CN120034367A - Unified authentication method and computer equipment based on Oauth authorization framework - Google Patents

Unified authentication method and computer equipment based on Oauth authorization framework

Info

Publication number: CN120034367A
Authority: CN (China)
Prior art keywords: user, unified, session, information, authorization code
Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN202510124362.XA
Other languages: Chinese (zh)
Inventors: 梁刘帅, 薛东, 张传升, 吉云, 王建, 黄成飞, 操刘阳
Current Assignee: Guoneng Information Control Technology Co ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Guoneng Information Control Technology Co ltd
Application filed by Guoneng Information Control Technology Co ltd
Priority to CN202510124362.XA (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Publication of CN120034367A

Abstract

Translated from Chinese


The present application provides a unified authentication method and computer device based on the Oauth authorization framework, which belongs to the field of computer technology. The method includes: responding to a portal system access request, determining whether there is a portal system session of the user; if not, jumping to the unified identity authentication system login page to obtain the user's login information, and calling the service interface of the unified identity authentication system so that the unified identity authentication system generates session information containing a unified authorization code; responding to an operation request containing a unified authorization code triggered by the user through the portal system, determining whether there is a target application system session of the user; if there is and the unified authorization code bound to the current session does not match the one in the operation request, or there is no target application system session of the user, calling the service interface to obtain user information according to the unified authorization code, and then creating a target application system session based on the user information. The above method realizes unified authentication of multiple systems, multiple clients and multiple applications.

Description

Unified authentication method based on Oauth authorization framework and computer equipment
Technical Field
The application belongs to the technical field of computers, and particularly relates to a unified authentication method based on an Oauth authorization framework, a front-end system of a portal system, a unified identity authentication system, computer equipment and a machine-readable storage medium.
Background
In the informatization development of enterprises and public institutions, more and more application systems are generated, and user authentication and access control function modules of the application systems are respectively planned in the decentralized construction process of the application systems. With the increasing number of application systems, on one hand, the conventional authentication method (such as a user name and a password) has a plurality of problems, such as password leakage, complex management and the like, and on the other hand, a portal system is used as an integrated platform of various information resources in an enterprise, and has gradually become an important component of enterprise informatization construction. Therefore, how to realize unified authentication of multiple systems, multiple applications and multiple clients becomes an important problem facing the informatization construction of the current enterprises.
Disclosure of Invention
The application aims to provide a unified authentication method based on an Oauth authorization framework, a front-end system of a portal system, a unified identity authentication system, computer equipment and a machine-readable storage medium, which are used for realizing unified authentication of multiple systems, multiple applications and multiple clients.
In order to achieve the above object, a first aspect of the present application provides a unified authentication method based on Oauth authorization framework, applied to a front-end system of a portal system, where the portal system includes a unified identity authentication system, a service interface provided by the unified identity authentication system is registered in advance to a service gateway of the portal system and issued, and a page of the front-end system is integrated with link entries of a plurality of application systems, the method includes:
responding to a portal system access request initiated by a user, and judging whether a portal system session of the user exists or not;
if the portal system session of the user is not available, jumping to a login page of a unified identity authentication system to acquire login information of the user, calling the service interface to enable the unified identity authentication system to check the login information, generating session information for establishing a session required by the user to access an application system after the login information passes the verification, returning a unified authorization code based on an Oauth authorization framework in the session information, and displaying a page of a front-end system;
Responding to an operation request containing the unified authorization code, which is triggered by the user through a link entry of a target application system, and judging whether the user has a target application system session;
and if the user's target application system session exists but the unified authorization code bound to the current session does not match the unified authorization code contained in the operation request, or the user has no target application system session, calling the service interface; and if the user information that the unified identity authentication system obtained according to the unified authorization code contained in the operation request is returned by the service interface, performing authentication based on the received user information and establishing the user's target application system session in response to the user's login request.
In a specific embodiment of the present application, generating session information for the establishment of a session required by the user to access the application system after the verification is passed includes:
According to the login information of the user and the user information registered by the user when registering on a login page of the unified identity authentication system, a unified authorization code based on an Oauth authorization framework is generated by adopting a preset password mode;
Session information for the establishment of a session required by the user to access the application system is generated, the session information comprising the unified authorization code, an access token and a refresh token.
The method in a specific embodiment of the application further comprises:
And if the target application system session of the user exists and the unified authorization code bound by the current session is matched with the unified authorization code contained in the operation request, jumping to an operation page of the target application system.
In a specific embodiment of the application, the method further comprises:
And if the user information or session time-out acquired by the unified identity authentication system according to the unified authorization code contained in the operation request and returned by the service interface is not received, jumping to a login page of the unified identity authentication system.
The second aspect of the present application provides a unified authentication method based on an Oauth authorization framework, which is applied to a unified identity authentication system of a portal system, wherein a service interface provided by the unified identity authentication system is registered in advance to a service gateway of the portal system and issued, the portal system comprises a front-end system, and a page of the front-end system is integrated with link entries of a plurality of application systems, and the method comprises:
receiving the login information that a user submits through the login page of the unified identity authentication system when the front-end system, responding to a portal system access request initiated by the user, has no portal system session of the user;
receiving a request for calling the service interface sent by a front-end system;
checking the login information and, if it passes verification, generating session information for establishing the session the user needs in order to access an application system, and transmitting the unified authorization code based on the Oauth authorization framework contained in the session information to the front-end system, so that the front-end system can display its own page, receive an operation request containing the unified authorization code that the user triggers through a link entry of a target application system, and judge whether the user has a target application system session;
Receiving a request for calling the service interface, which is sent by a front-end system when the front-end system has the target application system session of the user and the unified authorization code bound by the current session is not matched with the unified authorization code contained in the operation request or the front-end system does not have the target application system session of the user;
And acquiring user information according to the unified authorization code contained in the operation request, and transmitting the user information to the front-end system for the front-end system to perform the following processing based on the received user information, namely, authenticating and responding to the login request of the user to establish the target application system session of the user.
In a specific embodiment of the present application, generating session information for the establishment of a session required by the user to access the application system includes:
According to the login information of the user and the user information registered by the user when registering on a login page of the unified identity authentication system, a unified authorization code based on an Oauth authorization framework is generated by adopting a preset password mode;
Session information for the establishment of a session required by the user to access the application system is generated, the session information comprising the unified authorization code, an access token and a refresh token.
A third aspect of the present application provides a front-end system of a portal system, the portal system including a unified identity authentication system, a service interface provided by the unified identity authentication system being registered in advance with a service gateway of the portal system and issued, a page of the front-end system integrating link entries of a plurality of application systems, the front-end system including:
The first module is used for responding to a portal system access request initiated by a user and judging whether a portal system session of the user exists or not;
The second module is used for, when the portal system session of the user is not available, jumping to the login page of the unified identity authentication system to acquire the user's login information, calling the service interface so that the unified identity authentication system checks the login information and, after verification passes, generates session information for establishing the session the user needs in order to access an application system, returning the unified authorization code based on the Oauth authorization framework contained in the session information, and displaying the page of the front-end system;
A third module, configured to determine whether a target application system session of the user exists, in response to an operation request including the unified authorization code triggered by the user through a link entry of the target application system;
And a fourth module, configured to invoke the service interface when the unified authorization code bound to the current session does not match the unified authorization code contained in the operation request or the user's target application system session does not exist, and, if the user information that the unified identity authentication system acquired according to the unified authorization code contained in the operation request is returned by the service interface, to perform authentication based on the received user information and establish the user's target application system session in response to the user's login request.
A fourth aspect of the present application provides a unified identity authentication system, where a service interface provided by the unified identity authentication system is registered in advance with a service gateway of a portal system and issued, the portal system includes a front-end system, and a page of the front-end system is integrated with link entries of a plurality of application systems, and the unified identity authentication system includes:
a fifth module, configured to receive login information of a user, which is transmitted by the user through an internal login page when the front-end system responds to a portal system access request initiated by the user and does not have a portal system session of the user;
a sixth module for receiving a request for calling the service interface sent by the front-end system;
A seventh module, configured to verify the login information and, if verification passes, generate session information for establishing the session the user needs in order to access an application system, and transmit the unified authorization code based on the Oauth authorization framework contained in the session information to the front-end system, so that the front-end system can display its own page, receive an operation request containing the unified authorization code that the user triggers through a link entry of a target application system, and determine whether the user has a target application system session;
An eighth module, configured to receive a request for calling the service interface, which the front-end system sends when it has a target application system session of the user and the unified authorization code bound to the current session does not match the unified authorization code contained in the operation request, or when it does not have the target application system session of the user;
and a ninth module, configured to acquire user information according to the unified authorization code contained in the operation request and transmit it to the front-end system, so that the front-end system performs authentication based on the received user information and creates the user's target application system session in response to the user's login request.
A fifth aspect of the present application provides a computer apparatus comprising:
A memory configured to store instructions, and
A processor configured to invoke the instructions from the memory and when executing the instructions is capable of implementing a unified authentication method based on an Oauth authorization framework according to the first or second aspect of the application.
A sixth aspect of the present application provides a machine-readable storage medium having stored thereon instructions for causing a machine to perform a unified authentication method based on an Oauth authorization framework according to the first or second aspect of the present application.
According to the technical scheme, a unified authentication mechanism is established on the basis of the Oauth authorization framework when a portal system integrating a plurality of application systems is interfaced with the unified identity authentication system. The unified authorization code based on the Oauth authorization framework serves as the mark by which user identities are uniformly identified, and is used for application system session identification, application system session establishment and the like. Unified authentication of multiple systems, multiple applications and multiple clients is thereby realized; compared with decentralized construction and separate authentication of multiple application systems, repeated entry of account numbers and passwords is avoided, so that authentication efficiency is improved.
Additional features and advantages of embodiments of the application will be set forth in the detailed description which follows.
Drawings
The accompanying drawings are included to provide a further understanding of embodiments of the application and are incorporated in and constitute a part of this specification, illustrate embodiments of the application and together with the description serve to explain, without limitation, the embodiments of the application. In the drawings:
FIG. 1 schematically illustrates a first flowchart of a unified authentication method based on an Oauth authorization framework in accordance with an embodiment of the application;
FIG. 2 schematically illustrates a second flowchart of a unified authentication method based on an Oauth authorization framework, in accordance with an embodiment of the application;
FIG. 3 schematically illustrates a third flow chart of a unified authentication method based on an Oauth authorization framework in accordance with an embodiment of the application;
FIG. 4 schematically illustrates a fourth flowchart of a unified authentication method based on an Oauth authorization framework, in accordance with an embodiment of the application;
FIG. 5 schematically illustrates a fifth flow chart of a unified authentication method based on an Oauth authorization framework in accordance with an embodiment of the application;
Fig. 6 schematically shows a flowchart of a unified authentication method based on Oauth authorization framework in a specific application example;
FIG. 7 schematically illustrates a technical architecture of a portal system in a specific application example;
fig. 8 schematically shows a block diagram of a computer device according to an embodiment of the application.
Detailed Description
The following describes the detailed implementation of the embodiments of the present application with reference to the drawings. It should be understood that the detailed description and specific examples, while indicating and illustrating the application, are not intended to limit the application.
If "first", "second", etc. appear in an embodiment of the present application, they are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features referred to. Thus, a feature defined as "first" or "second" may explicitly or implicitly include at least one such feature. In addition, the technical solutions of the embodiments may be combined with each other, provided that the combination can be realized by those skilled in the art; when the technical solutions are contradictory or the combination cannot be realized, the combination should be considered absent and outside the scope of protection claimed in the present application.
Oauth authorization frameworks, such as Oauth2.0, etc., as an industrial-level authorization protocol, enable Internet users to authorize third-party websites or application services to access their information on a particular website without having to provide login account numbers and passwords to the third-party website or application service. An 'authorization server' is provided in the Oauth authorization framework, and after user authorization, the authorization server issues an access token to the third party application, so that resources stored on a specific resource server by a user can be accessed within a specific time through the token without providing a login account and a password to the third party application.
In order to realize unified authentication of multiple systems, multiple applications and multiple clients, the application provides a unified authentication method, and the unified authentication process of the method is realized on the basis of an Oauth authorization framework.
Example 1
Specifically, a unified authentication method based on Oauth authorization framework is applied to a front-end system of a portal system, the portal system comprises a unified identity authentication system, a service interface provided by the unified identity authentication system is registered in advance to a service gateway of the portal system and is released, a page of the front-end system is integrated with link entries of a plurality of application systems, wherein the portal system can be an enterprise portal system and the like, and the unified authentication method comprises the following contents:
responding to a portal system access request initiated by a user, and judging whether a portal system session of the user exists or not;
If the portal system session of the user is not available, jumping to the login page of the unified identity authentication system to acquire the user's login information, calling the service interface provided by the unified identity authentication system so that the unified identity authentication system checks the user's login information and, after verification passes, generates session information for establishing the session the user needs in order to access an application system, returning the unified authorization code based on the Oauth authorization framework contained in the session information, and displaying the page of the front-end system;
Responding to an operation request for the target application system triggered by the user through a link entry of the target application system, judging whether the target application system session of the user exists or not, wherein the operation request contains a unified authorization code returned in the last step;
If the user's target application system session exists but the unified authorization code bound to the current session does not match the unified authorization code contained in the operation request, or the user's target application system session does not exist, the service interface of the unified identity authentication system is called. If the user information that the unified identity authentication system obtained according to the unified authorization code contained in the operation request is returned by the service interface, the following processing is executed based on the received user information: identity authentication is performed, and a session between the user and the target application system (the user's target application system session) is created in response to the user's login request.
Specifically, the unified authorization code is generated on the basis of the Oauth authorization framework. Unlike the standard Oauth2.0 authorization code mode used when a single application system is connected directly to a unified identity authentication system, here a plurality of application systems are integrated through a portal system and the portal system is connected to the unified identity authentication system, so the standard Oauth2.0 mode and the like are not applicable; the authorization code under the Oauth authorization framework adopted by the application is therefore defined as the unified authorization code, indicating that access authorization is uniform across all application systems under the portal system. The target application system is the application system the user currently intends to access. The session information generated by the unified identity authentication system is the information for establishing the session the user needs in order to access application system resources; under the Oauth authorization framework it comprises the unified authorization code, an access token, a refresh token and the like.
In the embodiment, the service interface provided by the unified identity authentication system is registered in advance to the service gateway of the portal system and issued, the link entries of a plurality of application systems are integrated on the page of the portal system's front-end system, and a unified authentication mechanism for multiple systems, multiple applications and multiple clients is established on the basis of the Oauth authorization framework. The unified authorization code, generated by the unified identity authentication system after verifying the user's login information, is used as the mark identifying the user's identity for application system session identification, application system session establishment and the like; if the access token or similar in the session information were used as the identity mark instead, transmission would be inconvenient because access tokens are too long. On this basis, the application realizes unified authentication of multiple systems, multiple applications and multiple clients, provides effective identity support and security authentication protection for enterprise informatization construction, business system interconnection and the like, raises the security level, and at the same time greatly improves staff working efficiency, thereby reducing enterprise management cost.
As one example, a user may trigger a portal system access request by entering a portal system address at a browser or clicking on a portal system link at a client display page, or the like.
As one example, a user may trigger an operation request for a target application system containing a uniform authorization code by clicking on a link entry of the target application system on a front-end system page.
Optionally, after determining whether there is a portal system session of the user, the method further includes the steps of:
and if the portal system session of the user exists, displaying the page of the front-end system.
Optionally, the login page of the unified identity authentication system includes operation entries for registering an account, modifying the password and retrieving the password. After jumping to the login page of the unified identity authentication system, if the user has not registered an account, the user's information is saved once the user registers one; the user's login information is then obtained after the user logs in by entering the account and password, by scanning a code, or by short message.
Optionally, after determining whether there is a target application system session of the user, the method further includes the steps of:
If the target application system session of the user exists, and the unified authorization code bound by the current session is matched with the unified authorization code contained in the operation request, the operation page of the target application system is jumped to, so that the user can conveniently operate the target application system, and the resources of the target application system are accessed.
Optionally, after the service interface is invoked, if the user information obtained by the unified identity authentication system according to the unified authorization code contained in the operation request is not returned by the service interface, or the session has timed out, the front-end system jumps to the login page of the unified identity authentication system.
Fig. 1 schematically shows a flowchart of a unified authentication method based on Oauth authorization framework applied to a front-end system of a portal system according to an embodiment of the present application. As shown in fig. 1, the method may include steps 100 through 106.
Step 100, receiving a portal system access request initiated by a user.
In the application, a user triggers a portal system access request by inputting a portal system address in a browser or clicking a portal system link on a display page of a client side.
Step 102, when the portal system session of the user is provided, displaying the page of the front-end system, namely, the page of the front-end system is directly accessed by the user.
Step 104, receiving an operation request which is triggered by a user through a link entry of the target application system and contains a unified authorization code and is aimed at the target application system. The unified authorization code of the user is generated by the unified identity authentication system after checking login information transmitted through a login page of the unified identity authentication system before the current session of the user starts.
As one example, a user may trigger an operation request for a target application system containing a uniform authorization code by clicking on a link entry of the target application system on a page of the front-end system.
As one example, the operation request header contains a unified authorization code.
As an example, the unified authorization code is generated by employing a preset password pattern based on login information of a user and user information registered by the user at the time of login page registration of the unified identity authentication system. Preferably, the unified authorization code is of the UUID type, i.e. the unified authorization code is a unique identification code generated by a UUID generator.
As another example of generating the unified authorization code, a unified authorization code of the UUID type is generated in a preset password mode according to the user's account number, password, client id, client key, tenant id, authorization type and authorization parameter range. For example, the application service is based on the Spring framework, and the preset password mode is SpringSecurity + Jwt + Oauth2, where SpringSecurity refers to the Spring Security security framework, Jwt stands for JSON Web Token, a cross-domain authentication solution, and Oauth2 refers to the Oauth2.0 protocol. As mentioned above, the authorization type is the authorization type corresponding to the access rights to application system resources opened to the user, and the authorization parameter range is the authorization parameter range corresponding to those access rights.
And 106, when the target application system session of the user is provided and the unified authorization code bound by the current session is matched with the unified authorization code contained in the operation request received in the step 104, jumping to an operation page of the target application system, and thus completing access authentication of the user to the target application system.
As an example, to determine whether there is a target application system session for the user, the target application system intercepts the operation request to obtain the unified authorization code in the operation request header. In addition, the application also provides a unified authorization code acquisition mode when the application system cannot intercept the operation request, specifically, when the application system is integrated into the portal system, url is added with a fixed prefix, and redirection is carried out after the jump to the application system.
Fig. 2 schematically shows a flowchart of a unified authentication method based on Oauth authorization framework applied to a front-end system of a portal system according to another embodiment of the present application. As shown in fig. 2, the method may include steps 200 through 206.
Step 200, a portal system access request initiated by a user is received.
Step 202, when the user has no portal system session, jumping to the login page of the unified identity authentication system to obtain the user's login information and calling the service interface provided by the unified identity authentication system, so that the unified identity authentication system checks the login information, generates, once verification passes, the session information needed to establish the session through which the user accesses the application systems, and returns in that session information a unified authorization code based on the Oauth authorization framework and a preset security mechanism; then displaying a page of the front-end system. The generation of the unified authorization code is as described for the embodiment shown in Fig. 1.
Step 204, receiving an operation request for the target application system, triggered by the user through the link entry of the target application system and containing the unified authorization code.
Step 206, when the user has no target application system session, or has one whose bound unified authorization code does not match the unified authorization code contained in the operation request received in step 204, calling a service interface of the unified identity authentication system, receiving the user information that the unified identity authentication system obtained from the unified authorization code in the operation request and returned through the service interface, and then, based on the received user information, performing identity verification, responding to the user's login request, creating the user's target application system session, and jumping to an operation page of the target application system, which completes the user's access authentication to the target application system.
Fig. 3 schematically shows a flowchart of a unified authentication method based on Oauth authorization framework applied to a front-end system of a portal system according to another embodiment of the present application. As shown in fig. 3, the method may include steps 300 through 306.
Step 300, receiving a portal system access request initiated by a user.
Step 302, when the user's portal system session exists, displaying the page of the front-end system, i.e. the user enters the front-end system page directly.
Step 304, receiving an operation request for the target application system, triggered by the user through the link entry of the target application system and containing a unified authorization code. The unified authorization code of the user is generated by the unified identity authentication system, before the user's current session starts, after it has checked the login information submitted through the login page of the unified identity authentication system.
Step 306, when the user has no target application system session, or has one whose bound unified authorization code does not match the unified authorization code contained in the operation request received in step 304, calling a service interface of the unified identity authentication system and, on receiving the user information that the unified identity authentication system obtained from the unified authorization code in the operation request and returned through the service interface, performing identity authentication based on the received user information, responding to the user's login request, creating the user's target application system session, and jumping to an operation page of the target application system, which completes the user's access authentication to the target application system.
Fig. 4 schematically shows a flowchart of a unified authentication method based on Oauth authorization framework applied to a front-end system of a portal system according to another embodiment of the present application. As shown in fig. 4, the method may include steps 400 through 406.
Step 400, receiving a portal system access request initiated by a user.
Step 402, when the user has no portal system session, jumping to the login page of the unified identity authentication system to obtain the user's login information and calling the service interface provided by the unified identity authentication system, so that the unified identity authentication system checks the login information, generates, once verification passes, the session information needed to establish the session through which the user accesses the application systems, and returns in that session information a unified authorization code based on the Oauth authorization framework and a preset security mechanism; then displaying the page of the front-end system. The generation of the unified authorization code is as described for the embodiment shown in Fig. 1.
Step 404, receiving an operation request for the target application system, triggered by the user through the link entry of the target application system, containing the unified authorization code.
Step 406, when the user's target application system session exists and the unified authorization code bound to the current session matches the unified authorization code contained in the operation request received in step 404, jumping to the operation page of the target application system, which completes the user's access authentication to the target application system.
Embodiment two
Specifically, the unified authentication method based on the Oauth authorization framework is applied to the unified identity authentication system of a portal system. A service interface provided by the unified identity authentication system is registered in advance with the service gateway of the portal system and published; the portal system comprises a front-end system, and a page of the front-end system integrates the link entries of a plurality of application systems. As shown in Fig. 5, the unified authentication method includes the following steps 500 to 508.
Step 500, receiving login information that the user submits through the login page of the unified identity authentication system when the front-end system, responding to a portal system access request initiated by the user, finds no portal system session for that user.
Step 502, receiving a request, sent by the front-end system, to call the service interface of the unified identity authentication system.
Step 504, checking the received login information and, if it passes verification, generating the session information needed to establish the session through which the user accesses the application systems, and transmitting the unified authorization code based on the Oauth authorization framework contained in that session information to the front-end system, so that the front-end system can display its own page, receive the operation request described above containing the unified authorization code that the user triggers through the link entry of the target application system, and determine whether the user's target application system session exists.
Step 506, receiving a request to call the service interface of the unified identity authentication system, sent by the front-end system when the unified authorization code bound to the current session does not match the unified authorization code contained in the operation request, or when the user has no target application system session.
Step 508, obtaining user information according to the unified authorization code contained in the operation request and transmitting it to the front-end system, so that the front-end system can perform authentication based on the received user information and establish the user's target application system session in response to the user's login request.
As an example, the session information includes a unified authorization code, an access token and a refresh token, where the unified authorization code based on the Oauth authorization framework is generated under a preset security scheme from the login information of the user and the user information the user registered on the login page of the unified identity authentication system. Preferably, the unified authorization code is of UUID type, i.e. a unique identifier produced by a UUID generator.
As another example of generating the unified authorization code, a UUID-type unified authorization code is generated under a preset security scheme from the user's account, password, client id, client key (the OAuth client secret), tenant id, authorization type and authorization parameter range. For example, when the application service is based on the Spring framework and the Oauth authorization framework is OAuth 2.0, the preset security scheme is Spring Security + JWT + OAuth2, where Spring Security is the Spring Security framework, JWT (JSON Web Token) is a cross-domain authentication solution, and OAuth2 refers to the OAuth 2.0 protocol. As mentioned above, the authorization type (the OAuth grant type) corresponds to the access rights of the application system resources opened to the user, and the authorization parameter range (the OAuth scope) likewise corresponds to those access rights.
Optionally, the unified authorization code and the access token are persisted to a database, and the session information is stored locally, e.g. in local storage, for later use.
Alternatively, the unified authorization code is transmitted to the front-end system by GET or POST; in practice, POST may be used by default. With GET the code is carried in the URL, so the front-end system must then keep it out of any URL it exposes, as described in step S3 below.
Embodiment three
The embodiment of the application provides a unified authentication method based on the Oauth authorization framework, which comprises the following steps:
Step S1, the user enters the portal system address in a browser and is first redirected to the login page of the unified identity authentication system, where the user can also register an account, change a password, recover a password and so on.
In one practical application, when jumping to the unified identity authentication system, the base64-encoded redirect_url is appended to the URL as a query parameter, together with way=href (establishing the link between the current document and the referenced resource) and exitFlag=true (an exit flag); redirect_url defaults to the URL of the portal system. If no exitFlag=true parameter is present, the unified identity authentication system checks whether the cookie or local storage holds session information: if so, it jumps to redirect_url, otherwise it jumps to the login page.
Step S2, the user enters login information such as account and password on the login page of the unified identity authentication system to log in, or logs in by scanning a code, by SMS and so on.
Step S3, the unified identity authentication system checks the user's login information and, once verification passes, generates session information containing the unified authorization code, the access token, the refresh token and so on. In this embodiment the unified authorization code is named iamCode, the access token access_token and the refresh token refresh_token; iamCode and access_token are persisted to a database in one-to-one correspondence, and the session information is stored in local storage for later use. The unified identity authentication system then transmits iamCode to the front-end system of the portal system by GET or POST, POST being the default. In POST mode the code is submitted as a form; in GET mode iamCode is appended directly to the decoded redirect_url, i.e. iamCode=xxx is spliced after the decoded redirect_url. The front-end system of the portal system stores the received iamCode, which must not appear in the URL.
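The unified identity authentication system side of steps 500 to 508 of Embodiment two and of steps S1 to S3 above, written out as an added Python example (it is not code from the patent): it builds the login URL with the base64 redirect_url, way=href and exitFlag parameters, applies the exitFlag decision, verifies the login information, mints a UUID iamCode together with access_token and refresh_token, persists the iamCode to access_token mapping one-to-one, delivers the code by POST (form) or GET (appended to the decoded redirect_url), and resolves an iamCode back to user information. The hostnames, the login-page path, the in-memory dicts standing in for the database and local storage, the salted password hashing and the allow-list on redirect_url hosts are assumptions added here; the patent names none of them.

```python
"""IAM (unified identity authentication system) side of the iamCode flow.

Added example, not the patent's code. In-memory dicts replace the database and
local storage; hostnames, the login-page path and the form field name are illustrative.
"""
import base64
import hashlib
import secrets
import uuid
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

IAM_LOGIN_PAGE = "https://iam.example/login"      # assumption
PORTAL_URL = "https://portal.example/"            # assumption: the default redirect_url
ALLOWED_REDIRECT_HOSTS = {"portal.example"}       # added hardening, not in the patent


def encode_redirect_url(url: str) -> str:
    return base64.b64encode(url.encode()).decode()


def decode_redirect_url(b64: str) -> str:
    """Decode redirect_url and refuse hosts outside the portal (open-redirect guard)."""
    url = base64.b64decode(b64).decode()
    if urlsplit(url).hostname not in ALLOWED_REDIRECT_HOSTS:
        raise ValueError("redirect_url host not allowed")
    return url


def build_iam_entry_url(redirect_url: str = PORTAL_URL, exit_flag: bool = True) -> str:
    """S1: portal -> IAM jump with base64 redirect_url, way=href and optionally exitFlag=true."""
    params = {"redirect_url": encode_redirect_url(redirect_url), "way": "href"}
    if exit_flag:
        params["exitFlag"] = "true"
    return IAM_LOGIN_PAGE + "?" + urlencode(params)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(password: str, **profile) -> dict:
    """Constructed user record holding a salted password hash, never the plaintext."""
    salt = secrets.token_bytes(16)
    return {"salt": salt, "pw_hash": hash_password(password, salt), **profile}


@dataclass
class SessionInfo:
    iam_code: str        # unified authorization code (UUID)
    access_token: str
    refresh_token: str


@dataclass
class IamServer:
    users: dict                                          # account -> make_user(...)
    code_to_token: dict = field(default_factory=dict)    # iamCode -> access_token, 1:1 (the "database")
    token_to_user: dict = field(default_factory=dict)    # access_token -> user info

    def entry(self, url: str, has_iam_session: bool) -> str:
        """S1 decision: without exitFlag=true and with an IAM session already present,
        return straight to redirect_url (default: the portal); otherwise show the login page."""
        qs = parse_qs(urlsplit(url).query)
        if qs.get("exitFlag", [""])[0] != "true" and has_iam_session:
            b64 = qs.get("redirect_url")
            return decode_redirect_url(b64[0]) if b64 else PORTAL_URL
        return "login_page"

    def login(self, account: str, password: str) -> Optional[SessionInfo]:
        """S2/S3, step 504: verify login information, mint session information,
        persist iamCode <-> access_token one-to-one."""
        user = self.users.get(account)
        if user is None or not secrets.compare_digest(user["pw_hash"], hash_password(password, user["salt"])):
            return None
        info = SessionInfo(iam_code=str(uuid.uuid4()),
                           access_token=secrets.token_urlsafe(32),
                           refresh_token=secrets.token_urlsafe(32))
        self.code_to_token[info.iam_code] = info.access_token
        self.token_to_user[info.access_token] = {"account": account, "tenant_id": user.get("tenant_id")}
        return info

    def deliver_code(self, info: SessionInfo, redirect_url_b64: str, mode: str = "post") -> dict:
        """S3: hand iamCode to the portal front-end. POST = submitted as a form (default);
        GET = iamCode=... appended to the decoded redirect_url, so it shows up in the URL."""
        target = decode_redirect_url(redirect_url_b64)
        if mode == "post":
            return {"method": "POST", "action": target, "form": {"iamCode": info.iam_code}}
        sep = "&" if urlsplit(target).query else "?"
        return {"method": "GET", "location": f"{target}{sep}iamCode={info.iam_code}"}

    def get_user_info(self, iam_code: str) -> Optional[dict]:
        """Step 508: the service interface the front-end calls to resolve iamCode -> user info."""
        token = self.code_to_token.get(iam_code)
        return None if token is None else self.token_to_user.get(token)
```

The GET branch shows why the patent defaults to POST: the code lands in the redirect URL and from there in browser history, Referer headers and access logs. The host allow-list in decode_redirect_url is an addition; since redirect_url is caller-supplied, an IAM that redirects to it unchecked would follow any destination the link carried.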
Step S4, the user clicks the link entry of the target application system on the front-end system page; for example, each link entry may be displayed under the module name defined for each application system, or all menus of each application system may be displayed in the menu bar on the left of the front-end system page. Clicking the link entry of the target application system generates an operation request for the target application system whose request header carries iamCode, and the request jumps to the target application system. Preferably, iamCode is transmitted in the request header as a key-value pair whose key is iamCode and whose value is the iamCode.
Step S5, the target application system intercepts the operation request, reads iamCode from the request header and determines whether an application system session exists for the user.
If such a session exists, the target application system checks whether the iamCode bound to the current application session id matches the one in the operation request. If it matches, the target application system jumps to its operation page and displays it. If it does not match, the session is cleared, user information is obtained according to iamCode and authenticated through the service gateway; after authentication passes the flow jumps to the login page of the unified identity authentication system, the user logs in there, the front-end system creates a session between the user and the target application system, and the session id of the created session is bound to iamCode and stored in local storage, a cookie or session storage.
If no application system session exists for the user, user information is obtained according to iamCode and authenticated through the service gateway; after authentication passes the flow jumps to the login page of the unified identity authentication system, the user logs in there, the front-end system creates a session between the user and the target application system, and the session id of the created session is bound to iamCode and stored in local storage, a cookie or session storage.
If obtaining the user information fails or the session has timed out, the existing session is cleared, the flow jumps to the login page of the unified identity authentication system, and execution returns to step S2.
When the flow jumps to the login page of the unified identity authentication system after authentication has passed, no redirect_url or other parameters need to be appended to the URL: with no exitFlag=true present, the unified identity authentication system finds the existing session information and returns to the default redirect_url, as described under step S1.
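The application-side decision of steps 104/106, 206, 306 and 406 and of steps S4 to S5 above, as an added Python example (not the patent's code). It reads iamCode from the request header, checks whether an application session exists and whether the iamCode bound to it matches, clears a timed-out or mismatched session, resolves the code through the service interface of the unified identity authentication system and creates a fresh session bound to the code. The call to the unified identity authentication system is injected as a callable; the fixed prefix "/portal-entry", reading iamCode from the query string in that fallback, the 1800-second timeout and the in-memory session store are assumptions (the patent gives no values), and the detour via the login page of the unified identity authentication system after a successful lookup, which under step S1 returns immediately when that system's session exists, is collapsed into the lookup itself.

```python
"""Target-application-side interception (step 106 / S5): bind the app session to iamCode.

Added example, not the patent's code. The IAM service interface is passed in as a
callable; sessions, ids and timestamps live in memory. FIXED_PREFIX, the query-string
fallback and SESSION_TTL are assumptions; the patent names no values for them.
"""
import uuid
from dataclasses import dataclass, field
from typing import Callable, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

FIXED_PREFIX = "/portal-entry"   # assumption: prefix marking a portal entry the app cannot intercept
SESSION_TTL = 1800               # seconds; assumption, the patent only says "session timeout"


@dataclass
class AppSession:
    user: dict
    iam_code: str      # unified authorization code this session id is bound to
    created_at: float


@dataclass
class AppSystem:
    fetch_user_info: Callable[[str], Optional[dict]]     # IAM service interface (step 508)
    sessions: dict = field(default_factory=dict)         # session id -> AppSession

    def extract_iam_code(self, headers: dict, url: str) -> Tuple[Optional[str], Optional[str]]:
        """Prefer the iamCode request header (S4). Otherwise accept the fixed-prefix URL
        form and return the path to redirect to once the prefix is stripped."""
        code = headers.get("iamCode")
        if code:
            return code, None
        parts = urlsplit(url)
        if parts.path.startswith(FIXED_PREFIX + "/"):
            code = parse_qs(parts.query).get("iamCode", [None])[0]
            return code, parts.path[len(FIXED_PREFIX):]
        return None, None

    def handle(self, session_id: Optional[str], headers: dict, url: str, now: float) -> dict:
        """Decide between entering the operation page and sending the user back to IAM login."""
        code, redirect = self.extract_iam_code(headers, url)
        if not code:
            return {"action": "login"}                    # nothing to authenticate with
        sess = self.sessions.get(session_id)
        if sess is not None and now - sess.created_at > SESSION_TTL:
            del self.sessions[session_id]                 # timed out: clear and re-authenticate
            sess = None
        if sess is not None and sess.iam_code == code:
            return {"action": "enter", "session_id": session_id, "redirect": redirect}
        if sess is not None:
            del self.sessions[session_id]                 # bound to a different iamCode: drop it
        user = self.fetch_user_info(code)
        if user is None:
            return {"action": "login"}                    # unknown or expired code: back to S2
        new_id = uuid.uuid4().hex                         # fresh id, never the old one
        self.sessions[new_id] = AppSession(user=user, iam_code=code, created_at=now)
        return {"action": "enter", "session_id": new_id, "redirect": redirect}
```

Rebinding always issues a new session id rather than attaching the new iamCode to the old one, so a session id captured before the code changed cannot ride along into the new identity; the mismatch branch is where a stale or foreign session gets cut off.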
Fig. 6 shows a practical implementation of the third embodiment, where the workbench shown in fig. 6 is a front-end system of a portal system, the service system represents an application system integrated with the portal system, and the IAM represents a unified identity authentication system.
Corresponding to the unified authentication method based on the Oauth authorization framework in the foregoing embodiment, the present application further provides a front-end system of a portal system, where the portal system includes a unified identity authentication system, a service interface provided by the unified identity authentication system is registered in advance to a service gateway of the portal system and issued, a page of the front-end system is integrated with link entries of a plurality of application systems, and the front-end system includes:
The first module is used for responding to a portal system access request initiated by a user and judging whether a portal system session of the user exists or not;
The second module is used, when the user has no portal system session, for jumping to the login page of the unified identity authentication system to obtain the user's login information, calling the service interface so that the unified identity authentication system checks the login information and, once verification passes, generates the session information needed to establish the session through which the user accesses the application systems and returns in it a unified authorization code based on the Oauth authorization framework, and then displaying a page of the front-end system;
A third module, configured to determine whether a target application system session of the user exists, in response to an operation request including the unified authorization code triggered by the user through a link entry of the target application system;
And a fourth module, configured to invoke the service interface when the user has a target application system session whose bound unified authorization code does not match the unified authorization code contained in the operation request, or has no target application system session, and, on receiving the user information that the unified identity authentication system obtained from the unified authorization code in the operation request and returned through the service interface, to perform identity verification based on the received user information and establish a session between the user and the target application system in response to the user's login request.
As an embodiment of the present application, the front-end system of the portal system may implement the embodiment shown in fig. 1 and other related method embodiments in the present application.
The process of implementing respective functions by each module in the front-end system of the portal system provided in the embodiment of the present application may refer to the foregoing description of the embodiment shown in fig. 1 and other related method embodiments, which are not repeated herein.
It should be noted that, because the content of information interaction and execution process between the modules and the embodiment of the method of the present application are based on the same concept, specific functions and technical effects thereof may be referred to in the method embodiment section, and details thereof are not repeated herein. Furthermore, the modules described above may be implemented on a computing device that includes a memory and a processor.
Corresponding to the unified authentication method based on the Oauth authorization framework in the foregoing embodiment, the present application further provides a unified identity authentication system, where a service interface provided by the unified identity authentication system is registered in advance with a service gateway of a portal system and issued, the portal system includes a front-end system, and a page of the front-end system is integrated with link entries of a plurality of application systems, and the unified identity authentication system includes:
a sixth module for receiving a request for calling the service interface sent by the front-end system;
A seventh module, configured to verify the login information and, if verification passes, generate the session information needed to establish the session through which the user accesses the application systems and transmit the unified authorization code based on the Oauth authorization framework contained in that session information to the front-end system, so that the front-end system can display its own page, receive the operation request containing the unified authorization code that the user triggers through the link entry of the target application system, and determine whether the user's target application system session exists;
An eighth module, configured to receive a request to call the service interface, sent by the front-end system when the user has a target application system session whose bound unified authorization code does not match the unified authorization code contained in the operation request, or has no target application system session;
and a ninth module, configured to acquire user information according to the unified authorization code included in the operation request, and transmit the user information to the front-end system, so that the front-end system performs, based on the received user information, authentication, and creates a target application system session of the user in response to the login request of the user.
As an embodiment of the present application, the unified identity authentication system may implement the embodiment shown in Fig. 5 and other related method embodiments of the present application.
The process of implementing respective functions by each module in the unified identity authentication system provided in the embodiment of the present application may refer to the foregoing description of the embodiment shown in fig. 5 and other related method embodiments, which are not described herein again.
It should be noted that, because the content of information interaction and execution process between the modules and the embodiment of the method of the present application are based on the same concept, specific functions and technical effects thereof may be referred to in the method embodiment section, and details thereof are not repeated herein. Furthermore, the modules described above may be implemented on a computing device that includes a memory and a processor.
Fig. 7 is a technical architecture diagram of a portal system in practical application; service system 1, service system 2 and service system 3 in Fig. 7 are different application systems in the sense of the foregoing embodiments. An application system can be integrated with the portal system in either of two ways: integrating only the name of the application system into the portal system, so that clicking the application system opens it in a new tab page whose style may differ from that of the portal system; or integrating all menus of the application system into the portal system in an iframe, excluding the permission menu. The security framework of the portal system, including the unified identity authentication system, can be Spring Security, a powerful and flexible framework that supports authentication by user password, OIDC, SAML2 and other means and supports role-based access control (RBAC); it is wrapped in the OAuth 2.0 open standard protocol, uses the iamCode mechanism for system integration, and uses JWT for cross-domain identity authentication, drawing on JWT's properties of being cross-language, concise, self-contained, extensible and cross-domain.
Fig. 8 schematically shows a block diagram of a computer device according to an embodiment of the application. In one embodiment, as shown in FIG. 8. The computer apparatus includes a processor a01, a network interface a02, a display screen a04, an input device a05, and a memory (not shown in the figure) which are connected through a system bus. Wherein the processor a01 of the computer device is adapted to provide computing and control capabilities. The memory of the computer device includes an internal memory a03 and a nonvolatile storage medium a06. The nonvolatile storage medium a06 stores an operating system B01 and a computer program B02. The internal memory a03 provides an environment for the operation of the operating system B01 and the computer program B02 in the nonvolatile storage medium a06. The network interface a02 of the computer device is used for communication with an external terminal through a network connection. The computer program, when executed by the processor a01, implements a unified authentication method based on the Oauth authorization framework. The display screen a04 of the computer device may be a liquid crystal display screen or an electronic ink display screen, and the input device a05 of the computer device may be a touch layer covered on the display screen, or may be a key, a track ball or a touch pad arranged on a casing of the computer device, or may be an external keyboard, a touch pad or a mouse.
It will be appreciated by those skilled in the art that the structure shown in FIG. 8 is merely a block diagram of some of the structures associated with the present inventive arrangements and is not limiting of the computer device to which the present inventive arrangements may be applied, and that a particular computer device may include more or fewer components than shown, or may combine some of the components, or have a different arrangement of components.
In one embodiment, the present application also provides a machine-readable storage medium having stored thereon a computer program which, when executed by a processor, implements the unified authentication method based on the Oauth authorization framework in the above embodiments.
The apparatus embodiments described above are merely illustrative; units described as separate components may or may not be physically separate, and components shown as units may or may not be physical units, i.e. they may be located in one place or distributed over a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art will understand and implement this without undue burden.
It will be appreciated by those skilled in the art that embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof are intended to cover a non-exclusive inclusion, such that a process, method, article or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of other like elements in the process, method, article or apparatus that comprises the element.
It should be noted that the above-mentioned embodiments are merely for illustrating the technical solution of the present application, and not for limiting the same, and although the present application has been described in detail with reference to the above-mentioned embodiments, it should be understood by those skilled in the art that the technical solution described in the above-mentioned embodiments may be modified or some technical features may be equivalently replaced, and these modifications or substitutions do not make the essence of the corresponding technical solution deviate from the spirit and scope of the technical solution of the embodiments of the present application.

Claims (10)

Application CN202510124362.XA, filed 2025-01-26 (priority date 2025-01-26): Unified authentication method and computer equipment based on Oauth authorization framework. Status: pending.

Publication CN120034367A, published 2025-05-23. Family ID: 95733962. Country: CN.
Legal Events

PB01: Publication
SE01: Entry into force of request for substantive examination