Disclosure of Invention
One or more embodiments of the present specification describe a service providing method and apparatus for a third party applet, which can improve security of a service of the third party applet.
According to a first aspect, there is provided a service providing method of a third party applet, the method comprising:
obtaining a public key sent by a first party client; the public key is a public key in a pair of public and private key pairs generated by a third party client, and the public key is sent to a first party client by the third party client;
acquiring an open authentication system identifier OpenID and generating a session identifier SessionID;
establishing a corresponding relation among the public key, the OpenID and the SessionID;
receiving a service data request sent by a first party client, wherein the service data request carries the SessionID and service parameters signed by a private key in the public-private key pair;
searching a public key corresponding to the SessionID carried in the service data request according to the pre-established corresponding relation;
signing the service parameters signed by the private key by using the searched public key;
after the verification is passed, sending a service resource request to a third party server, wherein the service resource request carries an OpenID corresponding to the SessionID carried in the service request;
and sending the response data returned by the third party server to the first party client so that the first party client can send the response data to the third party client.
The obtaining the public key sent by the first party client includes: receiving a third party login request sent by a first party client, wherein the third party login request is used for requesting to establish session connection for the third party client, and the third party login request carries the public key and identity information of the third party client; the public key is derived from the third party logging request.
Wherein after the session identifier SessionID is generated and before the receiving the service data request sent by the first party client, the method further includes:
encrypting the SessionID by using the public key, and sending the encrypted SessionID to a first party client, wherein the first party client interacts with a third party client to enable the first party client to obtain the SessionID decrypted by the private key.
According to a second aspect, there is provided a service providing method of a third party applet, the method comprising:
generating a public-private key pair;
transmitting the public key in the public-private key pair to a first party client;
receiving a login success response sent by a first party client;
signing the service parameters by utilizing the private key in the public-private key pair;
a service data request is sent to a first party client, wherein the service data request carries service parameters signed by the private key;
response data sent by the first party client is received.
The sending the public key of the public-private key pair to the first party client side includes:
and when the business service corresponding to the third party client is needed, sending a third party login request to the first party client, wherein the third party login request is used for requesting to establish session connection for the third party client, and the third party login request carries the public key and identity information of the third party client.
According to a third aspect, there is provided a service providing method of a third party applet, the method comprising:
receiving a public key sent by a third party client;
transmitting the public key to a second party server;
receiving a session identifier SessionID sent by a second party server, and caching;
receiving a service data request sent by a third party client, wherein the service data request carries service parameters signed by the private key, and sending the service data request carrying the sessionID and the service parameters signed by the private key to a second party server;
and receiving response data sent by the second party server, and sending the response data to the third party client.
According to a fourth aspect, there is provided a service providing apparatus of a third party applet, the apparatus comprising:
the public key acquisition module is configured to acquire a public key sent by the first party client; the public key is a public key in a pair of public and private key pairs generated by a third party client, and the public key is sent to a first party client by the third party client;
the identification acquisition module is configured to acquire an open authentication system identification OpenID and generate a session identification SessionID;
the corresponding relation establishing module is configured to establish a corresponding relation among the public key, the OpenID and the SessionID;
the business parameter processing module is configured to receive a business data request sent by a first party client, wherein the business data request carries the SessionID and business parameters signed by a private key in the public-private key pair; searching a public key corresponding to the SessionID carried in the service data request according to the pre-established corresponding relation; signing the service parameters signed by the private key by using the searched public key;
the resource acquisition module is configured to send a service resource request to a third party server after verification is passed, wherein the service resource request carries an OpenID corresponding to the SessionID carried in the service request;
and the response data processing module is configured to send response data returned by the third party server to the first party client so that the first party client can send the response data to the third party client.
According to a fifth aspect, there is provided a service providing apparatus of a third party applet, the apparatus comprising:
the public-private key pair generation module is configured to generate a public-private key pair;
the public key reporting module is configured to send the public key in the public-private key pair to the first party client;
the login processing module is configured to receive a login success response sent by the first party client;
the resource request module is configured to sign the service parameters by utilizing the private key in the public-private key pair; a service data request is sent to a first party client, wherein the service data request carries service parameters signed by the private key;
and the resource data receiving module is configured to receive response data sent by the first party client.
According to a sixth aspect, there is provided a service providing apparatus of a third party applet, the apparatus comprising:
the public key forwarding module is configured to receive a public key sent by the third party client; transmitting the public key to a second party server;
the session identification processing module is configured to receive a session identification SessionID sent by the second party server and cache the session identification SessionID;
the service data request processing module is configured to receive a service data request sent by a third party client, wherein the service data request carries service parameters signed by the private key, and the service data request carrying the SessionID and the service parameters signed by the private key is sent to a second party server;
and the response data forwarding module is configured to receive response data sent by the second party server and send the response data to the third party client.
