
CN119484033A - A multi-mode unified identity authentication method based on OAuth2.0 technology - Google Patents

A multi-mode unified identity authentication method based on OAuth2.0 technology

Info

Publication number
CN119484033A
Authority
CN
China
Prior art keywords
authentication
user
authorization
mode
unified
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202411485493.2A
Other languages
Chinese (zh)
Inventor
徐阳旦
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Unicloud Technology Co Ltd
Original Assignee
Unicloud Technology Co Ltd


Classifications

    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
            • H04L9/40 Network security protocols
          • H04L63/00 Network architectures or network communication protocols for network security
            • H04L63/04 ... for providing a confidential data exchange among entities communicating through data packet networks
              • H04L63/0428 ... wherein the data content is protected, e.g. by encrypting or encapsulating the payload
                • H04L63/0442 ... wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
            • H04L63/08 ... for authentication of entities
              • H04L63/0807 ... using tickets, e.g. Kerberos
              • H04L63/0815 ... providing single-sign-on or federations
            • H04L63/10 ... for controlling access to devices or network resources
              • H04L63/105 Multiple levels of security
            • H04L63/14 ... for detecting or protecting against malicious traffic
              • H04L63/1408 ... by monitoring network traffic
                • H04L63/1425 Traffic logging, e.g. anomaly detection
            • H04L63/20 ... for managing network security; network security policies in general
              • H04L63/205 ... involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved
          • H04L2463/00 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
            • H04L2463/082 ... applying multi-factor authentication
    • G PHYSICS
      • G06 COMPUTING OR CALCULATING; COUNTING
        • G06F ELECTRIC DIGITAL DATA PROCESSING
          • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
            • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
              • G06F21/31 User authentication
                • G06F21/33 User authentication using certificates
              • G06F21/45 Structures or tools for the administration of authentication

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computing Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

The invention provides a multi-mode unified identity authentication method based on OAuth2.0. A unified organization and user management system is built on the OAuth2.0 protocol and integrates modules for unified account, authorization, authentication, application and audit management. Application systems are given single sign-on, secure access and centralized control through several preset authentication and authorization modes: authorization code mode, implicit mode, password mode and client mode. Through a centralized platform for digital identity management, authentication, authorization, monitoring and audit, the method ensures that legitimate users access trusted systems and devices with appropriate permissions, raises real-time alerts on abnormal access behaviour and guards against it, and provides comprehensive security services and support for application systems and their operators, improving the user experience while reducing the operation and maintenance workload.

Description

Multi-mode unified identity authentication method based on OAuth2.0 technology
Technical Field
The invention belongs to the technical field of computers, and in particular relates to a multi-mode unified identity authentication method based on OAuth2.0 technology.
Background
Organizations in many fields are rapidly becoming digital, mobile and interconnected, and keep adding management systems to meet the needs of informatization. The resulting information environment is large and complex: there are many business management systems, the application systems are relatively isolated, business collaboration between them is difficult, the systems do not communicate, and account permissions are not uniform, so users must enter a different account and password to log in to each business system. The application systems form vertical silos, fragmentation is severe, cross-system coordination is weak, and many sets of user names and passwords accumulate. Non-standard user management of this kind also poses challenges for information security management.
Disclosure of Invention
In view of the above, the present invention is directed to a multi-mode unified identity authentication method based on OAuth2.0 technology, so as to solve at least one of the problems described in the background art.
To achieve this purpose, the technical scheme of the invention is realized as follows:
A multi-mode unified identity authentication method based on OAuth2.0 technology, characterized in that:
a unified organization and user management system is constructed on the basis of the OAuth2.0 protocol, wherein the organization and user management system integrates unified account, authorization, authentication, application and audit management modules; and
single sign-on, secure access and centralized management and control are provided to application systems according to a plurality of preset authentication and authorization modes, wherein the preset authentication and authorization modes comprise an authorization code mode, an implicit mode, a password mode and a client mode.
Further, when the preset authentication and authorization mode is the authorization code mode, the authorized login process includes the following steps:
the user accesses the application system, and the application system, carrying the authorization code, requests an access token from the authentication service;
the authentication service verifies the authorization code and, if verification passes, returns an access token;
the application system, carrying the access token, requests the user information from the authentication service;
after receiving the user information, the application system completes the login and returns the user to the system page.
Further, when the user accesses the application system without being logged in, the system redirects the user to the authentication and authorization page of the unified authentication service; if the user has not yet authorized, the user is redirected to the unified authentication login page, fills in the authentication credentials, submits them and authorizes, whereupon the authentication service redirects back to the application system and returns an authorization code.
Further, when the preset authentication and authorization mode is the implicit mode, the authorized login process includes the following steps:
the user requests authentication and authorization from the authentication service; if the user has not yet authorized, the user is redirected to the unified authentication login page, fills in the authentication credentials, submits them and authorizes;
after the authentication service passes the verification, the access token is returned to the front-end application;
the front-end application, carrying the access token, requests the user information from the authentication service;
the client receives the user information returned by the authentication service, completes the login and returns the user to the system page.
Further, when the preset authentication and authorization mode is the password mode, the authorized login process includes the following steps:
the user accesses the application system; if the user is not logged in, the application system's own login page is returned, and the user fills in the authentication credentials and submits them to the application system;
the application system, carrying the user's authentication credentials, requests authentication and authorization from the authentication service; after the authentication service's check passes, an access token is returned to the application system;
the application system, carrying the access token, requests the user information from the authentication service;
the application system receives the user information returned by the authentication service, completes the login and returns the user to the system page.
Further, when the preset authentication and authorization mode is the client mode, the application service invokes the system-level API authentication of the unified authentication platform; after an application is created it can choose whether to enable the system API, and once enabled it is allocated a client_id and client_secret for invoking the system-level API, with which it performs client mode authentication.
Further, when the preset authentication and authorization mode is the client mode, the authorized login procedure includes the following steps:
the application system, carrying the allocated system API client_id and client_secret, requests authentication from the authentication service;
the authentication service returns an access token after authentication succeeds;
the application system, carrying the access token, calls a system-level API of the authentication service;
the authentication service checks the access token, executes the system API business logic after the check succeeds, and returns the API interface data.
Further, the method may further comprise performing multi-factor authentication during the authentication process, wherein the multi-factor authentication comprises verification of the user credentials and verification of a second authentication factor, such as an SMS verification code, a hardware token or biometric data.
Further, the method comprises encrypting the access token for transmission and storage, using an asymmetric encryption algorithm to protect the token.
Further, the access token carries a dynamic authority management function, whereby the authority can be adjusted dynamically according to the user's operation behaviour, geographic location or the time of access;
the method also comprises a life cycle management step for the access token, wherein the token is renewed through a token refresh mechanism before it expires, so that the user does not have to log in frequently.
Compared with the prior art, the multi-mode unified identity authentication method based on OAuth2.0 technology has the following beneficial effects:
(1) Through the unified authentication platform it gives every application a unified entry point and a unified identity authentication capability. Through the centralized platform for digital identity management, authentication, authorization, monitoring and audit it ensures that legitimate users access trusted systems and devices with appropriate authority, raises real-time alerts on abnormal access behaviour and guards against it, provides comprehensive security services and support for application systems and their operators, and reduces the operation and maintenance workload while improving the user experience;
(2) Multi-factor authentication markedly improves the reliability of user identity authentication and prevents the security problems caused by password leakage. Several kinds of second factor are supported, so a user can choose a suitable one, and the multi-factor step is integrated seamlessly into the OAuth2.0 authentication flow without affecting the existing system architecture;
(3) Encrypting the token for transmission and storage protects it against interception, tampering and replay. Asymmetric encryption simplifies the secure management and distribution of keys, improving the security and maintainability of the system, and because the basic flow of the OAuth2.0 protocol is unchanged, compatibility and extensibility are preserved;
(4) User authority can be adjusted dynamically on the basis of real-time data, so security threats and business changes are handled promptly. Fine-grained authority management is supported, improving the security and resource efficiency of the system, and the authority policy is configurable to suit different business needs and security levels;
(5) The token refresh mechanism reduces how often users must log in and improves the user experience; the token validity period and revocation mechanism prevent long-lived tokens from being abused, improving system security; and the token life cycle management policy is configurable to suit different security levels and business needs.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and form part of this specification, illustrate embodiments of the invention and together with the description serve to explain it. In the drawings:
FIG. 1 is a schematic diagram of the authorized login procedure in the authorization code mode according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of the authorized login procedure for implicit mode access according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of the authorized login procedure for password mode access according to an embodiment of the present invention;
FIG. 4 is a schematic diagram of the authorized login procedure for client mode access according to an embodiment of the present invention;
FIG. 5 is a schematic diagram of a unified identity authentication service platform built on an OAuth2.0-based infrastructure according to an embodiment of the present invention;
FIG. 6 is a schematic diagram of the portal page shown after logging in to the unified authentication platform according to an embodiment of the present invention.
Detailed Description
It should be noted that, where they do not conflict, the embodiments of the present invention and the features of the embodiments may be combined with each other.
The invention is described in detail below with reference to the drawings and in connection with embodiments.
A unified organization and user management system covering units at every level is constructed. Through application modules such as unified account management, authorization management, authentication management, application management and audit management, it achieves unified maintenance of the application systems of units at every level, unified management of organizations and users, unified management of system resources, application data sharing and comprehensive centralized management and control; it provides single sign-on for users and unified message pushing; and it offers application security access and data security access services to the application systems at every level.
The platform implements authentication and authorization on the standard OAuth2 protocol, so an application that follows the standard protocol can be connected to the unified authentication platform with little additional development. The unified authentication platform provides the four OAuth2 authentication and authorization modes and exposes an authentication and authorization interface for use during the authorization process.
Authorization code mode
The authorization code mode is the most important and most widely used of the authentication modes; it requires the unified login page of the unified authentication platform.
The authorized login process in the authorization code mode is shown in FIG. 1 and specifically includes the following steps:
1. The user accesses the application system;
2. The user is not logged in and is redirected to the authentication and authorization endpoint of the authentication service;
3. The user has not authorized, so the unified authentication login page is returned;
4. The user fills in the authentication credentials (user name and password), submits them and authorizes;
5. The authentication service redirects back to the application system and returns an authorization code;
6. The application system, carrying the authorization code, requests a token from the authentication service;
7. The authentication service verifies the authorization code and returns an access token to the application system;
8. The application system, carrying the access token, requests the user information from the authentication service;
9. The application system receives the user information returned by the authentication service, completes the login and returns the user to the system page.
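The authorization code flow of steps 1 to 9, as an added worked example that is not part of the patent or of Unicloud's platform. It simulates the authentication service and the application system in one process (the client `portal`, its secret, the redirect URI and the user `alice` are constructed sample data, and each network hop is a direct method call) and includes the checks a practitioner expects at each step that the description leaves implicit: the redirect URI must match the registered one before a code is issued, the application ties the callback to its own login attempt with a `state` value, the code is single-use and short-lived, and the client must authenticate before the code is exchanged.

```python
"""Authorization code mode, steps 1-9 of the description, in one process.

Added illustration, not code from the patent or from Unicloud's platform.
The client 'portal', its secret, the redirect URI and the user 'alice' are
constructed sample data; 'network' hops are direct method calls.
"""
import hmac
import secrets
import time
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed user store for the example (real systems store password hashes).
USERS = {"alice": "correct horse battery staple"}


def check_password(username: str, password: str) -> bool:
    return hmac.compare_digest(USERS.get(username, ""), password)


@dataclass
class AuthService:
    """The unified authentication service: clients, one-time codes, tokens."""
    clients: dict                                 # client_id -> {"secret", "redirect_uri"}
    codes: dict = field(default_factory=dict)     # code -> grant record
    tokens: dict = field(default_factory=dict)    # access token -> {"user", "exp"}
    code_ttl: int = 60
    token_ttl: int = 3600

    def authorize(self, client_id, redirect_uri, state, username, password) -> str:
        """Steps 2-5: the login page is submitted; on success, redirect back with a code."""
        client = self.clients.get(client_id)
        # Exact match against the registered URI: otherwise the code would be
        # delivered to whatever redirect_uri an attacker put in the request.
        if client is None or redirect_uri != client["redirect_uri"]:
            raise ValueError("unknown client or redirect_uri mismatch")
        if not check_password(username, password):
            raise ValueError("invalid credentials")
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": client_id, "user": username,
                            "redirect_uri": redirect_uri, "exp": time.time() + self.code_ttl}
        return f"{redirect_uri}?{urlencode({'code': code, 'state': state})}"

    def token(self, client_id, client_secret, code, redirect_uri) -> str:
        """Steps 6-7: authenticate the client and exchange the code for an access token."""
        client = self.clients.get(client_id)
        if client is None or not hmac.compare_digest(client["secret"], client_secret):
            raise ValueError("client authentication failed")
        grant = self.codes.pop(code, None)        # pop makes the code single-use
        if grant is None or grant["exp"] < time.time():
            raise ValueError("invalid, reused or expired code")
        if grant["client_id"] != client_id or grant["redirect_uri"] != redirect_uri:
            raise ValueError("code was issued to a different client or redirect_uri")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {"user": grant["user"], "exp": time.time() + self.token_ttl}
        return token

    def userinfo(self, token: str) -> dict:
        """Step 8: resolve a bearer token to the user's information."""
        entry = self.tokens.get(token)
        if entry is None or entry["exp"] < time.time():
            raise ValueError("invalid or expired token")
        return {"sub": entry["user"], "name": entry["user"].title()}


def app_login(service, client_id, client_secret, redirect_uri, username, password) -> dict:
    """The application system side, steps 1-9 end to end; returns the user info."""
    state = secrets.token_urlsafe(16)             # kept in the user's session
    location = service.authorize(client_id, redirect_uri, state, username, password)
    params = parse_qs(urlparse(location).query)
    # The callback must carry the state of this login attempt, or an attacker
    # could plant a code from their own session into the victim's browser.
    if params.get("state", [None])[0] != state:
        raise ValueError("state mismatch")
    token = service.token(client_id, client_secret, params["code"][0], redirect_uri)
    return service.userinfo(token)


def _denied(fn) -> bool:
    try:
        fn()
        return False
    except ValueError:
        return True


def demo() -> dict:
    cb = "https://portal.example/cb"
    svc = AuthService(clients={"portal": {"secret": "s3cret", "redirect_uri": cb}})
    pw = USERS["alice"]
    info = app_login(svc, "portal", "s3cret", cb, "alice", pw)
    # A code obtained directly, exchanged once, then replayed; and a fresh one
    # presented with the wrong client secret.
    code = parse_qs(urlparse(svc.authorize("portal", cb, "st", "alice", pw)).query)["code"][0]
    svc.token("portal", "s3cret", code, cb)
    code2 = parse_qs(urlparse(svc.authorize("portal", cb, "st", "alice", pw)).query)["code"][0]
    return {
        "user": info["sub"],
        "replay_rejected": _denied(lambda: svc.token("portal", "s3cret", code, cb)),
        "wrong_secret_rejected": _denied(lambda: svc.token("portal", "wrong", code2, cb)),
        "bad_redirect_rejected": _denied(lambda: svc.authorize("portal", "https://evil.example/cb", "st", "alice", pw)),
    }


if __name__ == "__main__":
    print(demo())
```

In a deployed system `authorize` is the redirect handler on the login page, `token` is the token endpoint and `userinfo` the user information endpoint; the code lifetime of 60 seconds and the exact redirect URI match are the two parameters most often relaxed in practice, and both relaxations turn a leaked code into a usable session.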
Implicit mode access
When the application is a pure front-end application with no back end, the token has to be held in the front end, and the implicit mode is used for integration. In this mode the access token is delivered straight to the browser, normally in the URL fragment; the OAuth 2.0 Security Best Current Practice (RFC 9700) recommends the authorization code mode with PKCE instead of the implicit mode for such clients.
The authorized login process is shown in FIG. 2 and specifically includes the following steps:
1. The user is not logged in and requests authentication and authorization from the authentication service;
2. The user has not authorized, so the unified authentication login page is returned;
3. The user fills in the authentication credentials (user name and password), submits them and authorizes;
4. After the unified authentication platform's check passes, the access token is returned to the client;
5. The client, carrying the access token, requests the user information from the authentication service;
6. The client receives the user information returned by the authentication service, completes the login and returns the user to the system page.
Password mode access
When the application has its own login page or is not suited to the login page of the unified authentication platform (for example a native app with its own login interface), the application logs in using the password mode. Because the application system handles the user's password directly in this mode, it should be limited to trusted first-party applications; RFC 9700 recommends against the password grant.
The authorized login process is shown in FIG. 3 and specifically includes the following steps:
1. The user accesses the application system;
2. The user is not logged in, and the application system's own login page is returned;
3. The user fills in the authentication credentials (user name and password) and submits them to the application system;
4. The application system, carrying the user's authentication credentials, requests authentication and authorization from the authentication service;
5. After the authentication and authorization check passes, the authentication service returns an access token to the application system;
6. The application system, carrying the access token, requests the user information from the authentication service;
7. The application system receives the user information returned by the authentication service, completes the login and returns the user to the system page.
Client mode access
This mode involves only the application service (no end user) and is used by an application service to authenticate to the system-level API of the unified authentication platform. After an application is created it can choose whether to enable the system API; once enabled, it is allocated a client_id and client_secret for calling the system-level API, with which it performs client mode authentication.
The authorized login process is shown in FIG. 4 and specifically includes the following steps:
1. The application system, carrying the allocated system API client_id and client_secret, requests authentication from the authentication service;
2. The authentication service returns an access token after authentication succeeds;
3. The application system, carrying the access token, calls a system-level API of the authentication service;
4. The authentication service checks the access token, executes the system API business logic after the check succeeds, and returns the API interface data.
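The client mode of steps 1 to 4, as an added worked example (not the patent's or the platform's code). The client ids, the scopes registered for each application and the two system-level APIs are constructed, and calls are in-process rather than over HTTP. It shows the "enable the system API after creation" step (an application that did not enable it has no secret and cannot authenticate), client authentication with a constant-time secret comparison, a token limited to the scopes registered for that client, and a scope check performed by each system API before its logic runs.

```python
"""Client mode (client credentials), steps 1-4 of the description.

Added illustration, not code from the patent or from Unicloud's platform.
Applications, scopes and the system-level APIs below are constructed.
"""
import hmac
import secrets
import time


class SystemApiAuth:
    """Unified authentication platform: system-API credentials and tokens."""

    def __init__(self):
        self.clients = {}   # client_id -> {"enabled", "secret", "scopes"}
        self.tokens = {}    # access token -> {"client_id", "scopes", "exp"}

    def register_application(self, client_id, enable_system_api, scopes):
        """An application is created first; credentials exist only if the system API is enabled."""
        entry = {"enabled": enable_system_api, "scopes": set(scopes), "secret": None}
        if enable_system_api:
            entry["secret"] = secrets.token_urlsafe(32)
        self.clients[client_id] = entry
        return entry["secret"]            # handed to the application once, out of band

    def token(self, client_id, client_secret, requested_scopes):
        """Steps 1-2: authenticate the client and issue a token limited to its registered scopes."""
        c = self.clients.get(client_id)
        if c is None or not c["enabled"] or c["secret"] is None:
            raise PermissionError("system API not enabled for this application")
        if not hmac.compare_digest(c["secret"], client_secret):
            raise PermissionError("bad client secret")
        requested = set(requested_scopes)
        if not requested <= c["scopes"]:  # a client never gets more than it was registered for
            raise PermissionError(f"scope not allowed: {sorted(requested - c['scopes'])}")
        tok = secrets.token_urlsafe(32)
        self.tokens[tok] = {"client_id": client_id, "scopes": requested, "exp": time.time() + 600}
        return tok

    def call_system_api(self, token, api_name):
        """Steps 3-4: check the token and its scope, then run the API's business logic."""
        t = self.tokens.get(token)
        if t is None or t["exp"] < time.time():
            raise PermissionError("invalid or expired token")
        api = SYSTEM_APIS[api_name]
        if api["scope"] not in t["scopes"]:
            raise PermissionError(f"token lacks scope {api['scope']}")
        return api["handler"](t["client_id"])


# Constructed system-level APIs and the scope each one requires.
SYSTEM_APIS = {
    "org/list":  {"scope": "org.read",   "handler": lambda cid: ["Unit A", "Unit B"]},
    "user/sync": {"scope": "user.write", "handler": lambda cid: {"synced_by": cid, "count": 2}},
}


def _denied(fn) -> bool:
    try:
        fn()
        return False
    except PermissionError:
        return True


def demo() -> dict:
    auth = SystemApiAuth()
    hr_secret = auth.register_application("hr-system", True, ["org.read"])
    auth.register_application("kiosk", False, [])          # system API left disabled
    tok = auth.token("hr-system", hr_secret, ["org.read"])
    return {
        "org_list": auth.call_system_api(tok, "org/list"),
        "write_denied": _denied(lambda: auth.call_system_api(tok, "user/sync")),
        "scope_escalation_denied": _denied(lambda: auth.token("hr-system", hr_secret, ["org.read", "user.write"])),
        "disabled_app_denied": _denied(lambda: auth.token("kiosk", "anything", [])),
        "wrong_secret_denied": _denied(lambda: auth.token("hr-system", "wrong", ["org.read"])),
    }


if __name__ == "__main__":
    print(demo())
```

The scope check sits in the API dispatcher rather than in the individual handlers so that a new system API cannot be added without declaring what a caller must hold; the secret returned by `register_application` stands in for whatever the platform's application management page displays once.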
FIG. 5 is a schematic diagram of a unified identity authentication service platform built on an OAuth2.0-based infrastructure. It realizes the core goals of account unification, system resource integration, application data sharing and comprehensive centralized management and control. A unified portal module integrates single sign-on and calls the unified identity authentication platform service, so that different users log in and are shown different content. A unified message module provides applications with message creation, pushing and statistics through a unified message-sending interface, integrates and centrally manages the message-sending capability of each business system, and, through unified channel integration management, ensures that messages reach users over every channel.
FIG. 6 is the portal page shown after logging in to the unified authentication platform: all application systems within the user's permission scope are displayed and can be entered directly with a click.
The scheme also addresses the security risk that a traditional OAuth2.0 authentication flow generally relies on a single user name and password as the authentication credential. Multi-factor authentication (MFA) is introduced to raise the security of the system and prevent accounts from being accessed illegitimately. The specific steps are as follows:
The user accesses the application system: the user opens the entry page of the target application system through a browser or a client application;
The application system detects that the user is not logged in and redirects the user to the authentication and authorization page of the unified identity authentication platform;
The user enters the first authentication factor: on the unified authentication page the user enters the user name and password;
The unified authentication service verifies the first authentication factor: if the user name and password pass verification the flow proceeds, otherwise an error is returned and the user is prompted to re-enter them;
Verification of the second authentication factor is triggered: according to the user's settings or system policy, the authentication service starts the second-factor procedure, such as sending an SMS verification code, generating a one-time dynamic password (OTP) or requesting biometric verification;
The user completes the second factor as prompted, for example by entering the received SMS code, generating a dynamic password with an OTP device, or verifying by fingerprint, face recognition or another biometric;
The unified authentication service verifies the second authentication factor: if it passes, the user's identity is confirmed; if it fails, the user is prompted to repeat the second-factor verification or an error is returned;
An authorization code or access token is generated: only after both factors have passed does the authentication service generate the authorization code or access token appropriate to the OAuth2.0 mode in use (authorization code mode, implicit mode and so on);
Return to the application system and complete the rest of the OAuth2.0 flow: the application system receives the authorization code or access token, requests the access token from the authentication service or directly fetches the user information according to the flow of the corresponding mode, and completes the login.
In summary, the scheme markedly improves the reliability of user authentication through multi-factor authentication and prevents the security problems caused by password leakage; several kinds of second factor are supported, so a user can choose a suitable one; and the multi-factor step is integrated seamlessly into the OAuth2.0 authentication flow without affecting the existing system architecture.
Meanwhile, the scheme addresses the problem that an existing access token, if not encrypted during transmission and storage, may be stolen or tampered with and so create a security risk; by encrypting the token it effectively prevents illegal acquisition and use. The specific steps are as follows:
Generating and encrypting the access token: after the authentication service generates the access token, it encrypts the token with an asymmetric encryption algorithm (such as RSA or ECC), the public key being used for encryption and the private key for decryption;
Transmitting the encrypted token: the encrypted access token is returned to the application system over a secure communication protocol (such as HTTPS), ensuring that it is not intercepted or tampered with in transit;
Storing the encrypted access token: the application system stores the encrypted access token securely on the server or the client, avoiding plaintext storage and preventing token leakage;
Using the encrypted access token: when the application system calls an API of the authentication service or the resource server, it carries the encrypted access token as its identity credential;
Decrypting and verifying the access token: after receiving the request, the authentication service or resource server decrypts the access token with the private key and verifies the token's validity, integrity and authority range (scope);
Processing the request and returning a response: if verification passes, the corresponding business logic is executed and the requested resource or data is returned; if verification fails, error information is returned.
In summary, by encrypting the token for transmission and storage the scheme prevents tokens from being intercepted, tampered with or replayed; the use of asymmetric encryption facilitates secure key management and distribution and improves the security and maintainability of the system; and the basic flow of the OAuth2.0 protocol is unchanged, preserving the compatibility and extensibility of the system.
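Steps 1 and 5 above (public-key encryption of the issued token, private-key decryption followed by expiry and scope checks) as an added Go example that is not part of the patent; the token's JSON fields, the OAEP label and the scope names are constructed assumptions, and the HTTPS transport and storage steps are outside the block.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Token is the plaintext access token the authentication service issues;
// the field set is an assumption, the page does not fix a token format.
type Token struct {
	Subject string   `json:"sub"`
	Scope   []string `json:"scope"`
	Expires int64    `json:"exp"` // Unix seconds
}

// oaepLabel ties the ciphertext to its purpose; both sides must use the same.
var oaepLabel = []byte("unified-auth-access-token")

// EncryptToken serialises the token and encrypts it with RSA-OAEP under the
// resource server's public key (step 1: public key encrypts). With a 2048-bit
// key and SHA-256, OAEP holds at most 190 bytes of plaintext, so the token
// must stay compact; EncryptOAEP returns an error if it does not fit.
func EncryptToken(pub *rsa.PublicKey, t Token) ([]byte, error) {
	plain, err := json.Marshal(t)
	if err != nil {
		return nil, err
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, plain, oaepLabel)
}

// VerifyEncryptedToken is the resource server side (step 5): decrypt with the
// private key, then check expiry and that the required scope was granted.
// OAEP decryption fails on any altered byte, which is the integrity check;
// the expiry check bounds how long a captured ciphertext stays usable.
func VerifyEncryptedToken(priv *rsa.PrivateKey, ct []byte, required string, now time.Time) (*Token, error) {
	plain, err := rsa.DecryptOAEP(sha256.New(), nil, priv, ct, oaepLabel)
	if err != nil {
		return nil, errors.New("token rejected: integrity check failed")
	}
	var t Token
	if err := json.Unmarshal(plain, &t); err != nil {
		return nil, errors.New("token rejected: malformed")
	}
	if now.Unix() >= t.Expires {
		return nil, errors.New("token rejected: expired")
	}
	for _, s := range t.Scope {
		if s == required {
			return &t, nil
		}
	}
	return nil, errors.New("token rejected: insufficient scope")
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // the resource server's key pair
	now := time.Now()
	tok := Token{Subject: "alice", Scope: []string{"profile", "orders:read"}, Expires: now.Add(15 * time.Minute).Unix()}
	ct, _ := EncryptToken(&priv.PublicKey, tok) // in the scheme this travels over HTTPS
	got, err := VerifyEncryptedToken(priv, ct, "orders:read", now)
	fmt.Println(got.Subject, err) // alice <nil>
}
```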
Meanwhile, the scheme addresses the problem that existing static authority management cannot adapt to complex and changing business requirements and security policies: by introducing dynamic authority management, authority can be adjusted dynamically according to the user's real-time behaviour and environment, improving the security and flexibility of the system. The specific steps are as follows:
Defining authority policies and rules: a system administrator configures the authority policies in the unified authentication platform, including role-based (RBAC) and attribute-based (ABAC) authority models and the rules for dynamic adjustment;
Initial authorization: after the user completes the authentication flow, the user obtains an access token containing an initial authority range (scope);
Monitoring user behaviour and environment in real time: the system monitors the user's operation behaviour, access frequency, type of accessed resource and environment information (such as IP address, device type and geographic location);
Dynamically evaluating and adjusting authority: according to the preset authority policy and the real-time monitoring data, the system evaluates whether the user's authority range needs to be adjusted;
for example, when abnormal behaviour (such as a large number of requests in a short time or a login from an abnormal location) is detected, the authority range is tightened or additional security verification is triggered;
Updating the authority range of the access token: the system generates a new access token containing the updated authority range
and pushes the new access token to the application system or notifies the application system to re-acquire the token;
Using the updated access token: when the application system invokes a protected resource it uses the new access token, ensuring that the user's authority is consistent with the latest policy;
Logging and auditing: the system records the process and reason of each authority adjustment in detail to facilitate subsequent audit and analysis;
In summary, the scheme can dynamically adjust user authority according to real-time data and respond promptly to security threats and business changes; it supports fine-grained authority management, improving the security and resource-utilization efficiency of the system; and its authority policy is configurable to suit different business requirements and security levels.
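A policy evaluator for the monitoring, evaluation and audit steps above, as an added Go example that is not part of the patent: the signal fields, thresholds, scope names and "step-up" rule are constructed assumptions, and minting the replacement token and notifying the application are left to the caller.

```go
package main

import "fmt"

// Signals is the real-time monitoring data the policy evaluates (step 3).
// The field set is an assumption; the page lists these categories.
type Signals struct {
	RequestsLastMinute int
	Country            string // from the client IP's geolocation
	DeviceKnown        bool
}

// Policy holds the administrator-configured thresholds and rules (step 1).
type Policy struct {
	MaxRequestsPerMinute int
	HomeCountry          string
	StepUpScopes         []string // scopes withdrawn until extra verification passes
}

// Decision is the evaluation result: the scope the replacement token should
// carry, whether additional verification is required, and the reason that is
// written to the audit log (steps 4 to 7).
type Decision struct {
	Scope  []string
	StepUp bool
	Reason string
}

// Evaluate applies the preset policy to the token's current scope and the
// monitoring data. On an anomaly it withdraws the step-up scopes and asks for
// additional verification; otherwise the scope is returned unchanged.
func Evaluate(p Policy, scope []string, s Signals) Decision {
	var reason string
	switch {
	case s.RequestsLastMinute > p.MaxRequestsPerMinute:
		reason = fmt.Sprintf("request burst: %d/min > %d", s.RequestsLastMinute, p.MaxRequestsPerMinute)
	case s.Country != p.HomeCountry:
		reason = "login location outside home country: " + s.Country
	case !s.DeviceKnown:
		reason = "unknown device"
	default:
		return Decision{Scope: scope, Reason: "no anomaly; scope unchanged"}
	}
	var kept []string // new slice: the caller's existing token scope is not mutated
	for _, sc := range scope {
		if !contains(p.StepUpScopes, sc) {
			kept = append(kept, sc)
		}
	}
	return Decision{Scope: kept, StepUp: true, Reason: reason}
}

func contains(list []string, v string) bool {
	for _, x := range list {
		if x == v {
			return true
		}
	}
	return false
}

func main() {
	pol := Policy{MaxRequestsPerMinute: 120, HomeCountry: "CN", StepUpScopes: []string{"orders:write", "admin"}}
	sig := Signals{RequestsLastMinute: 900, Country: "CN", DeviceKnown: true} // constructed sample
	d := Evaluate(pol, []string{"profile", "orders:read", "orders:write"}, sig)
	fmt.Println(d.Scope, d.StepUp, d.Reason) // [profile orders:read] true request burst: 900/min > 120
}
```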
Meanwhile, the scheme addresses the problem that existing frequent logins inconvenience users, and prevents long-lived tokens from being abused, by providing life-cycle management of the access token. The specific steps are as follows:
Generating an access token and a refresh token: after the user's authentication passes, the authentication service generates a short-lived access token and a long-lived refresh token;
the access token is used to access protected resources and the refresh token is used to obtain a new access token;
Setting the validity period of the tokens: the validity period of the access token is short (such as 15 minutes to 1 hour) and that of the refresh token is long (such as 7 days to 30 days);
the validity periods are set flexibly according to business requirements and the security policy;
Using and expiring the access token: when the application system accesses a protected resource it uses the access token for authorization;
when the access token expires, the system refuses access and indicates that a new token must be obtained;
Refreshing the access token: after detecting that the access token has expired, the application system uses the refresh token to request a new access token from the authentication service;
the authentication service verifies the validity and legitimacy of the refresh token and generates a new access token and a new refresh token;
Invalidation and revocation of refresh tokens:
the refresh token is invalidated or revoked when it reaches the end of its validity period, when the user actively logs off or changes their password, or when the system detects a security risk (e.g. abnormal login or token leakage) and actively revokes the token.
The authentication service provides a token revocation interface so that an application system or a user can actively revoke the access token and refresh token; a revoked token is invalid immediately, so it cannot continue to be used.
Token blacklist and whitelist management: the system maintains a blacklist of tokens (tokens that have been invalidated or revoked) and a whitelist (trusted tokens);
when verifying a token, the resource server consults the blacklist and whitelist to ensure the validity and security of the token;
Notification mechanism: when a token is about to expire or has been revoked, the system can notify the user by message, e-mail, etc., prompting them to log in again or to pay attention to account security.
In summary, the token refresh mechanism of the scheme reduces how often users must log in and improves the user experience; the token validity period and revocation mechanism prevent long-lived tokens from being abused and improve system security; and the token life-cycle management policy is configurable to suit different security levels and business requirements.
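An in-memory token store implementing the issue, validate, refresh and revoke steps above, as an added Go example that is not part of the patent; the lifetimes (15 minutes and 7 days) are taken from the ranges given and would be policy-configurable, and the blacklist map plays the role of the revoked-token list while the tokens map is the whitelist of trusted tokens.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"time"
)

type tokenRecord struct {
	Kind    string // "access" or "refresh"
	User    string
	Expires time.Time
	Pair    string // the other token issued in the same pair
}

// Store is the authentication service's token state plus the blacklist of
// tokens that were rotated away or revoked (the tokens map is the whitelist).
type Store struct {
	tokens    map[string]tokenRecord
	blacklist map[string]bool
}

func NewStore() *Store { return &Store{map[string]tokenRecord{}, map[string]bool{}} }

func random() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return fmt.Sprintf("%x", b)
}

// Issue creates the pair (step 1): a 15-minute access token and a 7-day
// refresh token, lifetimes within the ranges given above.
func (s *Store) Issue(user string, now time.Time) (accessTok, refreshTok string) {
	accessTok, refreshTok = random(), random()
	s.tokens[accessTok] = tokenRecord{"access", user, now.Add(15 * time.Minute), refreshTok}
	s.tokens[refreshTok] = tokenRecord{"refresh", user, now.Add(7 * 24 * time.Hour), accessTok}
	return
}

// Validate is the check every presented token goes through (steps 3 and 6):
// known, of the expected kind, not blacklisted, not expired. Returns the user.
func (s *Store) Validate(tok, kind string, now time.Time) (string, error) {
	rec, ok := s.tokens[tok]
	if !ok || rec.Kind != kind || s.blacklist[tok] {
		return "", fmt.Errorf("invalid_%s: unknown or revoked", kind)
	}
	if !now.Before(rec.Expires) {
		return "", fmt.Errorf("invalid_%s: expired", kind)
	}
	return rec.User, nil
}

// Refresh exchanges a valid refresh token for a new pair (step 4). The old
// refresh token is blacklisted so it cannot be replayed, together with the
// access token that was issued alongside it.
func (s *Store) Refresh(refreshTok string, now time.Time) (string, string, error) {
	user, err := s.Validate(refreshTok, "refresh", now)
	if err != nil {
		return "", "", err
	}
	s.Revoke(refreshTok)
	a, r := s.Issue(user, now)
	return a, r, nil
}

// Revoke is the revocation interface (step 5): presenting either token of a
// pair makes both unusable immediately, e.g. on logout or password change.
func (s *Store) Revoke(tok string) {
	if rec, ok := s.tokens[tok]; ok {
		s.blacklist[tok], s.blacklist[rec.Pair] = true, true
	}
}
```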
In summary, the unified identity authentication platform based on OAuth2.0 technology can provide a unified login entrance, integrate all current application systems, and form a comprehensive user system, a standard organization system and normalized management of all applications. This eliminates the problem of logging in to multiple system addresses with multiple accounts, assists in realizing collaborative office work, avoids repeated construction of systems and strengthens the association between services. The specific implementation effects are as follows:
1) SSO single sign-on
SSO technology is supported, together with the standard authentication protocols OAuth2.0, OIDC, SAML2.0, JWT and CAS (versions 1.0/2.0/3.0 are all supported); single sign-on between application systems is realized, and integration of browser-side and client-side applications as well as desktop-side and mobile-side applications is supported.
2) Refined authorization
The role-based access control and attribute-based authority control models realize multidimensional, fine-grained authority control and provide centralized, flexible authorization management for application systems, which reduces the operation and maintenance workload of the system and improves management efficiency.
3) Compliance audit
Comprehensive log management is carried out for user behaviour, application access, risky operations and the like, so that responsible persons can be traced and audited after the fact, ensuring the security of unified identity authentication.
Those of ordinary skill in the art will appreciate that the elements and method steps of each example described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the elements and steps of each example have been described generally in terms of functionality in the foregoing description to clearly illustrate this interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
In the several embodiments provided in the present application, it should be understood that the disclosed methods and systems may be implemented in other ways. For example, the above-described division of units is merely a logical function division, and there may be another division manner when actually implemented, for example, a plurality of units or components may be combined or may be integrated into another system, or some features may be omitted or not performed. The units may or may not be physically separate, and components shown as units may or may not be physical units, may be located in one place, or may be distributed over a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the embodiment of the present application.
It should be noted that the above embodiments are only used to illustrate the technical solution of the present invention, but not to limit the technical solution of the present invention, and although the detailed description of the present invention is given with reference to the above embodiments, it should be understood by those skilled in the art that the technical solution described in the above embodiments may be modified or some or all technical features may be equivalently replaced, and these modifications or substitutions do not make the essence of the corresponding technical solution deviate from the scope of the technical solution of the embodiments of the present invention, and all the modifications or substitutions are included in the scope of the claims and the specification of the present invention.
The foregoing description of the preferred embodiments of the invention is not intended to be limiting, but rather is intended to cover all modifications, equivalents, alternatives, and improvements that fall within the spirit and scope of the invention.

Claims (10)

1. A multi-mode unified identity authentication method based on OAuth2.0 technology, characterized in that:
a unified organization and user management system is constructed based on the OAuth2.0 protocol, wherein the organization and user management system integrates unified account, authorization, authentication, application and audit management modules;
single sign-on, secure access and centralized management and control are provided for application systems according to a plurality of preset authentication and authorization modes, wherein the preset authentication and authorization modes comprise an authorization code mode, an implicit mode, a password mode and a client mode.
2. The multi-mode unified identity authentication method based on OAuth2.0 technology according to claim 1, wherein, when the preset authentication and authorization mode is the authorization code mode, the authorized login procedure comprises the following steps:
the user accesses the application system, and the application system, carrying an authorization code, requests an access token from the authentication service;
the authentication service verifies the authorization code and returns an access token after verification passes;
the application system, carrying the access token, requests the user information from the authentication service;
after receiving the user information, the application system completes the login and returns to the system page.
3. The multi-mode unified identity authentication method based on OAuth2.0 technology according to claim 2, wherein, when the user accesses the application system and is not logged in, the system redirects the user to the authentication and authorization page of the unified authentication service; when the user is not yet authorized, the user is redirected to the unified authentication login page, fills in the authentication credentials and authorizes upon submission, after which the authentication service redirects back to the application system and returns an authorization code.
4. The multi-mode unified identity authentication method based on OAuth2.0 technology according to claim 1, wherein, when the preset authentication and authorization mode is the implicit mode, the authorized login procedure comprises the following steps:
the user requests authentication and authorization from the authentication service; when the user is not yet authorized, the user is redirected to the unified authentication login page, fills in the authentication credentials, submits them and authorizes;
after its verification passes, the authentication service returns an access token to the front-end application;
the front-end application, carrying the access token, requests the user information from the authentication service;
the client receives the user information returned by the authentication service, completes the login and returns to the system page.
5. The multi-mode unified identity authentication method based on OAuth2.0 technology according to claim 1, wherein, when the preset authentication and authorization mode is the password mode, the authorized login procedure comprises the following steps:
the user accesses the application system; if the user is not logged in, the application system's login page is returned, and the user fills in the authentication credentials and submits them to the application system;
the application system requests authentication and authorization from the authentication service with the user's authentication credentials; after the authentication service's verification passes, an access token is returned to the application system;
the application system, carrying the access token, requests the user information from the authentication service;
the application system receives the user information returned by the authentication service, completes the login and returns to the system page.
6. The multi-mode unified identity authentication method based on OAuth2.0 technology according to claim 1, wherein, when the preset authentication and authorization mode is the client mode, the method is used to call system-level API authentication of the unified authentication platform for use by an application service; after an application is created it can choose whether to enable the system API, and once enabled it is allocated a client ID and client secret for calling the system API so as to perform client-mode authentication.
7. The multi-mode unified identity authentication method based on OAuth2.0 technology according to claim 6, wherein, when the preset authentication and authorization mode is the client mode, the authorized login procedure comprises the following steps:
the application system, carrying the allocated system API client ID and client secret, requests authentication from the authentication service;
the authentication service returns an access token after authentication succeeds;
the application system, carrying the access token, calls a system-level API of the authentication service;
the authentication service checks the access token, executes the system API business logic after the check succeeds, and returns the API interface data.
8. The multi-mode unified identity authentication method based on OAuth2.0 technology of claim 1, further comprising a multi-factor authentication step during authentication, wherein the multi-factor authentication comprises user credential verification and verification of a second authentication factor, such as an SMS verification code, a hardware token or biometric data.
9. The multi-mode unified identity authentication method based on OAuth2.0 technology according to claim 1, wherein the method comprises the steps of encrypting, transmitting and storing the access token, the token being encrypted with an asymmetric encryption algorithm to ensure its security.
10. The multi-mode unified identity authentication method based on OAuth2.0 technology of claim 9, wherein the access token has a dynamic rights management function and rights can be dynamically adjusted according to the user's operation behaviour, geographic position or time;
the method further comprises a life-cycle management step for the access token, wherein the token is renewed by a token refresh mechanism before it expires so as to avoid frequent user logins.
CN202411485493.2A 2024-10-23 2024-10-23 A multi-mode unified identity authentication method based on OAuth2.0 technology Pending CN119484033A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202411485493.2A CN119484033A (en) 2024-10-23 2024-10-23 A multi-mode unified identity authentication method based on OAuth2.0 technology

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202411485493.2A CN119484033A (en) 2024-10-23 2024-10-23 A multi-mode unified identity authentication method based on OAuth2.0 technology

Publications (1)

Publication Number Publication Date
CN119484033A true CN119484033A (en) 2025-02-18

Family

ID=94575972

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202411485493.2A Pending CN119484033A (en) 2024-10-23 2024-10-23 A multi-mode unified identity authentication method based on OAuth2.0 technology

Country Status (1)

Country Link
CN (1) CN119484033A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN120354390A (en) * 2025-06-19 2025-07-22 中国科学技术信息研究所 Implementation method for constructing unified user authentication center based on OIDC framework

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination