CN116346486A - Joint login method, device, equipment and storage medium - Google Patents

Joint login method, device, equipment and storage medium

Info

Publication number
CN116346486A
Authority
CN
China
Prior art keywords
application program
information
application
target user
key factor
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202310370873.0A
Other languages
Chinese (zh)
Inventor
骆衍华
林立志
黄思创
李冠彬
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Industrial and Commercial Bank of China Ltd ICBC
Original Assignee
Industrial and Commercial Bank of China Ltd ICBC
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Industrial and Commercial Bank of China Ltd ICBC
Priority to CN202310370873.0A
Publication of CN116346486A
Legal status: Pending (current)


Abstract

Translated from Chinese

The disclosure provides a joint login method, device, equipment and storage medium, which can be applied in the technical fields of computer communication and financial technology. The method includes: obtaining the identity token information of a first application program; encrypting the identity token information with the private key of a second application program to obtain digital signature information; when the server of the first application program has verified the digital signature information, receiving the encrypted key factor data sent by that server and decrypting it with the private key of the second application program to obtain the key factor; decrypting the encrypted attribute information of the target user with the key factor to obtain the decrypted attribute information of the target user; and, when the target user has access rights to the second application program, displaying the access page of the second application program.

Description

Joint login method, device, equipment and storage medium
Technical Field
The present disclosure relates to the field of computer communication technology and the field of financial technology, and in particular, to a joint login method, apparatus, device, medium, and program product.
Background
With the spread of Internet technology, enterprises' need for digitized information grows and the number of service systems they use increases. Accessing different service systems, however, requires logging in repeatedly, and letting one login grant access to the other service systems is difficult to realize.
In the related art, joint login is generally realized by accessing a third-party system, which requires integrating the various login schemes of the business systems of different companies.
Disclosure of Invention
In view of the foregoing, the present disclosure provides federated login methods, apparatus, devices, media, and program products.
According to a first aspect of the present disclosure, there is provided a joint login method, applied to a server of a second application program, including:
obtaining identity token information of a first application program, where the identity token information is produced by the server side of the first application program, in response to a selection operation performed on a page of the first application program on an identifier of an access page of a second application program, by encrypting the login information with which a target user logged in to the first application program; encrypting the identity token information with the private key of the second application program to obtain digital signature information; when the server side of the first application program has verified the digital signature information, receiving the encrypted key factor data sent by the server side of the first application program and decrypting it with the private key of the second application program to obtain the key factor; decrypting the encrypted attribute information of the target user with the key factor to obtain the decrypted attribute information of the target user; and, when the target user has access rights to the second application program, displaying the access page of the second application program.
According to an embodiment of the present disclosure, encrypting the identity token information by using a private key of the second application program to obtain digital signature information includes:
decrypting the identity token information to obtain the domain name information of the first application program, the identification information of the first application program and the timestamp information of the target user's login to the first application program; and encrypting the domain name information, the identification information and the timestamp information with the private key of the second application program to obtain the digital signature information.
According to an embodiment of the present disclosure, decrypting the encrypted attribute information of the target user using the key factor to obtain the decrypted attribute information of the target user includes:
verifying the encrypted attribute information of the target user with the public key of the first application program to obtain a verification result; and, when the verification result is that verification passed, decrypting the encrypted attribute information of the target user with the key factor to obtain the attribute information of the target user.
According to an embodiment of the present disclosure, verifying the encrypted attribute information of the target user with the public key of the first application program to obtain a verification result includes:
decrypting the encrypted attribute information of the target user with the public key of the first application program to obtain the attribute information of the target user and the timestamp information of the target user's login to the first application program; determining a first information interaction duration from the timestamp information and the current time information; and, when the first information interaction duration meets a preset threshold and the attribute information of the target user passes verification, determining that the verification result is that verification passed.
According to an embodiment of the present disclosure, the above method further includes:
decrypting the encrypted key factor data with the private key of the second application program to obtain the key factor and a random number; storing the random number and the key factor in association with each other; and, on receiving the random number sent by the server of the first application program, determining the key factor from the random number.
According to a second aspect of the present disclosure, there is provided a joint login method, applied to a server of a first application program, including:
in response to a selection operation performed on a page of the first application program on an identifier of an access page of a second application program, encrypting the login information with which a target user logged in to the first application program to obtain identity token information, and sending the identity token information to the server side of the second application program; receiving the digital signature information that the server of the second application program obtained by encrypting the identity token information with the private key of the second application program, and verifying the digital signature information with the public key of the second application program to obtain a verification result; when the verification result is that verification passed, encrypting a randomly generated key factor with the public key of the second application program to obtain encrypted key factor data, and sending the encrypted key factor data to the server side of the second application program; and encrypting the attribute information of the target user with the key factor to generate the encrypted attribute information of the target user, and sending the encrypted attribute information of the target user to the server side of the second application program.
According to an embodiment of the present disclosure, verifying the digital signature information by using the public key of the second application program, to obtain a verification result, includes:
decrypting the digital signature information with the public key of the second application program to obtain the identity token information and the timestamp information of the target user's login to the first application program; determining a second information interaction duration from the timestamp information and the current time information; and, when the second information interaction duration meets a preset threshold and the identity token information passes verification, determining that the verification result is that verification passed.
According to an embodiment of the present disclosure, the above method further includes:
when the verification result is that verification passed, randomly generating a random number and a key factor, and encrypting the key factor with the public key of the second application program to obtain encrypted key factor data; and sending the encrypted key factor data and the random number to the server of the second application program.
A third aspect of the present disclosure provides a federated login device applied to a server of a second application, comprising: the system comprises an acquisition module, a first encryption module, a first decryption module and a second decryption module.
The acquisition module is used to acquire the identity token information of the first application program, where the identity token information is produced by the server side of the first application program, in response to a selection operation performed on a page of the first application program on an identifier of an access page of the second application program, by encrypting the login information with which a target user logged in to the first application program. The first encryption module is used to encrypt the identity token information with the private key of the second application program to obtain digital signature information. The first decryption module is used to receive the encrypted key factor data sent by the server of the first application program once that server has verified the digital signature information, and to decrypt the encrypted key factor data with the private key of the second application program to obtain the key factor. The second decryption module is used to decrypt the encrypted attribute information of the target user with the key factor to obtain the decrypted attribute information of the target user. The display module is used to display the access page of the second application program when the target user has access rights to the second application program.
According to an embodiment of the present disclosure, the first encryption module includes a first decryption unit and an encryption unit. The first decryption unit is used to decrypt the identity token information to obtain the domain name information of the first application program, the identification information of the first application program and the timestamp information of the target user's login to the first application program. The encryption unit is used to encrypt the domain name information, the identification information and the timestamp information with the private key of the second application program to obtain digital signature information.
According to an embodiment of the present disclosure, the second decryption module includes a first verification unit and a second decryption unit. The first verification unit is used to verify the encrypted attribute information of the target user with the public key of the first application program to obtain a verification result. The second decryption unit is used to decrypt the encrypted attribute information of the target user with the key factor to obtain the attribute information of the target user when the verification result is that verification passed.
According to an embodiment of the present disclosure, the first verification unit comprises a decryption subunit, a first determination subunit and a second determination subunit. The decryption subunit decrypts the encrypted attribute information of the target user with the public key of the first application program to obtain the attribute information of the target user and the timestamp information of the target user's login to the first application program. The first determination subunit is used to determine the first information interaction duration from the timestamp information and the current time information. The second determination subunit is used to determine that the verification result is that verification passed when the first information interaction duration meets a preset threshold and the attribute information of the target user passes verification.
According to an embodiment of the present disclosure, the above apparatus further includes a third decryption module, an association storage module and a determination module. The third decryption module is used to decrypt the encrypted key factor data with the private key of the second application program to obtain the key factor and the random number. The association storage module is used to store the random number and the key factor in association with each other. The determination module is used to receive the random number sent by the server of the first application program and to determine the key factor from the random number.
A fourth aspect of the present disclosure provides a federated login device applied to a server of a first application, including: the system comprises a second encryption module, a third encryption module, a fourth encryption module and a fifth encryption module.
The second encryption module is used, in response to a selection operation performed on a page of the first application program on an identifier of an access page of the second application program, to encrypt the login information with which a target user logged in to the first application program to obtain identity token information, and to send the identity token information to the server side of the second application program. The third encryption module is used to receive the digital signature information that the server of the second application program obtained by encrypting the identity token information with the private key of the second application program, and to verify the digital signature information with the public key of the second application program to obtain a verification result. The fourth encryption module is used, when the verification result is that verification passed, to encrypt the randomly generated key factor with the public key of the second application program to obtain encrypted key factor data and to send it to the server side of the second application program. The fifth encryption module is used to encrypt the attribute information of the target user with the key factor to generate the encrypted attribute information of the target user, and to send the encrypted attribute information of the target user to the server side of the second application program.
According to an embodiment of the present disclosure, the third encryption module includes a third decryption unit, a first determination unit and a second determination unit. The third decryption unit is used to decrypt the digital signature information with the public key of the second application program to obtain the identity token information and the timestamp information of the target user's login to the first application program. The first determination unit is used to determine the second information interaction duration from the timestamp information and the current time information. The second determination unit is used to determine that the verification result is that verification passed when the second information interaction duration meets a preset threshold and the identity token information passes verification.
According to an embodiment of the present disclosure, the above apparatus further includes a sixth encryption module and a sending module.
The sixth encryption module is used to randomly generate a random number and a key factor when the verification result is that verification passed, and to encrypt the key factor with the public key of the second application program to obtain encrypted key factor data.
The sending module is used to send the encrypted key factor data and the random number to the server side of the second application program.
A fifth aspect of the present disclosure provides an electronic device, comprising: one or more processors; and a memory for storing one or more programs, wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to perform the method described above.
A fourth aspect of the present disclosure also provides a computer-readable storage medium having stored thereon executable instructions that, when executed by a processor, cause the processor to perform the above-described method.
A fifth aspect of the present disclosure also provides a computer program product comprising a computer program which, when executed by a processor, implements the above method.
According to the joint login method, device, equipment, medium and program product, the second application system acquires the identity token information of the first application program and encrypts it with the private key of the second application program to obtain digital signature information. When the server side of the first application program has verified the digital signature information, the second application system receives the encrypted key factor data sent by that server and decrypts it with the private key of the second application program to obtain the key factor. It then decrypts the encrypted attribute information of the target user with the key factor to obtain the decrypted attribute information of the target user. Finally, when the target user has access rights to the second application program, the access page of the second application program is displayed. Because the information exchanged between the first application program and the second application program is protected by a public-key encryption algorithm, the second application program can obtain the attribute information of the target user from the first application program and so determine whether the target user is authorized to log in to the second application program. The original login authentication flow of the second application program need not be modified, joint login of the first application program and the second application program is achieved, security between the jointly logged-in systems is improved, and the amount of data the server must process is reduced.
Drawings
The foregoing and other objects, features and advantages of the disclosure will be more apparent from the following description of embodiments of the disclosure with reference to the accompanying drawings, in which:
FIG. 1 schematically illustrates an application scenario diagram of a federated login method, apparatus, device, medium, and program product in accordance with an embodiment of the present disclosure;
FIG. 2 schematically illustrates a server-side flowchart of a federated login method applied to a second application in accordance with an embodiment of the present disclosure;
FIG. 3 schematically illustrates a server-side flowchart of a federated login method applied to a first application in accordance with an embodiment of the present disclosure;
FIG. 4 schematically illustrates a schematic diagram of a federated login method, in accordance with an embodiment of the present disclosure;
FIG. 5 schematically illustrates a block diagram of a configuration of a server device to which a federated login method is applied to a second application in accordance with an embodiment of the present disclosure;
FIG. 6 schematically illustrates a block diagram of a server device to which a federated login method is applied to a first application in accordance with an embodiment of the present disclosure; and
fig. 7 schematically illustrates a block diagram of an electronic device adapted to implement a federated login method, in accordance with an embodiment of the present disclosure.
Detailed Description
Hereinafter, embodiments of the present disclosure will be described with reference to the accompanying drawings. It should be understood that the description is only exemplary and is not intended to limit the scope of the present disclosure. In the following detailed description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the embodiments of the present disclosure. It may be evident, however, that one or more embodiments may be practiced without these specific details. In addition, in the following description, descriptions of well-known structures and techniques are omitted so as not to unnecessarily obscure the concepts of the present disclosure.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. The terms "comprises," "comprising," and/or the like, as used herein, specify the presence of stated features, steps, operations, and/or components, but do not preclude the presence or addition of one or more other features, steps, operations, or components.
All terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art unless otherwise defined. It should be noted that the terms used herein should be construed to have meanings consistent with the context of the present specification and should not be construed in an idealized or overly formal manner.
Where expressions like "at least one of A, B and C, etc." are used, they should generally be interpreted according to the meaning commonly understood by those skilled in the art (e.g., "a system having at least one of A, B and C" shall include, but not be limited to, a system having A alone, B alone, C alone, A and B together, A and C together, B and C together, and/or A, B and C together, etc.).
In the technical scheme of the disclosure, the collection, storage, use, processing, transmission, provision, disclosure and application of the data involved (including but not limited to users' personal information) all comply with the relevant laws and regulations, necessary security measures are taken, and public order and good customs are not violated.
The traditional approach to logging in to a third-party system adopts a unified login authentication scheme: unified authentication and login management for enterprise users is achieved by modifying modules such as user registration, permission management and login authentication. This scheme discards the original login flow, so that the unified authentication login system integrates all business systems very tightly. It requires deep secondary development of each service system, and the enterprise's private system must be independently deployed, operated and maintained. As enterprises require more and more business systems and new business demands keep arising, the unified login authentication scheme leads to difficult development and maintenance, a heavy workload on the server, congestion in receiving verification information, low security efficiency and a poor user experience.
In view of this, an embodiment of the present disclosure provides a joint login method, applied to a server of a second application program, which includes: obtaining identity token information of a first application program, where the identity token information is produced by the server side of the first application program, in response to a selection operation performed on a page of the first application program on an identifier of an access page of a second application program, by encrypting the login information with which a target user logged in to the first application program; encrypting the identity token information with the private key of the second application program to obtain digital signature information; when the server side of the first application program has verified the digital signature information, receiving the encrypted key factor data sent by the server side of the first application program and decrypting it with the private key of the second application program to obtain the key factor; decrypting the encrypted attribute information of the target user with the key factor to obtain the decrypted attribute information of the target user; and, when the target user has access rights to the second application program, displaying the access page of the second application program.
Fig. 1 schematically illustrates an application scenario diagram of a federated login method, apparatus, device, medium, and program product according to an embodiment of the present disclosure.
As shown in fig. 1, an application scenario 100 according to this embodiment may include a first terminal device 101, a second terminal device 102, a first application server 103, a first application database 104, a second application server 105 and a second application database 106.
The first application server 103 is configured to provide functional services such as user login, login authentication key distribution, login authentication callback and the second application portal.
The first application database 104 is configured to store information such as first application user information and keys.
The second application server 105 is configured to provide functional services such as joint login access, joint login authentication, user search and the login success page.
The second application database 106 is used to store second application user information, keys and the like.
A user may access the first application server 103 using the first terminal device 101 or the second terminal device 102, and then access the second application server 105 by the joint login method provided by the embodiment of the present disclosure. The encrypted information generated by the interaction of the first application server 103 with the second application server 105 is stored in the first application database 104 and the second application database 106.
Various communication client applications may be installed on the first terminal device 101 and the second terminal device 102, such as knowledge reading applications, web browser applications, search applications, instant messaging tools, mailbox clients and/or social platform software, to name a few.
The first terminal device 101 and the second terminal device 102 may be various electronic devices having a display screen and supporting web browsing, including but not limited to tablet computers, laptop computers, desktop computers, smartphones and the like. The first application server 103 and the second application server 105 may be servers providing various services, such as a background management server (for example only) that supports the content browsed by the user with the first terminal device 101 and the second terminal device 102. The background management server may analyze and process received data such as user requests and feed the processing result (e.g., a web page, information or data obtained or generated according to the user request) back to the terminal device.
It should be noted that the joint login method provided in the embodiments of the present disclosure may generally be performed by the first application server 103 and the second application server 105. Accordingly, the joint login devices provided by the embodiments of the present disclosure may generally be located in the first application server 103 and the second application server 105. The joint login method may also be performed by a server or server cluster that is different from the first application server 103 and the second application server 105 and is capable of communicating with the first terminal device 101, the second terminal device 102 and/or the first application server 103 and the second application server 105. Accordingly, the joint login apparatus may also be provided in such a server or server cluster.
For example, when a user logs in to the first application, the first terminal device 101 and the second terminal device 102 may access the first application server 103, then carry the first application's information to the second application server 105, which processes the information content. The encrypted information of the interaction between the first application server 103 and the second application server 105 is saved in the first application database and the second application database.
It should be understood that the number of first terminal devices, second terminal devices, servers and databases in fig. 1 is merely illustrative. There may be any number of terminal devices, databases and servers as required in practice.
The joint login method of the disclosed embodiment will be described in detail below with reference to fig. 2 to 6 based on the scenario described in fig. 1.
Fig. 2 schematically illustrates a flowchart of a federated login method applied to a server of a first application in accordance with an embodiment of the present disclosure.
As shown in fig. 2, the joint login method of this embodiment is applied to the server side of the second application program, and includes operations S210 to S250.
In operation S210, identity token information of a first application is acquired.
In operation S220, the identity token information is encrypted using the private key of the second application program, to obtain digital signature information.
In operation S230, in the case that the digital signature information is verified by the server of the first application, the encryption key factor data sent by the server of the first application is received, and the encryption key factor data is decrypted by using the private key of the second application, so as to obtain the key factor.
In operation S240, the encrypted attribute information of the target user is decrypted using the key factor, to obtain the decrypted attribute information of the target user.
In operation S250, in case that the target user has access right to the second application, an access page of the second application is presented.
According to the embodiment of the disclosure, the identity token information is obtained by the server side of the first application program encrypting the login information with which the target user logged in to the first application program, in response to a selection operation, performed on a page of the first application program, on an identification of an access page of the second application program.
According to an embodiment of the present disclosure, the digital signature information refers to the digital signature data generated by signing data such as the domain name of the first application, the identification of the first application and a timestamp with the private key of the second application.
According to an embodiment of the present disclosure, the encrypted key factor data refers to the key factor encrypted using the public key of the second application.
According to an embodiment of the present disclosure, the attribute information of the target user includes a user identification, a certificate type, a certificate number, and the like. For example: the user identification may be an enterprise a, the credential type may be a work card, and the credential number may be 9301.
According to an embodiment of the present disclosure, the first application and the second application both generate asymmetric keys, and both exchange public keys.
For example: the first application generates an asymmetric key pair of public key 1 and private key 1, and the second application generates an asymmetric key pair of public key 2 and private key 2. The two parties exchange public keys, namely public key 1 is handed to the second application server for storage while private key 1 is kept by the first application server, and public key 2 is handed to the first application server for storage while private key 2 is kept by the second application server. According to an embodiment of the present disclosure, the first application may exchange a public key not only with the second application but also with a third application, a fourth application, and so on. That is, multiple applications can be jointly logged in to through the first application.
According to the embodiment of the disclosure, after the second application server obtains the identity token information of the first application, the second application server uses the private key 2 of the second application to encrypt the identity token information such as the domain name of the first application, the first application identifier, the timestamp and the like, so as to generate digital signature information.
According to the embodiment of the disclosure, when the server side of the first application program passes the verification of the digital signature information, the encrypted key factor data sent by the server side of the first application program, which was encrypted with public key 2, is received, and the server side of the second application program decrypts the encrypted key factor data using private key 2, so as to obtain the key factor.
According to the embodiment of the disclosure, the random number sent by the first application server is used to query the database for the corresponding key factor, and the key factor is used to decrypt the attribute information of the target user, so as to obtain the decrypted attribute information of the target user.
According to the joint login method, device, equipment, medium and program product provided by the disclosure, the second application system acquires the identity token information of the first application program and encrypts the identity token information with the private key of the second application program to obtain digital signature information. When the server side of the first application program passes the verification of the digital signature information, the encrypted key factor data sent by the server side of the first application program is received and decrypted with the private key of the second application program to obtain the key factor. The encrypted attribute information of the target user is then decrypted with the key factor to obtain the decrypted attribute information of the target user. Finally, when the target user has access rights to the second application program, the access page of the second application program is displayed. Because the information interaction between the first application program and the second application program is carried out through a public key encryption algorithm, the second application program can obtain the attribute information of the target user from the first application program so as to determine whether the target user has the authority to log in to the second application program. The original login authentication flow of the second application program does not need to be modified, joint login of the first application program and the second application program can be realized, the security between the jointly logged-in systems is improved, and the amount of data processing on the server is reduced.
According to an embodiment of the present disclosure, encrypting the identity token information by using a private key of the second application program to obtain digital signature information includes:
decrypting the identity token information to obtain domain name information of the first application program, identification information of the first application program and timestamp information of the target user logging in to the first application program; and encrypting the domain name information of the first application program, the identification information of the first application program and the timestamp information of the target user logging in to the first application program with the private key of the second application program to obtain the digital signature information.
According to the embodiment of the disclosure, the second application server decrypts the first application identity token information to obtain the domain name of the first application, the first application identifier and the timestamp information of the target user logging in the first application. For example: the first application identity token is encrypted by the private key 1 of the first application, and then the second application server uses the public key 1 of the first application to perform decryption processing. And then, the domain name information of the first application program, the identification information of the first application program and the timestamp information of the target user logging in the first application program are encrypted by using the private key 2 of the second application program, so that digital signature information is obtained. According to the embodiment of the disclosure, the asymmetric key exchange is performed by the first application program and the second application program, so that the interaction process between the application programs is more convenient and safer.
According to an embodiment of the present disclosure, decrypting the encrypted attribute information of the target user using the key factor to obtain the decrypted attribute information of the target user includes:
verifying the encrypted attribute information of the target user with the public key of the first application program to obtain a verification result; and, when the verification result is that verification is passed, decrypting the encrypted attribute information of the target user with the key factor to obtain the attribute information of the target user.
According to an embodiment of the present disclosure, the second application server verifies the signature data using public key 1 of the first application. For example: the verification condition is that the first information interaction duration between the first application program and the second application program is within a 5-minute validity period. If the first information interaction duration between the first application program and the second application program is within the 5-minute validity period, verification is passed, the random number is used to query the database for the key factor, and the key factor is used to decrypt the attribute information of the target user to obtain the attribute information of the target user.
According to the embodiment of the disclosure, since the attribute information of the user is encrypted with the key factor, no information leakage occurs when logging in to the second application program.
According to an embodiment of the present disclosure, verifying, with a public key of a first application, attribute information of an encrypted target user to obtain a verification result includes:
decrypting the encrypted attribute information of the target user with the public key of the first application program to obtain the attribute information of the target user and the timestamp information of the target user logging in to the first application program; determining a first information interaction duration according to the timestamp information and the current time information; and, when the first information interaction duration meets a preset threshold and the attribute information of the target user is verified, determining that the verification result is that verification is passed.
According to the embodiment of the disclosure, the second application server uses public key 1 of the first application to decrypt the encrypted attribute information of the target user, so as to obtain the attribute information of the target user and the timestamp information of the target user logging in to the first application. For example: the timestamp information is Beijing time 8:35 and the current time is Beijing time 8:40, so the first information interaction duration is 1 minute. Since 1 minute satisfies the preset threshold of 5 minutes, verification is passed, and the verification result is determined to be that verification is passed. Otherwise, when the preset threshold of 5 minutes is not met, the verification result is determined to be that verification is not passed. According to the embodiment of the disclosure, information interaction between the first application program and the second application program is performed through a public key encryption algorithm, and verification is performed using the first information interaction duration between the programs, so that joint login of the first application program and the second application program is realized and the timeliness of the joint login can be improved.
According to an embodiment of the present disclosure, the above method further includes:
decrypting the encrypted key factor data with the private key of the second application program to obtain the key factor and the random number; storing the random number and the key factor in association with each other; and receiving the random number sent by the server of the first application program, and determining the key factor according to the random number.
According to the embodiment of the disclosure, the encryption key factor data is decrypted by using the private key 2 of the second application program to obtain the key factor and the random number. For example: the key factor is a key factor a and the random number is a random number a1. The random number a1 and the key factor a are stored in association.
For example: the association relationship may be a mapping relationship. Then the mapping of the random number a1 is the key factor a. The subsequent second application server receives the random number a1 sent by the server of the first application, and determines that the key factor is the key factor a according to the fact that the mapping of the random number a1 is the key factor a.
According to the embodiment of the disclosure, the second application program can query the key factor according to the random number by storing the random number and the key factor in an associated mode, so that the security of data transmission is improved.
Fig. 3 schematically illustrates a flowchart of a federated login method applied to a server of a first application in accordance with an embodiment of the present disclosure.
As shown in fig. 3, the joint login method of the embodiment is applied to a server side of a first application program, and includes operations S310 to S340.
In operation S310, in response to a selection operation performed on the page of the first application program on the identification of the access page of the second application program, the login information of the target user for logging in to the first application program is encrypted to obtain identity token information, and the identity token information is sent to the server side of the second application program.
In operation S320, the digital signature information obtained by the server of the second application program by encrypting the identity token information with the private key of the second application program is received, and the digital signature information is verified with the public key of the second application program, so as to obtain a verification result.
In operation S330, if the verification result is that the verification is passed, the randomly generated key factor is encrypted by using the public key of the second application program to obtain encrypted key factor data, and the encrypted key factor data is sent to the server of the second application program.
In operation S340, the attribute information of the target user is encrypted by using the key factor, and the encrypted attribute information of the target user is generated; and sending the encrypted attribute information of the target user to the server side of the second application program.
According to an embodiment of the present disclosure, login information when the target user logs in to the first application program includes login time, IP address, browsing information, and the like. The first application program server side encrypts login information by using a private key 1 of the first application program to obtain an identity token, and sends the identity token information to the second application program server side.
According to the embodiment of the disclosure, the first application server receives digital signature information obtained by encrypting the identity token information by the server of the second application by using the private key 2 of the second application. And then the first application program server verifies the digital signature information by using the public key 2 of the second application program to obtain a verification result.
According to the embodiment of the disclosure, under the condition that verification is passed, the first application server encrypts the randomly generated key factor by using the public key 2 of the second application to obtain encrypted key factor data, and then the first application server sends the encrypted key factor data to the second application server.
According to the embodiment of the disclosure, the first application program server encrypts the attribute information of the target user in the json format by using the key factor, and generates the encrypted attribute information of the target user. The user data is in json format and can be customized according to the requirements of the second application program. And the server side of the first application program sends the encrypted attribute information of the target user to the server side of the second application program.
According to the embodiment of the disclosure, since information interaction between the first application program and the second application program is performed through a public key encryption algorithm, the second application program can obtain the attribute information of the target user from the first application program so as to determine whether the target user has the authority to log in to the second application program. The original login authentication flow of the second application program does not need to be modified, joint login of the first application program and the second application program can be realized, the security between the jointly logged-in systems is improved, and the amount of data processing on the server is reduced.
According to an embodiment of the present disclosure, verifying the digital signature information by using the public key of the second application program, to obtain a verification result, includes:
decrypting the digital signature information with the public key of the second application program to obtain the identity token information and the timestamp information of the target user logging in to the first application program; determining a second information interaction duration according to the timestamp information and the current time information; and, when the second information interaction duration meets a preset threshold and the identity token information is verified, determining that the verification result is that verification is passed.
According to the embodiment of the disclosure, the first application server decrypts the digital signature information by using the public key 2 of the second application to obtain the identity token information and the timestamp information of the target user logging in the first application.
For example: the preset threshold duration is 5 minutes, and the second information interaction duration must be less than 5 minutes for verification to pass. If the timestamp information of the target user logging in to the first application program is Beijing time 10:00 and the current Beijing time is 10:03, the second information interaction duration is 3 minutes, which is less than 5 minutes, and the verification result is that verification is passed.
According to the embodiment of the disclosure, when verifying the digital signature information, the time stamp verification process is added, so that timeliness of information transmission can be ensured.
According to an embodiment of the present disclosure, the above method further includes:
when the verification result is that verification is passed, randomly generating a random number and a key factor, and encrypting the randomly generated key factor with the public key of the second application program to obtain encrypted key factor data; and sending the encrypted key factor data and the random number to the server of the second application program.
According to the embodiment of the disclosure, the first application server randomly generates a key factor and a random number when the digital signature information is verified by using the public key 2 of the second application. The first application program server side encrypts the key factor by using the public key 2 of the second application program to obtain encrypted key factor data. And then the first application program server side sends the encryption key factor data and the random number to the second application program server side.
According to the embodiment of the disclosure, the random number is added in the data transmission process, so that the security of the data transmission can be improved.
Fig. 4 schematically illustrates a schematic diagram of a federated login method, in accordance with an embodiment of the present disclosure.
As shown in fig. 4, the schematic diagram of the joint login method of this embodiment includes steps S401 to S415.
In step 401, a user logs in a first application program by using elements such as a user name and a password, and when accessing a second application program, the user accesses an access address of the second application program by carrying identity token information of the first application program.
In step 402, the second application signs data such as first application domain name | first application identifier | timestamp with the second application private key to generate digital signature information.
In step 403, the second application calls back the login authentication key distribution address of the first application, and the uploaded parameters include: the first application identification, the digital signature information, the timestamp and the identity token.
At step 404, the first application verifies the digital signature information using the second application public key, verifies the identity token, and verifies whether the timestamp is within 5 minutes of validity.
In step 405, after verification is passed, a random number and a key factor are generated, and the key factor is encrypted using the second application public key.
At step 406, the random number, the encrypted key factor data, the identity token are returned to the second application.
In step 407, the second application decrypts the encrypted key factor data using the second application private key to obtain the key factor. And storing the random number and the key factor into a database of the second application program.
In step 408, the second application initiates a request to the first application login authentication callback address, uploading parameters: a first application identification, digital signature information, a timestamp, an identity token, a random number, a second application redirection address.
At step 409, the digital signature information is verified using the second application public key, verifying the identity token, verifying whether the timestamp is within 5 minutes of validity.
In step 410, after verification is passed, the first application encrypts the JSON-formatted user data, such as the user identification, certificate type and certificate number, with the key factor to obtain the encrypted attribute information of the target user.
In step 411, the attribute information of the target user is signed using the first application private key, generating digital signature information.
In step 412, the first application calls back the redirection address of the second application, and the uploaded parameters include: the attribute information of the target user, the digital signature information, the timestamp and the random number.
In step 413, the second application verifies the digital signature information using the first application public key, verifying if the timestamp is within 5 minutes of validity.
In step 414, after verification is passed, the key factor is obtained by querying the database with the random number, and the attribute information of the target user is decrypted with the key factor to obtain the user information.
In step 415, the user information is looked up and redirected to the second application login success page.
According to an embodiment of the present disclosure, the JSON format is a pure-string data format that does not itself provide any means of transmission over a network.
Based on the joint login method, the disclosure also provides a joint login device. The device will be described in detail below in connection with fig. 5 and 6.
Fig. 5 schematically illustrates a block diagram of the structure of a server device of a second application program to which the federated login method is applied, according to an embodiment of the present disclosure.
As shown in fig. 5, the server device 500 of this embodiment, in which the joint login method is applied to the second application program, includes an acquisition module 510, a first encryption module 520, a first decryption module 530, a second decryption module 540, and a presentation module 550.
The acquisition module 510 is configured to acquire identity token information of the first application program. The identity token information is obtained by the server side of the first application program encrypting the login information with which the target user logged in to the first application program, in response to a selection operation performed on a page of the first application program on an identification of an access page of the second application program. In an embodiment, the acquisition module 510 may be configured to perform the operation S210 described above, which is not repeated here.
The first encryption module 520 is configured to encrypt the identity token information with the private key of the second application program, so as to obtain digital signature information. In an embodiment, the first encryption module 520 may be used to perform the operation S220 described above, which is not repeated here.
The first decryption module 530 is configured to receive the encrypted key factor data sent by the server of the first application program when the server of the first application program verifies the digital signature information, and to decrypt the encrypted key factor data with the private key of the second application program to obtain the key factor. In an embodiment, the first decryption module 530 may be used to perform the operation S230 described above, which is not repeated here.
The second decryption module 540 is configured to decrypt the encrypted attribute information of the target user with the key factor, to obtain the decrypted attribute information of the target user. In an embodiment, the second decryption module 540 may be used to perform the operation S240 described above, which is not repeated here.
The presentation module 550 is configured to display the access page of the second application program if the target user has access rights to the second application program. In an embodiment, the presentation module 550 may be configured to perform the operation S250 described above, which is not repeated here.
According to an embodiment of the present disclosure, the first encryption module includes a first decryption unit and an encryption unit. The first decryption unit is used for decrypting the identity token information to obtain domain name information of the first application program, identification information of the first application program and timestamp information of a target user logging in the first application program. The encryption unit is used for encrypting the domain name information of the first application program, the identification information of the first application program and the timestamp information of the target user logging in the first application program by utilizing the private key of the second application program to obtain digital signature information.
According to an embodiment of the present disclosure, the first verification unit comprises a decryption subunit, a first determination subunit, and a second determination subunit. And the decryption subunit decrypts the encrypted attribute information of the target user by using the public key of the first application program to obtain the attribute information of the target user and the timestamp information of the target user logging in the first application program. And the first determining subunit is used for determining the first information interaction duration according to the timestamp information and the current time information. And the second determining subunit is used for determining that the verification result is verification passing under the condition that the first information interaction duration meets a preset threshold value and the attribute information of the target user is verified.
According to an embodiment of the present disclosure, the above apparatus further includes: the device comprises a third decryption module, an association storage module and a determination module. And the third decryption module is used for decrypting the encrypted key factor data by using the private key of the second application program to obtain the key factor and the random number. And the association storage module is used for carrying out association storage on the random number and the key factor. And the determining module is used for receiving the random number sent by the server of the first application program and determining the key factor according to the random number.
Fig. 6 schematically illustrates a block diagram of the structure of a server device of a first application program to which the federated login method is applied, according to an embodiment of the present disclosure.
As shown in fig. 6, the server device 600 of this embodiment, in which the joint login method is applied to the first application program, includes a second encryption module 610, a third encryption module 620, a fourth encryption module 630, and a fifth encryption module 640.
The second encryption module 610 is configured to encrypt the login information with which the target user logged in to the first application program to obtain identity token information, in response to a selection operation performed on the page of the first application program on the identifier of the access page of the second application program, and to send the identity token information to the server side of the second application program. In an embodiment, the second encryption module 610 may be used to perform the operation S310 described above, which is not repeated here.
The third encryption module 620 is configured to receive the digital signature information obtained by encrypting the identity token information with the private key of the second application program, and to verify the digital signature information with the public key of the second application program, so as to obtain a verification result. In an embodiment, the third encryption module 620 may be used to perform the operation S320 described above, which is not repeated here.
The fourth encryption module 630 is configured, when the verification result is that verification is passed, to encrypt the randomly generated key factor with the public key of the second application program to obtain encrypted key factor data, and to send the encrypted key factor data to the server of the second application program. In an embodiment, the fourth encryption module 630 may be used to perform the operation S330 described above, which is not repeated here.
The fifth encryption module 640 is configured to encrypt the attribute information of the target user with the key factor to generate the encrypted attribute information of the target user, and to send the encrypted attribute information of the target user to the server side of the second application program. In an embodiment, the fifth encryption module 640 may be used to perform the operation S340 described above, which is not repeated here.
According to an embodiment of the present disclosure, the third encryption module includes a third decryption unit, a first determination unit, and a second determination unit. The third decryption unit is configured to decrypt the digital signature information with the public key of the second application program to obtain the identity token information and the timestamp information of the target user logging in to the first application program. The first determination unit is configured to determine the second information interaction duration according to the timestamp information and the current time information. The second determination unit is configured to determine that the verification result is that verification is passed when the second information interaction duration meets a preset threshold and the identity token information is verified.
According to an embodiment of the present disclosure, the above apparatus further includes: and a sixth encryption module and a transmission module. The sixth encryption module is used for randomly generating a random number and a key factor under the condition that the verification result is that verification is passed, and carrying out encryption processing on the key factor by utilizing a public key of the second application program to obtain encrypted key factor data; and the sending module is used for sending the encryption key factor data and the random number to a server side of the second application program.
Fig. 7 schematically illustrates a block diagram of an electronic device adapted to implement a federated login method according to an embodiment of the present disclosure.
As shown in Fig. 7, an electronic device 700 according to an embodiment of the present disclosure includes a processor 701 that can perform various appropriate actions and processes according to a program stored in a read-only memory (ROM) 702 or a program loaded from a storage section 708 into a random access memory (RAM) 703. The processor 701 may include, for example, a general-purpose microprocessor (e.g., a CPU), an instruction set processor and/or an associated chipset, and/or a special-purpose microprocessor (e.g., an application-specific integrated circuit (ASIC)), or the like. The processor 701 may also include on-board memory for caching purposes. The processor 701 may comprise a single processing unit or a plurality of processing units for performing different actions of the method flows according to embodiments of the disclosure.
The RAM 703 stores various programs and data necessary for the operation of the electronic device 700. The processor 701, the ROM 702 and the RAM 703 are connected to each other through a bus 704. The processor 701 performs the various operations of the method flow according to embodiments of the present disclosure by executing programs in the ROM 702 and/or the RAM 703. Note that the program may also be stored in one or more memories other than the ROM 702 and the RAM 703; the processor 701 may likewise perform the operations of the method flow by executing programs stored in those one or more memories.
According to an embodiment of the present disclosure, the electronic device 700 may further include an input/output (I/O) interface 705, which is also connected to the bus 704. The electronic device 700 may also include one or more of the following components connected to the I/O interface 705: an input section 706 including a keyboard, a mouse and the like; an output section 707 including a cathode ray tube (CRT) or liquid crystal display (LCD), a speaker and the like; a storage section 708 including a hard disk or the like; and a communication section 709 including a network interface card such as a LAN card, a modem or the like. The communication section 709 performs communication processing via a network such as the Internet. A drive 710 is also connected to the I/O interface 705 as needed. A removable medium 711 such as a magnetic disk, an optical disk, a magneto-optical disk or a semiconductor memory is mounted on the drive 710 as necessary, so that a computer program read from it can be installed into the storage section 708 as necessary.
The present disclosure also provides a computer-readable storage medium, which may be included in the apparatus/device/system described in the above embodiments or may exist alone without being assembled into the apparatus/device/system. The computer-readable storage medium carries one or more programs which, when executed, implement methods according to embodiments of the present disclosure.
According to embodiments of the present disclosure, the computer-readable storage medium may be a non-volatile computer-readable storage medium, which may include, for example but without limitation: a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this disclosure, a computer-readable storage medium may be any tangible medium that can contain or store a program for use by or in connection with an instruction execution system, apparatus or device. For example, according to embodiments of the present disclosure, the computer-readable storage medium may include the ROM 702 and/or the RAM 703 and/or one or more memories other than the ROM 702 and the RAM 703 described above.
Embodiments of the present disclosure also include a computer program product comprising a computer program containing program code for performing the methods shown in the flowcharts. The program code, when executed in a computer system, causes the computer system to implement the federated login method provided by embodiments of the present disclosure.
The above-described functions defined in the system/apparatus of the embodiments of the present disclosure are performed when the computer program is executed by the processor 701. The systems, apparatuses, modules, units and the like described above may be implemented by computer program modules according to embodiments of the disclosure.
In one embodiment, the computer program may be carried on a tangible storage medium such as an optical storage device or a magnetic storage device. In another embodiment, the computer program may also be transmitted and distributed over a network medium in the form of signals, downloaded and installed via the communication section 709, and/or installed from the removable medium 711. The computer program may include program code that may be transmitted using any appropriate network medium, including but not limited to wireless, wired, or any suitable combination of the foregoing.
According to embodiments of the present disclosure, the program code for the computer programs provided by embodiments of the present disclosure may be written in any combination of one or more programming languages; in particular, such computer programs may be implemented in high-level procedural and/or object-oriented programming languages, and/or assembly/machine languages. Programming languages include, but are not limited to, Java, C++, Python, C or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, partly on a remote computing device, or entirely on the remote computing device or server. In the case of a remote computing device, the remote computing device may be connected to the user's computing device through any kind of network, including a local area network (LAN) or a wide area network (WAN), or may be connected to an external computing device (e.g., via the Internet using an Internet service provider).
The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
Those skilled in the art will appreciate that the features recited in the various embodiments of the disclosure and/or in the claims may be provided in a variety of combinations and/or combinations, even if such combinations or combinations are not explicitly recited in the disclosure. In particular, the features recited in the various embodiments of the present disclosure and/or the claims may be variously combined and/or combined without departing from the spirit and teachings of the present disclosure. All such combinations and/or combinations fall within the scope of the present disclosure.
The embodiments of the present disclosure are described above. However, these examples are for illustrative purposes only and are not intended to limit the scope of the present disclosure. Although the embodiments are described above separately, this does not mean that the measures in the embodiments cannot be used advantageously in combination. The scope of the disclosure is defined by the appended claims and equivalents thereof. Various alternatives and modifications can be made by those skilled in the art without departing from the scope of the disclosure, and such alternatives and modifications are intended to fall within the scope of the disclosure.

Claims (13)

Translated from Chinese

1. A federated login method, applied to the server side of a second application program, comprising: obtaining identity token information of a first application program, wherein the identity token information is obtained by the server side of the first application program, in response to a selection operation performed on the page of the first application program on the identifier of the access page of the second application program, by encrypting the login information with which a target user logs in to the first application program; encrypting the identity token information using a private key of the second application program to obtain digital signature information; when the server side of the first application program has verified the digital signature information, receiving encrypted key factor data sent by the server side of the first application program, and decrypting the encrypted key factor data using the private key of the second application program to obtain a key factor; decrypting encrypted attribute information of the target user using the key factor to obtain decrypted attribute information of the target user; and, when the target user has access rights to the second application program, displaying the access page of the second application program.

2. The method according to claim 1, wherein encrypting the identity token information using the private key of the second application program to obtain digital signature information comprises: decrypting the identity token information to obtain domain name information of the first application program, identification information of the first application program, and timestamp information of the target user logging in to the first application program; and encrypting the domain name information of the first application program, the identification information of the first application program and the timestamp information of the target user logging in to the first application program using the private key of the second application program to obtain the digital signature information.

3. The method according to claim 1, wherein decrypting the encrypted attribute information of the target user using the key factor to obtain decrypted attribute information of the target user comprises: verifying the encrypted attribute information of the target user using a public key of the first application program to obtain a verification result; and, when the verification result is that verification passes, decrypting the encrypted attribute information of the target user using the key factor to obtain the attribute information of the target user.

4. The method according to claim 3, wherein verifying the encrypted attribute information of the target user using the public key of the first application program to obtain a verification result comprises: decrypting the encrypted attribute information of the target user using the public key of the first application program to obtain the attribute information of the target user and timestamp information of the target user logging in to the first application program; determining a first information interaction duration from the timestamp information and current time information; and, when the first information interaction duration satisfies a preset threshold and the attribute information of the target user has been verified, determining that the verification result is that verification passes.

5. The method according to claim 1, further comprising: decrypting the encrypted key factor data using the private key of the second application program to obtain the key factor and a random number; storing the random number in association with the key factor; and receiving a random number sent by the server side of the first application program and determining the key factor from the random number.

6. A federated login method, applied to the server side of a first application program, comprising: in response to a selection operation performed on the page of the first application program on the identifier of the access page of a second application program, encrypting the login information with which a target user logs in to the first application program to obtain identity token information, and sending the identity token information to the server side of the second application program; receiving digital signature information obtained by the server side of the second application program encrypting the identity token information using a private key of the second application program, and verifying the digital signature information using a public key of the second application program to obtain a verification result; when the verification result is that verification passes, encrypting a randomly generated key factor using the public key of the second application program to obtain encrypted key factor data, and sending the encrypted key factor data to the server side of the second application program; and encrypting attribute information of the target user using the key factor to generate encrypted attribute information of the target user, and sending the encrypted attribute information of the target user to the server side of the second application program.

7. The method according to claim 6, wherein verifying the digital signature information using the public key of the second application program to obtain a verification result comprises: decrypting the digital signature information using the public key of the second application program to obtain the identity token information and timestamp information of the target user logging in to the first application program; determining a second information interaction duration from the timestamp information and current time information; and, when the second information interaction duration satisfies a preset threshold and the identity token information has been verified, determining that the verification result is that verification passes.

8. The method according to claim 1, further comprising: when the verification result is that verification passes, randomly generating a random number and a key factor, and encrypting the key factor using the public key of the second application program to obtain encrypted key factor data; and sending the encrypted key factor data and the random number to the server side of the second application program.

9. A federated login apparatus, applied to the server side of a second application program, comprising: an acquisition module configured to obtain identity token information of a first application program, wherein the identity token information is obtained by the server side of the first application program, in response to a selection operation performed on the page of the first application program on the identifier of the access page of the second application program, by encrypting the login information with which a target user logs in to the first application program; a first encryption module configured to encrypt the identity token information using a private key of the second application program to obtain digital signature information; a first decryption module configured to, when the server side of the first application program has verified the digital signature information, receive encrypted key factor data sent by the server side of the first application program and decrypt the encrypted key factor data using the private key of the second application program to obtain a key factor; a second decryption module configured to decrypt encrypted attribute information of the target user using the key factor to obtain decrypted attribute information of the target user; and a display module configured to display the access page of the second application program when the target user has access rights to the second application program.

10. A federated login apparatus, applied to the server side of a first application program, comprising: a second encryption module configured to, in response to a selection operation performed on the page of the first application program on the identifier of the access page of a second application program, encrypt the login information with which a target user logs in to the first application program to obtain identity token information, and send the identity token information to the server side of the second application program; a third encryption module configured to receive digital signature information obtained by the server side of the second application program encrypting the identity token information using a private key of the second application program, and verify the digital signature information using a public key of the second application program to obtain a verification result; a fourth encryption module configured to, when the verification result is that verification passes, encrypt a randomly generated key factor using the public key of the second application program to obtain encrypted key factor data, and send the encrypted key factor data to the server side of the second application program; and a fifth encryption module configured to encrypt attribute information of the target user using the key factor to generate encrypted attribute information of the target user, and send the encrypted attribute information of the target user to the server side of the second application program.

11. An electronic device, comprising: one or more processors; and a storage device for storing one or more programs, wherein, when the one or more programs are executed by the one or more processors, the one or more processors are caused to perform the method according to any one of claims 1 to 5 or 6 to 8.

12. A computer-readable storage medium having executable instructions stored thereon which, when executed by a processor, cause the processor to perform the method according to any one of claims 1 to 5 or 6 to 8.

13. A computer program product comprising a computer program which, when executed by a processor, implements the method according to any one of claims 1 to 5 or 6 to 8.
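The exchange the claims describe, worked through end to end as an added example; this is illustration code, not code from the patent or from ICBC. The patent leaves the primitives open, so the example assumes RSA-PSS for the steps the claims call "encrypting with the private key" (those are signatures: the verifier recovers nothing from them, it checks the signature against the message it already holds), RSA-OAEP for sealing the key factor to the second application's public key, AES-256-GCM for the attribute information encrypted under the key factor, and a 60-second window for the "information interaction duration" checks of claims 4 and 7. The random number of claims 5 and 8 is generated with the key factor, sealed together with it, and used by the second application's server to look the key factor up; the example additionally binds it into the GCM associated data and discards it after one use. The names `Server`, `IssueKeyFactor`, `OpenAttributes` and the other identifiers are the example's own, as is the constructed user data.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Assumed freshness window for both "information interaction duration" checks.
const freshness = 60 * time.Second

// Token is APP1's statement that the user is logged in. The attribute message
// APP1 releases later reuses the type with Role filled in; both carry a timestamp.
type Token struct {
	User, Role string
	IssuedAt   int64 // unix seconds
}

// Server models either application's back end. APP2 additionally keeps the key
// factors it has accepted, indexed by random number (claim 5), and the users
// entitled to its access page.
type Server struct {
	priv    *rsa.PrivateKey
	peerPub *rsa.PublicKey
	now     func() time.Time
	factors map[string][]byte
	allowed map[string]bool
}

// NewPair generates both key pairs and cross-registers the public keys.
func NewPair(now func() time.Time, allowed map[string]bool) (app1, app2 *Server) {
	k1, _ := rsa.GenerateKey(rand.Reader, 2048)
	k2, _ := rsa.GenerateKey(rand.Reader, 2048)
	app1 = &Server{priv: k1, peerPub: &k2.PublicKey, now: now}
	app2 = &Server{priv: k2, peerPub: &k1.PublicKey, now: now, factors: map[string][]byte{}, allowed: allowed}
	return
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func sign(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	h := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, h[:], nil)
}

func verify(pub *rsa.PublicKey, msg, sig []byte) error {
	h := sha256.Sum256(msg)
	return rsa.VerifyPSS(pub, crypto.SHA256, h[:], sig, nil)
}

func fresh(now time.Time, iat int64) error {
	if age := now.Sub(time.Unix(iat, 0)); age < 0 || age > freshness {
		return fmt.Errorf("timestamp age %v is outside the freshness window", age)
	}
	return nil
}

func gcmFor(kf []byte) cipher.AEAD {
	block, _ := aes.NewCipher(kf) // kf is always 32 bytes, so AES-256
	g, _ := cipher.NewGCM(block)
	return g
}

// Step 1 (APP1): the user picks the APP2 entry on APP1's page; issue the token.
func (a *Server) IssueToken(user string) ([]byte, error) {
	return json.Marshal(Token{User: user, IssuedAt: a.now().Unix()})
}

// Step 2 (APP2): parse the token (claim 2) and countersign it. The patent calls
// this "encrypting with the private key"; it is a signature, and APP2 should
// never sign a blob it cannot parse.
func (b *Server) SignToken(token []byte) ([]byte, error) {
	var t Token
	if err := json.Unmarshal(token, &t); err != nil {
		return nil, err
	}
	return sign(b.priv, token)
}

// Step 3 (APP1): check APP2's signature and the token's age (claim 7), then seal
// a fresh random number and key factor to APP2's public key (claim 8).
func (a *Server) IssueKeyFactor(token, sig []byte) (rn string, kf, sealed []byte, err error) {
	var t Token
	if err = json.Unmarshal(token, &t); err != nil {
		return
	}
	if err = fresh(a.now(), t.IssuedAt); err != nil {
		return
	}
	if verify(a.peerPub, token, sig) != nil {
		return "", nil, nil, errors.New("APP2 signature does not verify")
	}
	rnb, kf := randBytes(16), randBytes(32)
	sealed, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, a.peerPub, append(rnb, kf...), nil)
	return hex.EncodeToString(rnb), kf, sealed, err
}

// Step 4 (APP2): unseal with APP2's private key and store the key factor under
// the random number so a later message can select it (claim 5).
func (b *Server) AcceptKeyFactor(sealed []byte) error {
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, b.priv, sealed, nil)
	if err != nil || len(pt) != 48 {
		return errors.New("key factor unsealing failed")
	}
	b.factors[hex.EncodeToString(pt[:16])] = pt[16:]
	return nil
}

// Step 5 (APP1): encrypt the timestamped attributes under the key factor, with
// the random number bound as associated data, then sign the ciphertext.
func (a *Server) SealAttributes(rn string, kf []byte, user, role string) (nonce, ct, sig []byte, err error) {
	pt, _ := json.Marshal(Token{user, role, a.now().Unix()})
	nonce = randBytes(12)
	ct = gcmFor(kf).Seal(nil, nonce, pt, []byte(rn))
	sig, err = sign(a.priv, ct)
	return
}

// Step 6 (APP2): verify APP1's signature before decrypting (claim 3), decrypt
// with the key factor the random number selects, check the timestamp (claim 4)
// and decide whether the access page may be shown.
func (b *Server) OpenAttributes(rn string, nonce, ct, sig []byte) (attrs Token, granted bool, err error) {
	if verify(b.peerPub, ct, sig) != nil {
		return attrs, false, errors.New("APP1 signature does not verify")
	}
	kf, ok := b.factors[rn]
	if !ok {
		return attrs, false, errors.New("unknown random number")
	}
	delete(b.factors, rn) // one use per random number: a replay finds nothing
	pt, err := gcmFor(kf).Open(nil, nonce, ct, []byte(rn))
	if err == nil {
		err = json.Unmarshal(pt, &attrs)
	}
	if err == nil {
		err = fresh(b.now(), attrs.IssuedAt)
	}
	return attrs, err == nil && b.allowed[attrs.User], err
}

func main() {
	app1, app2 := NewPair(time.Now, map[string]bool{"alice": true}) // constructed sample user
	token, _ := app1.IssueToken("alice")
	sig, _ := app2.SignToken(token)
	rn, kf, sealed, _ := app1.IssueKeyFactor(token, sig)
	_ = app2.AcceptKeyFactor(sealed)
	nonce, ct, asig, _ := app1.SealAttributes(rn, kf, "alice", "customer")
	fmt.Println(app2.OpenAttributes(rn, nonce, ct, asig))
}
```

Two points the claims' wording glosses over are made explicit here: the first application verifies APP2's signature over the exact token bytes it sent rather than "decrypting" the signature to recover them, and the second application verifies APP1's signature over the ciphertext before it touches the stored key factor, so a forged or replayed envelope never reaches the decryption path. A user who is not in `allowed` completes the whole exchange and is simply not shown the page, which matches the final step of claim 1.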
Priority Applications (1)

Application Number   Priority Date   Filing Date   Title
CN202310370873.0A    2023-04-07      2023-04-07    Joint login method, device, equipment and storage medium

Publications (1)

Publication Number   Publication Date
CN116346486A (en)    2023-06-27

Family

ID=86882270

Family Applications (1)

Application Number   Status    Publication         Priority Date   Filing Date   Title
CN202310370873.0A    Pending   CN116346486A (en)   2023-04-07      2023-04-07    Joint login method, device, equipment and storage medium

Country Status (1)

Country   Link
CN        CN116346486A (en)
Cited By (1)

* Cited by examiner, † Cited by third party

Publication number       Priority date   Publication date   Assignee                     Title
CN118157928A (en) *      2024-03-05      2024-06-07         广东省计算技术应用研究所     Information security management method and device based on big data and storage medium

Citations (5)

* Cited by examiner, † Cited by third party

Publication number       Priority date   Publication date   Assignee                             Title
CN102868704A (en) *      2012-10-11      2013-01-09         北京新媒传信科技有限公司             Method and system for single sign on
CN104113534A (en) *      2014-07-02      2014-10-22         百度在线网络技术(北京)有限公司       System and method for logging in applications (APPs)
CN114444056A (en) *      2020-10-30      2022-05-06         中移(上海)信息通信科技有限公司       User information verification method and device, electronic equipment and computer storage medium
CN114745167A (en) *      2022-04-02      2022-07-12         中科曙光国际信息产业有限公司         Identity authentication method and apparatus, computer equipment, computer-readable storage medium
CN115883156A (en) *      2022-11-25      2023-03-31         企查查科技有限公司                   Shared login method and device



Similar Documents

Publication            Title
US12388809B2 (en)      Blockchain systems and methods for user authentication
CN108322469B (en)      Information processing system, method and apparatus
US20220078017A1 (en)   Authorized Data Sharing Using Smart Contracts
US10021108B2 (en)      Anomaly detection for access control events
US11829502B2 (en)      Data sharing via distributed ledgers
US12273437B2 (en)      Data processing method and apparatus for blockchain system
US10951396B2 (en)      Tamper-proof management of audit logs
CN105556891A (en)      Sending session tokens through passive clients
CN114553570B (en)      Method, device, electronic equipment and storage medium for generating token
WO2023005838A1 (en)    Data sharing method and electronic device
CN114584381A (en)      Security authentication method and device based on gateway, electronic equipment and storage medium
CN108920971A (en)      The method of data encryption, the method for verification, the device of encryption and verification device
CN111049789B (en)      Domain name access method and device
JP2013008140A (en)     Single sign-on system, single sign-on method and authentication server cooperation program
CN114861144A (en)      Blockchain-based data rights processing method
CN116346486A (en)      Joint login method, device, equipment and storage medium
CN110602075A (en)      File stream processing method, device and system for encryption access control
CN113505397B (en)      Authorization method, server, system and storage medium
CN114386073A (en)      Method, apparatus, electronic device, and storage medium for creating a security certificate
CN110602074B (en)      A method, device and system for using business identity based on master-slave association
CN114428967B (en)      Data transmission method, device, equipment and storage medium
CN114677179B (en)      Data processing method, device, electronic device and medium
CN110602076B (en)      Identity using method, device and system based on master identity multiple authentication
CN118101215A (en)      U-shield login method, device, equipment and medium
CN118233167A (en)      User login method, device, equipment, medium and product

Legal Events

Date   Code   Title                                                      Description
       PB01   Publication
       SE01   Entry into force of request for substantive examination