According to a seventh aspect, there is provided a computing device comprising a memory having executable code stored therein and a processor which, when executing the executable code, implements a method as described in any of the embodiments of the present specification.
In the service providing method and device of the third party applet provided in the embodiments of the present disclosure, a third party client generates a public-private key pair, and the third party client stores a private key. In the first stage, namely the stage of initiating login by the third party client, the third party client can upload the public key to the second party server through the first party client, so that the second party server obtains the public key information of the third party client initiating login. After that, when the second phase, i.e. the third party client requests the resource data, the second party server acquires the signed service parameters from the current third party client from the service data request, if the second party server can successfully verify the signed service parameters acquired in the second phase by using the public key acquired in the first phase, the third party client initiating login in the first phase and the third party client acquiring the resource data in the second phase are the same client, and the situation that the resource data is leaked is not caused, so that the response data is sent to the third party client requesting the resource data through the first party client, and if the signature verification cannot be successfully performed, the third party client initiating login in the first phase and the third party client acquiring the resource data in the second phase are not the same client, and if the response data is provided, the situation that the resource data is leaked is caused, and therefore the response data is not sent to the third party client requesting the resource data through the third party client. Therefore, the method of the embodiment of the specification completes a more complete verification process for the identity of the third party client, and the security of the service providing process of the third party applet is greatly improved.
In addition, the method and the device of the embodiment of the specification sign the service parameters by using the private key, prevent the service parameters from being stolen at will, prevent the boundary disorder between the third party servers, and be more beneficial to the isolation protection of the third party resources, thereby ensuring the long-term safe operation of the future third party applet.
Detailed Description
The following describes the scheme provided in the present specification with reference to the drawings.
It is first noted that the terminology used in the embodiments of the invention is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. As used in this application and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise.
It should be understood that the term "and/or" as used herein is merely one relationship describing the association of the associated objects, meaning that there may be three relationships, e.g., a and/or B, may represent: a exists alone, A and B exist together, and B exists alone. In addition, the character "/" herein generally indicates that the front and rear associated objects are an "or" relationship.
For ease of understanding the methods provided in this specification, a description of the system architecture to which this specification relates and applies is first provided. As shown in fig. 1, the system architecture mainly includes 5 network nodes: the system comprises a third party client (namely an application end of a third party applet loaded on the terminal equipment), a third party server (namely a server for providing service resources for the third party applet), a second party server (for the sake of safety and for isolating a first party server from the third party server), a first party client (namely an application end of a host program loaded on the terminal equipment) and a first party server (namely a server for providing service for the host program).
Wherein the third party client and the first party client are both installed and operate in a terminal device, which may include, but is not limited to, such as: intelligent mobile terminals, intelligent home devices, network devices, wearable devices, intelligent medical devices, PCs (personal computers), etc. Wherein the smart mobile device may comprise a mobile phone, tablet, notebook, PDA (personal digital assistant), internet car, etc. The smart home devices may include smart home devices such as smart televisions, smart air conditioners, smart water heaters, smart refrigerators, smart air cleaners, etc., and may also include smart door locks, smart sockets, smart lights, smart cameras, etc. The network devices may include, for example, switches, wireless APs, servers, etc. Wearable devices may include devices such as smart watches, smart glasses, smart bracelets, virtual reality devices, augmented reality devices, mixed reality devices (i.e., devices that can support virtual reality and augmented reality), and so forth. Smart medical devices may include devices such as smart thermometers, smart blood pressure meters, smart blood glucose meters, and the like.
It should be understood that the number of various network nodes in fig. 1 is merely illustrative. Any number may be selected and deployed as desired for implementation.
The method of the embodiment of the present specification mainly relates to processing of the second party server, processing of the third party client, and processing of the first party client. The following is a description of various embodiments.
First, the processing in the second-party server is explained. Fig. 2 is a flowchart of a service providing method of a third party applet executed in a second party server in one embodiment of the present description. The execution subject of the method is a service providing device of a third party applet. The apparatus may be located in a second party server. It will be appreciated that the method may be performed by any apparatus, device, platform, cluster of devices, having computing, processing capabilities. Referring to fig. 2, the method includes:
step 201: the second party server obtains the public key sent by the first party client; the public key is a public key of a pair of public and private key pairs generated by a third party client and is sent to the first party client by the third party client.
Step 203: the second party server obtains an open authentication system identification (OpenID) and generates a session identification (SessionID).
