be implemented by software or hardware. The described modules may also be provided in a processor, which may be described as: a processor includes a determination module, an extraction module, a training module, and a screening module. Where the names of these modules do not in some cases constitute a limitation of the module itself, for example, a determination module may also be described as a "module that determines a set of candidate users".
The above-mentioned embodiments only express several embodiments of the present application, and the description thereof is more specific and detailed, but not construed as limiting the scope of the present application. It should be noted that, for a person skilled in the art, several variations and modifications can be made without departing from the concept of the present application, which falls within the scope of protection of the present application. Therefore, the protection scope of the present patent shall be subject to the appended claims.
The above description is only exemplary of the present application and should not be taken as limiting the present application, as any modification, equivalent replacement, or improvement made within the spirit and principle of the present application should be included in the protection scope of the present application.

Claims (10)

1. A universal multi-tenant service authorization method based on field mapping is characterized by comprising the following steps:
abstracting an authorization protocol model according to authorization processes of a plurality of standard authorization protocols;
establishing a standard input object and a standard output object of the authorization protocol model, and defining a standard request parameter and a standard return parameter of the authorization protocol model;
establishing a mapping relation between the standard input object, the standard output object, the standard request parameter and the standard return parameter, and the non-standard input object, the non-standard output object, the non-standard request parameter and the non-standard return parameter of the request authorization system under each SaaS tenant;
and receiving an authorization request, constructing an authorization context based on the mapping relation according to the system identifier in the authorization request to obtain an authorization result, and returning the authorization result.
2. The field mapping-based universal multi-tenant service authorization method according to claim 1, wherein abstracting the authorization protocol model according to the authorization processes of the plurality of standard authorization protocols comprises: according to the authorization processes of the plurality of standard authorization protocols, abstracting the authorization basic information of the plurality of standard authorization protocols, and abstracting the authorization protocol model according to the authorization basic information.
3. The field mapping-based universal multi-tenant service authorization method according to claim 2, wherein the authorization basic information includes an authorization address, a redirection address, an application identifier and an application key.
4. The field mapping-based universal multi-tenant service authorization method according to claim 1, further comprising: and organizing the standard input object, the standard output object, the standard request parameter, the standard return parameter and the authorization protocol model in a variable pool during operation in a memory, establishing a data mapping table in a persistent layer, and storing the mapping relation into the data mapping table.
5. The field mapping-based universal multi-tenant service authorization method according to claim 4, wherein the constructing an authorization context based on the mapping relationship according to the system identifier in the authorization request to obtain an authorization result includes: and loading the data mapping table and the authorization protocol model in the persistent layer into a memory according to the system identifier in the authorization request, constructing an authorization context to obtain field mapping, and mapping the new field obtained in each step through a variable pool to obtain an authorization result.
6. A general multi-tenant service authorization system based on field mapping is characterized by comprising:
the authorization protocol model building module is used for abstracting an authorization protocol model according to authorization processes of a plurality of standard authorization protocols;
the parameter definition module is used for establishing a standard input object and a standard output object of the authorization protocol model, and defining a standard request parameter and a standard return parameter of the authorization protocol model;
the mapping relation building module is used for building mapping relations between the standard input object, the standard output object, the standard request parameter and the standard return parameter, and the non-standard input object, the non-standard output object, the non-standard request parameter and the non-standard return parameter of the request authorization system under each SaaS tenant;
and the authorization center module is used for receiving the authorization request, constructing an authorization context based on the mapping relation according to the system identifier in the authorization request to obtain an authorization result, and returning the authorization result.
7. The field mapping-based universal multi-tenant service authorization system according to claim 6, wherein abstracting the authorization protocol model according to the authorization processes of the plurality of standard authorization protocols comprises: according to the authorization processes of the plurality of standard authorization protocols, abstracting the authorization basic information of the plurality of standard authorization protocols, and abstracting the authorization protocol model according to the authorization basic information.
8. The field mapping-based universal multi-tenant service authorization system according to claim 6, further comprising a data mapping table creation module, configured to organize the standard input object, the standard output object, the standard request parameter, the standard return parameter, and the authorization protocol model in a run-time variable pool in a memory, create a data mapping table in a persistent layer, and store the mapping relationship in the data mapping table.
9. An electronic device, comprising a memory and a processor, wherein the memory stores a computer program which, when executed by the processor, causes the processor to perform the steps of the field mapping based universal multi-tenant service authorization method of any one of claims 1 to 5.
10. A computer-readable storage medium, having stored thereon a computer program which, when executed by a processor, causes the processor to perform the steps of the field mapping based universal multi-tenant service authorization method according to any one of claims 1 to 6.
Priority Application (1)

Application Number    Priority Date    Filing Date    Title
CN202111423749.3A     2021-11-26       2021-11-26     Universal multi-tenant service authorization method and device based on field mapping (Active; granted as CN114189365B)

Publications (2)

Publication Number    Publication Date
CN114189365A          2022-03-15
CN114189365B          2024-05-28