Step 205: and the second party server establishes the corresponding relation among the public key, the OpenID and the SessionID.
Step 207: and the second party server receives a service data request sent by the first party client, wherein the service data request carries the SessionID and the service parameters signed by the private key in the public-private key pair.
Step 209: and the second party server searches a public key corresponding to the SessionID carried in the service data request according to the pre-established corresponding relation.
Step 211: and the second party server uses the searched public key to check the service parameters signed by the private key.
Step 213: after the second party server passes the verification, a service resource request is sent to the third party server, wherein the service resource request carries service parameters and OpenID corresponding to the SessionID carried in the service request.
Step 215: the second party server sends the response data returned by the third party server to the first party client, so that the first party client sends the response data to the third party client.
The flow shown in fig. 2 described above describes the processing in the second party server. Corresponding to the processing of the second party server shown in fig. 2, the third party client and the first party client also need to cooperate to complete corresponding processing.
The following describes a process corresponding to the second-party server shown in fig. 2, and a corresponding process performed in the third-party client. Fig. 3 is a flowchart of a service providing method of a third party applet executed in a third party client in one embodiment of the present description. The execution subject of the method is a service providing device of a third party applet. The apparatus may be located in a third party client. It will be appreciated that the method may be performed by any apparatus, device, platform, cluster of devices, having computing, processing capabilities. Referring to fig. 3, the method includes:
step 301: the third party client generates a public-private key pair;
step 303: the third party client sends the public key in the public-private key pair to the first party client;
step 305: the third party client receives a login success response sent by the first party client;
step 307: the third party client signs the service parameters by using a private key in the public-private key pair;
step 309: a third party client sends a service data request to a first party client, wherein the service data request carries service parameters signed by the private key;
step 311: the third party client receives response data sent by the first party client.
The following describes a process corresponding to the second-party server shown in fig. 2, and a corresponding process performed in the first-party client. Fig. 4 is a flowchart of a service providing method of a third party applet executed in a first party client in one embodiment of the present description. The execution subject of the method is a service providing device of a third party applet. The apparatus may be located in a first party client. It will be appreciated that the method may be performed by any apparatus, device, platform, cluster of devices, having computing, processing capabilities. Referring to fig. 4, the method includes:
step 401: the first party client receives a public key sent by the third party client;
step 403: the first party client sends the public key to the second party server;
step 405: the first party client receives the SessionID sent by the second party server and caches the SessionID;
step 407: the first party client receives a service data request sent by the third party client, wherein the service data request carries service parameters signed by the private key, and the service data request carrying the SessionID and the service parameters signed by the private key is sent to the second party server;
step 409: the first party client receives the response data sent by the second party server and sends the response data to the third party client.
As described above, in the related art, a situation in which service resources enjoyed by the third party applet are stolen often occurs, and thus security is greatly reduced. For example, on a platform of a host program, there are multiple clients of a third party applet (i.e., multiple third party clients), where the clients of the multiple third party applets all obtain service resources required by themselves through the same host program (i.e., the same first party client), so it is likely that the third party client a obtains a session SessionID that originally belongs to the third party client B, so that the third party client a obtains the service resources that should be provided to the third party client B. For another example, an attacker may also obtain service resources that should be originally provided to the third party client B by launching an attack. Therefore, the safety of the prior art needs to be improved.
In the embodiment of the present disclosure, in order to avoid the situation that the service resources enjoyed by the third party applet are stolen, it is required to ensure that the third party client that logs in to the connection at the beginning and the third party client that requests resources later are the same client. Therefore, referring to the flows shown in fig. 2, 3 and 4, in the method of the embodiment of the present disclosure, the third party client generates the public-private key pair, and the third party client stores the private key. In the first stage, namely the stage of initiating login by the third party client, the third party client can upload the public key to the second party server through the first party client, so that the second party server obtains the public key information of the third party client initiating login. After that, when the second phase, i.e. the third party client requests the resource data, the second party server acquires the signed service parameters from the current third party client from the service data request, if the second party server can successfully verify the signed service parameters acquired in the second phase by using the public key acquired in the first phase, the third party client initiating login in the first phase and the third party client acquiring the resource data in the second phase are the same client, and the situation that the resource data is leaked is not caused, so that the response data is sent to the third party client requesting the resource data through the first party client, and if the signature verification cannot be successfully performed, the third party client initiating login in the first phase and the third party client acquiring the resource data in the second phase are not the same client, and if the response data is provided, the situation that the resource data is leaked is caused, and therefore the response data is not sent to the third party client requesting the resource data through the third party client. Therefore, the method of the embodiment of the specification completes a more complete verification process for the identity of the third party client, and the security of the service providing process of the third party applet is greatly improved.
In addition, referring to the processes shown in fig. 2, fig. 3 and fig. 4, the method in the embodiment of the present disclosure signs the service parameters by using the private key, which prevents the service parameters from being stolen at will, prevents the boundary between the third party servers from being disordered, and is more conducive to the isolation and protection of the third party resources, thereby ensuring the long-term safe operation of the future third party applet.
In the process shown in fig. 2, 3 and 4, the second party server is caused to obtain the public key sent from the first party client in the first stage. In particular the number of the elements,
in the third party client, the process of sending the public key in the public-private key pair to the first party client in step 301 includes: a third party login request is sent to a first party client, the third party login request is used for requesting to establish session connection for the third party client, and the third party login request carries the public key and identity information of the third party client;
accordingly, in the first party client, the implementation process of the step 401 and the step 403 includes: the first party client receives a third party login request carrying the public key and the identity information of the third party client from the third party client, and sends the third party login request carrying the public key and the identity information of the third party client to the second party server;
correspondingly, in the second party server, the implementation process of obtaining the public key sent by the first party client in the step 201 includes: the second party server receives a third party login request sent by the first party client, wherein the third party login request is used for requesting to establish session connection for the third party client, and the third party login request carries the public key and identity information of the third party client; the second party server obtains the public key from the third party login request.
In the embodiment of the present specification, encryption transmission of the service parameter may be further implemented, so as to further improve security. The specific implementation method comprises the following steps:
in the second party server, after generating the SessionID in step 203 and before receiving the service data request sent by the first party client in step 207, the method further includes: the second party server generates a session key, wherein the session key is the same as the life cycle of the SessionID; transmitting the session key and the SessionID to the first party client;
then, in the first party client, in step 405, the first party client receives the session key sent by the second party server, and caches the session key; in step 407, before sending the service data request to the second party server, further comprising: the first party client encrypts service parameters in a service data request sent to the second party server by using the stored session key; that is, the service data request sent by the first party client to the second party server carries the encrypted service parameters;
and after the verification is passed, the second party server decrypts the encrypted service parameters in the service data request by using the session key before sending the service resource request to the third party server, so as to obtain the service parameters.
The following describes a flowchart of a service providing method of the third party applet in the embodiment of the present specification through cooperation of the parties in the system shown in fig. 1. Referring to fig. 5, the method includes:
step 500: the third party client generates a pair of public and private key pairs and stores the private keys therein.
Step 501: when the business service corresponding to the third party client is needed, the third party client sends a third party login request to the first party client, the third party login request is used for requesting to establish session connection for the third party client, and the third party login request carries the public key and identity information of the third party client.
For example, the third party client corresponds to a third party applet for processing the electricity charge of the user on the payment platform. The first party client corresponds to a host program of the payment facilitation platform. When a user needs to inquire the balance of the electric charge, the third party applet can be clicked, and a third party login request is sent to the first party client through the corresponding third party client.
Step 503: and the first party client sends the received third party login request to the second party server.
Step 505: the second party server acquires the public key and identity information of the third party client side currently requesting login from the third party login request, and stores the public key.
Step 507: the second party server sends a session update request carrying identity information of the third party client to the first party server.
Step 509: the first party server returns a token (token) corresponding to the current session to the second party server.
Step 511: the second party server requests OpenID from the first party server using token.
Step 513: and the first party server returns the OpenID corresponding to the current session to the second party server.
Step 515: the second side server generates a SessionID and a session key according to the received OpenID, and establishes a corresponding relation among the obtained public key, the OpenID and the SessionID.
Step 517: the second party server sends the SessionID and the session key to the first party client.
Step 519: the first party client caches the SessionID and the session key.
Step 521: the third party client signs the service parameters by using the private key in the public-private key pair, and sends a service data request to the first party client, wherein the service data request carries the service parameters signed by the private key.
Step 523: the first party client encrypts the service parameters by using the session key, and sends the service parameters after SessionID, encryption and private key signature to the second party server along with the service data request.
Step 525: and the second party server searches a public key corresponding to the SessionID carried in the service data request according to the pre-established corresponding relation, and uses the searched public key to check the service parameters after the private key is signed.
Step 527: after the verification is passed, the second party server decrypts the encrypted service parameters by using the session key, and then sends a service resource request to the third party server, wherein the service resource request carries the service parameters and the OpenID corresponding to the SessionID in the service data request.
Step 529: and the second party server sends the response data returned by the third party server to the first party client.
Step 531: the first party client sends the response data to the third party client.
In one embodiment of the present description, a service providing apparatus of a third party applet is provided, the apparatus being provided in a second party server. Referring to fig. 6, the apparatus includes:
a public key obtaining module 601 configured to obtain a public key sent from the first party client; the public key is a public key in a pair of public and private key pairs generated by a third party client, and the public key is sent to a first party client by the third party client;
an identifier obtaining module 602, configured to obtain an OpenID and generate a session identifier SessionID;
a correspondence establishing module 603, configured to establish a correspondence among the public key, openID and SessionID;
a service parameter processing module 604, configured to receive a service data request sent by a first party client, where the service data request carries the SessionID and a service parameter signed by a private key in the public-private key pair; searching a public key corresponding to the SessionID carried in the service data request according to the pre-established corresponding relation; signing the service parameters signed by the private key by using the searched public key;
the resource obtaining module 605 is configured to send a service resource request to a third party server after the verification is passed, where the service resource request carries an OpenID corresponding to the SessionID carried in the service request;
the response data processing module 606 is configured to send response data returned by the third party server to the first party client, so that the first party client sends the response data to the third party client.
In one embodiment of the present description, the public key acquisition module 601 is configured to perform: receiving a third party login request sent by a first party client, wherein the third party login request is used for requesting to establish session connection for the third party client, and the third party login request carries the public key and identity information of the third party client; the public key is derived from the third party logging request.
In one embodiment of the present disclosure, the apparatus shown in fig. 6 further comprises: a session key issuing module (not shown in the figure) configured to perform: encrypting the SessionID by using the public key, and sending the encrypted SessionID to a first party client, so that the first party client can obtain the SessionID after private key decryption by interaction between the first party client and a third party client.
One embodiment of the present specification proposes a service providing apparatus of a third party applet, which is provided in a third party client. Referring to fig. 7, the apparatus includes:
a public-private key pair generation module 701 configured to generate a public-private key pair;
a public key reporting module 702 configured to send the public key of the public-private key pair to the first party client;
a login processing module 703, configured to receive a login success response sent from the first party client;
a resource request module 704 configured to sign the service parameter with a private key of the public-private key pair; a service data request is sent to a first party client, wherein the service data request carries service parameters signed by the private key;
the resource data receiving module 705 is configured to receive response data sent from the first party client.
In the embodiment of the present description apparatus shown in fig. 7, the public key reporting module 702 is configured to perform:
and when the business service corresponding to the third party client is needed, sending a third party login request to the first party client, wherein the third party login request is used for requesting to establish session connection for the third party client, and the third party login request carries the public key and identity information of the third party client.
One embodiment of the present specification proposes a service providing apparatus of a third party applet, which is provided in a first party client. Referring to fig. 8, the apparatus includes:
a public key forwarding module 801 configured to receive a public key sent from a third party client; transmitting the public key to a second party server;
a session identifier processing module 802, configured to receive a session identifier SessionID sent by the second party server, and cache the session identifier SessionID;
the service data request processing module 803 is configured to receive a service data request sent by a third party client, where the service data request carries a service parameter signed by using the private key, and send the service data request carrying the SessionID and the service parameter signed by using the private key to a second party server;
the response data forwarding module 804 is configured to receive response data sent by the second party server, and send the response data to the third party client.
An embodiment of the present specification provides a computer-readable storage medium having stored thereon a computer program which, when executed in a computer, causes the computer to perform the method of any of the embodiments of the specification.
An embodiment of the present specification provides a computing device including a memory having executable code stored therein and a processor that, when executing the executable code, performs a method of any of the embodiments of the present specification.
It should be understood that the structures illustrated in the embodiments of the present specification do not constitute a particular limitation on the apparatus of the embodiments of the present specification. In other embodiments of the specification, the apparatus may include more or less components than illustrated, or certain components may be combined, or certain components may be split, or different arrangements of components. The illustrated components may be implemented in hardware, software, or a combination of software and hardware.
In this specification, each embodiment is described in a progressive manner, and identical and similar parts of each embodiment are all referred to each other, and each embodiment mainly describes differences from other embodiments. In particular, for the device embodiments, since they are substantially similar to the method embodiments, the description is relatively simple, and reference is made to the description of the method embodiments in part.
Those skilled in the art will appreciate that in one or more of the examples described above, the functions described in the present invention may be implemented in hardware, software, a pendant, or any combination thereof. When implemented in software, these functions may be stored on or transmitted over as one or more instructions or code on a computer-readable medium.
The foregoing embodiments have been provided for the purpose of illustrating the general principles of the present invention in further detail, and are not to be construed as limiting the scope of the invention, but are merely intended to cover any modifications, equivalents, improvements, etc. based on the teachings of the invention.