CN111431972A - Application authorization method, device, storage medium and system based on IDP proxy - Google Patents

Application authorization method, device, storage medium and system based on IDP proxy

Info

Publication number: CN111431972A
Authority: CN (China)
Prior art keywords: idp, service, proxy, agent, user
Legal status: Granted; currently active (the legal status shown by Google Patents is an assumption, not a legal conclusion)
Application number: CN202010147686.2A
Other languages: Chinese (zh)
Other versions: CN111431972B (en)
Inventors: 尹力炜, 李新军, 杨瀚
Current assignee: Beijing Longgui Technology Co ltd
Original assignee: Beijing Longgui Technology Co ltd
Priority date: 2020-03-05
Filing date: 2020-03-05
Publication date: 2020-07-17 (application CN111431972A); grant CN111431972B published 2022-09-20
Application filed by Beijing Longgui Technology Co ltd

Classifications

    • H04L67/51 — H Electricity; H04 Electric communication technique; H04L Transmission of digital information, e.g. telegraphic communication; H04L67/00 Network arrangements or protocols for supporting network services or applications; H04L67/50 Network services; H04L67/51 Discovery or management thereof, e.g. service location protocol [SLP] or web services
    • H04L63/061 — H04L63/00 Network architectures or network communication protocols for network security; H04L63/06 supporting key management in a packet data network; H04L63/061 for key exchange, e.g. in peer-to-peer networks
    • H04L63/083 — H04L63/00 Network architectures or network communication protocols for network security; H04L63/08 authentication of entities; H04L63/083 authentication of entities using passwords
    • H04L67/56 — H04L67/00 Network arrangements or protocols for supporting network services or applications; H04L67/50 Network services; H04L67/56 Provisioning of proxy services

Landscapes

  • Engineering & Computer Science
  • Computer Networks & Wireless Communication
  • Signal Processing
  • Computer Hardware Design
  • Computer Security & Cryptography
  • Computing Systems
  • General Engineering & Computer Science
  • Telephonic Communication Services

Abstract

The invention discloses an application authorization method, device, storage medium and system based on an IDP proxy. The method comprises: providing an IDP proxy; completing registration of at least one IDP service and at least one third-party application in the IDP proxy; displaying a login entry of the IDP proxy on the login page of the third-party application; and, according to the IDP service selected by the user, the IDP proxy redirecting to the login page of that IDP service, requesting its authorization, and forwarding the authorization to the third-party application to complete login. A user of several third-party applications thus logs in through one unified identity authentication system, and repeated registration and login by the user are avoided.

Description

Application authorization method, device, storage medium and system based on IDP proxy
Technical Field
The present invention relates to the field of network communication technologies, and in particular, to an application authorization method, device, storage medium, and system based on an IDP proxy.
Background
With the development of cloud technology, more and more SaaS (Software-as-a-Service) offerings are being adopted.
IDP stands for identity provider. The identity credentials (account and password) held by an IDP can be used directly at any third-party application the IDP is connected to; this is single sign-on (SSO).
At present, when an enterprise or an individual uses different SaaS services, each service has to be registered with and logged in to separately. Connecting each one requires a great deal of coordination and development work, and the user repeats the registration and login for every SaaS service, which seriously degrades the user experience.
An application authorization method is therefore needed that avoids this repeated login, so that multiple third-party applications can be logged in to through one unified authentication mechanism.
Disclosure of Invention
The invention aims to provide an application authorization method, device, storage medium and system based on an IDP proxy, so that a plurality of third-party applications can be logged in to through one unified identity authentication mechanism.
To achieve this, the invention provides an application authorization method based on an IDP proxy, comprising:
providing an IDP proxy, which provides a proxy service for IDP services and is in communication with the IDP services and with third-party applications;
completing registration of at least one IDP service and at least one third-party application in the IDP proxy, wherein the IDP service stores user information, can provide a login page, and verifies the user's identity by account and password;
displaying a login entry of the IDP proxy on the login page of the third-party application, so that a user can select an IDP service registered in the IDP proxy;
and the IDP proxy, according to the IDP service selected by the user, redirecting to the login page of that IDP service, requesting its authorization, and forwarding the authorization to the third-party application to complete login.
Optionally, completing registration of the at least one IDP service and the at least one third-party application in the IDP proxy comprises:
the IDP proxy recording the network address of the IDP service and exchanging a public key with the IDP service;
and the IDP proxy recording the callback address of the third-party application and exchanging a public key with the third-party application.
Optionally, the IDP services include private IDP services and public IDP services.
Optionally, the network address of the IDP service comprises an IP address and/or a domain name.
Optionally, each IDP service registered in the IDP proxy has a unique number, and the user selecting an IDP service registered in the IDP proxy comprises:
after the user enters the number of an IDP service and confirms, if that number or a similar number exists, displaying the matching IDP services so that the user can pick the one required.
The present invention also proposes an electronic device, comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the IDP-proxy-based application authorization method described above.
The present invention also proposes a non-transitory computer-readable storage medium storing computer instructions for causing a computer to execute the IDP-proxy-based application authorization method described above.
The invention also provides an application authorization system based on an IDP proxy, comprising the IDP proxy, at least one IDP service and at least one third-party application, wherein the IDP service and the third-party application are registered in the IDP proxy and are each in communication with the IDP proxy;
the login page of the third-party application can show a login entry of the IDP proxy so that a user can select an IDP service registered in the IDP proxy;
the IDP service stores user information, can provide a login page to verify the user's identity by account and password, and can return an authorization for the logged-in user to the IDP proxy;
and the IDP proxy, according to the IDP service selected by the user, redirects to the login page of that IDP service, requests its authorization, and forwards the authorization to the third-party application to complete login.
Optionally, the IDP service and the third-party application each completing registration in the IDP proxy comprises: the IDP proxy recording the network address of the IDP service and exchanging a public key with the IDP service; and the IDP proxy recording the callback address of the third-party application and exchanging a public key with the third-party application.
Optionally, the IDP services include private IDP services and public IDP services, and each IDP service registered in the IDP proxy has a unique number.
The invention has the beneficial effects that:
By means of the IDP proxy, the IDP service and the third-party application each register with the IDP proxy and each establish a communication connection with it, so that any third-party application connected to the IDP proxy can use the IDP service immediately. A user of several third-party applications logs in through one unified identity verification system, repeated registration and login are avoided, a SaaS service behaves for the enterprise or individual like a private application, and the user's coordination, development and usage costs are greatly reduced.
The apparatus of the present invention has other features and advantages which will be apparent from or are set forth in detail in the accompanying drawings and the following detailed description, which are incorporated herein, and which together serve to explain certain principles of the invention.
Drawings
The above and other objects, features and advantages of the present invention will become more apparent by describing in more detail exemplary embodiments thereof with reference to the attached drawings, in which like reference numerals generally represent like parts.
Fig. 1 is a schematic diagram of an IDP service authorizing a third-party application according to the prior art.
Fig. 2 is a step diagram of an IDP-proxy-based application authorization method according to the present invention.
Fig. 3 is an authorization flow diagram of an IDP-proxy-based application authorization method according to an embodiment of the present invention.
Fig. 4 is a schematic diagram of an IDP-proxy-based application authorization system according to an embodiment of the present invention.
Detailed Description
Referring to Fig. 1, in the prior art the IDP service is decoupled from the third-party application by the OAuth 2.0 protocol. A typical example is WeChat offering direct WeChat login to other third-party websites: WeChat can be regarded as a private IDP service, it stores the user's account, password and other information, and authorization of the third-party application is completed through OAuth 2.0. Here WeChat acts as the IDP, and the third-party application registers with and integrates against WeChat's IDP directly.
However, a private IDP service is itself often unstable, and the user identity may be lost when its address changes or in other such situations.
The scheme of the invention therefore lets any third-party application connected to the IDP proxy use a private IDP service quickly, through the IDP proxy, and greatly reduces coordination and development work.
The invention will be described in more detail below with reference to the accompanying drawings. While the preferred embodiments of the present invention are shown in the drawings, it should be understood that the present invention may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the invention to those skilled in the art.
Fig. 2 shows a step diagram of an IDP proxy based application authorization method according to the present invention.
The application authorization method based on the IDP proxy comprises the following steps:
providing an IDP proxy, which provides a proxy service for IDP services and is in communication with the IDP services and with third-party applications;
completing registration of at least one IDP service and at least one third-party application in the IDP proxy, wherein the IDP service stores user information, can provide a login page, and verifies the user's identity by account and password;
displaying a login entry of the IDP proxy on the login page of a third-party application, so that a user can select an IDP service registered in the IDP proxy;
and the IDP proxy, according to the IDP service selected by the user, redirecting to the login page of that IDP service, requesting its authorization, and forwarding the authorization to the third-party application to complete login.
Specifically, by means of the IDP proxy, the IDP service and the third-party application both register with the IDP proxy and establish a communication connection with it, so that any third-party application connected to the IDP proxy can use the IDP service immediately, and a user of several third-party applications logs in through one unified identity authentication system, avoiding repeated registration and login.
Further, by means of the IDP proxy, IDP services can be virtualized: over time, what a third-party application sees as one IDP can correspond to several actual IDP services behind the proxy. When an IDP service changes, for example by migrating to a new address, the proxy's record of the address is updated and the IDP service stays available to the applications, in the same way that a domain name hides a change of IP address.
In one example, completing registration of the at least one IDP service and the at least one third-party application in the IDP proxy comprises:
the IDP proxy recording the network address of the IDP service and exchanging a public key with the IDP service;
the IDP proxy recording the callback address of the third-party application and exchanging a public key with the third-party application.
In one example, the IDP services include private IDP services and public IDP services;
the network address of the IDP service includes an IP address and/or a logical address.
Specifically, a private IDP is an IDP service that an organization (an individual or an enterprise) installs and runs itself, on a public cloud service, in its own machine room or on its own equipment; a public IDP provides a SaaS-style IDP service shared by multiple organizations. Either kind may be registered in the IDP proxy; the difference is that a private IDP is registered with a real network address such as an IP address, whereas a public IDP additionally supplies the logical address of the actual IDP service within the public IDP.
In one example, each IDP service registered in the IDP proxy has a unique number, and the user selecting an IDP service registered in the IDP proxy comprises:
after the user enters the number of an IDP service and confirms, if that number or a similar number exists, displaying the matching IDP services so that the user can pick the one required.
One embodiment is as follows:
1. Preparation:
(1) The IDP service (public or private), which stores the user information, registers with the IDP proxy, informing the proxy of its specific address and completing the public key exchange; communication between the IDP proxy and the IDP service is then encrypted. Each IDP service is assigned a unique number.
(2) The third-party application completes registration and public key exchange at the IDP proxy, then displays the IDP proxy's login entry on its own login page using the SDK or API provided by the IDP proxy.
2. Authorization flow (see Fig. 3):
(1) The user clicks the IDP proxy login entry, which starts the authorization process.
(2) The IDP proxy returns the IDP service selection page and asks for the number of the IDP service.
(3) The user enters the IDP service number and confirms. If that number or a similar number exists, the matching IDP services are displayed and the user selects the one required.
(4) The IDP proxy fixes the selected IDP service and redirects to it according to the IDP service's registration information held by the proxy.
(5) The IDP service returns its login page to the user.
(6) The user enters the account and password.
(7) The IDP service completes verification, generates an authorization code and returns it to the IDP proxy.
(8) The IDP proxy forwards the authorization to the third-party application at the callback address the application provided when it registered, completing the login.
Those skilled in the art can easily implement the specific development procedures of the above embodiments, and the details are not described herein.
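The preparation and authorization steps above, together with the method steps of the Disclosure and claims 1 to 5 that restate them, as an added example in Go. This is not code from the patent or from the assignee; the patent leaves the development details unspecified. The example assumes Ed25519 for the public keys the patent says are exchanged at registration, reads "a similar number" as a prefix match on the typed digits, represents the step (7) "authorization" as an authorization code signed by the IDP, models the app-side key exchange only as a recorded callback, and uses constructed addresses (idp.acme.example, crm.example) and a constructed user "alice"; all of these are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"net/url"
	"sort"
	"strings"
)

// Registration records (preparation steps 1 and 2). Ed25519 is an assumption: the patent
// only says a public key is exchanged; the app-side key exchange is not modelled here.
type idpRecord struct {
	Number, Address string // unique number; real address of a private IDP or logical address in a public one
	PubKey          ed25519.PublicKey
}
type appRecord struct {
	Callback string // callback address recorded at registration
}

// Proxy is the IDP proxy, the only party holding both IDP addresses and app callbacks.
type Proxy struct {
	idps map[string]*idpRecord
	apps map[string]*appRecord
}
func NewProxy() *Proxy {
	return &Proxy{idps: map[string]*idpRecord{}, apps: map[string]*appRecord{}}
}
func (p *Proxy) RegisterIDP(number, address string, pub ed25519.PublicKey) {
	p.idps[number] = &idpRecord{Number: number, Address: address, PubKey: pub}
}
func (p *Proxy) RegisterApp(appID, callback string) {
	p.apps[appID] = &appRecord{Callback: callback}
}
// Rebind moves an IDP after migration; the number users and apps see is unchanged.
func (p *Proxy) Rebind(number, newAddress string) bool {
	r, ok := p.idps[number]
	if ok {
		r.Address = newAddress
	}
	return ok
}
// FindIDPs is step (3): exact or "similar" number (taken here as: typed digits are a prefix).
func (p *Proxy) FindIDPs(typed string) []*idpRecord {
	var out []*idpRecord
	for n, r := range p.idps {
		if strings.HasPrefix(n, typed) {
			out = append(out, r)
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Number < out[j].Number })
	return out
}
// LoginURL is step (4): the address comes from the registration record, never the request.
func (p *Proxy) LoginURL(number string) (string, error) {
	r, ok := p.idps[number]
	if !ok {
		return "", errors.New("unknown IDP number")
	}
	return "https://" + r.Address + "/login", nil
}
// AuthGrant is the authorization the IDP returns in step (7), signed with the IDP's private key.
type AuthGrant struct {
	IDPNumber, Subject, Code string
	Sig                      []byte
}
func grantBytes(number, subject, code string) []byte {
	return []byte(number + "\x00" + subject + "\x00" + code)
}
// IssueGrant runs on the IDP service once the account/password check has passed.
func IssueGrant(number, subject, code string, priv ed25519.PrivateKey) AuthGrant {
	return AuthGrant{number, subject, code, ed25519.Sign(priv, grantBytes(number, subject, code))}
}

// Forward is step (8): verify the grant against the registered IDP key, then hand the code
// to the application's registered callback address.
func (p *Proxy) Forward(appID string, g AuthGrant) (string, error) {
	idp, ok := p.idps[g.IDPNumber]
	if !ok || !ed25519.Verify(idp.PubKey, grantBytes(g.IDPNumber, g.Subject, g.Code), g.Sig) {
		return "", errors.New("authorization not signed by a registered IDP")
	}
	app, ok := p.apps[appID]
	if !ok {
		return "", errors.New("unknown third-party application")
	}
	q := url.Values{"code": {g.Code}, "idp": {g.IDPNumber}}
	return app.Callback + "?" + q.Encode(), nil
}

func main() { // constructed sample data: one private IDP (number 1001) and one app ("crm")
	idpPub, idpPriv, _ := ed25519.GenerateKey(rand.Reader)
	p := NewProxy()
	p.RegisterIDP("1001", "idp.acme.example", idpPub)
	p.RegisterApp("crm", "https://crm.example/idp-callback")
	fmt.Println(p.LoginURL(p.FindIDPs("100")[0].Number))
	fmt.Println(p.Forward("crm", IssueGrant("1001", "alice", "c0de", idpPriv)))
}
```

Two properties of the flow are worth checking in any implementation of this scheme. First, neither the IDP login address nor the application callback is taken from the browser request: LoginURL reads the IDP's registration record and Forward reads the application's, so a request cannot steer the redirect or the code to an address of its own choosing. Second, a grant is accepted only if it verifies under the key registered for the IDP number it names, so a grant signed by any other key, or one whose code was altered in transit, is dropped before anything reaches the application. The "virtualized IDP" of the description is Rebind: the address in the proxy's record changes and the number that the application and its users know does not.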
An embodiment of the present invention further provides an electronic device, comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the IDP-proxy-based application authorization method described above.
An embodiment of the present invention further provides a non-transitory computer-readable storage medium storing computer instructions for causing a computer to execute the IDP-proxy-based application authorization method described above.
Referring to Fig. 4, an embodiment of the present invention further provides an IDP-proxy-based application authorization system, comprising an IDP proxy, at least one IDP service and at least one third-party application, wherein the IDP service and the third-party application are both registered in the IDP proxy and are each in communication with it;
the login page of the third-party application can show the login entry of the IDP proxy so that the user can select an IDP service registered in the IDP proxy;
the IDP service stores user information, provides a login page, verifies the user's identity by account and password or similar means, and returns an authorization for the logged-in user to the IDP proxy;
and the IDP proxy, according to the IDP service selected by the user, redirects to the login page of that IDP service, requests its authorization, and forwards the authorization to the third-party application to complete login.
In one example, the IDP service and the third-party application each completing registration in the IDP proxy comprises: the IDP proxy recording the network address of the IDP service and exchanging a public key with the IDP service; and the IDP proxy recording the callback address of the third-party application and exchanging a public key with the third-party application. The IDP services include private IDP services and public IDP services, and each IDP service registered in the IDP proxy has a unique number.
With the IDP-proxy-based application authorization method and system, what an application sees as one IDP can correspond over time to several actual IDP services behind the proxy. When an IDP service migrates to a new address or changes in similar ways, updating the address held by the proxy keeps the IDP service available. Any third-party application connected to the IDP proxy can use the IDP service immediately, a user of several third-party applications logs in through one unified identity verification system, repeated registration and login are avoided, a SaaS service behaves for the enterprise or individual like a private application, and the user's coordination, development and usage costs are greatly reduced.
Having described embodiments of the present invention, the foregoing description is intended to be exemplary, not exhaustive, and not limited to the embodiments disclosed. Many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the described embodiments.

Claims (10)

1. An application authorization method based on an IDP proxy, characterized by comprising the following steps:
providing an IDP proxy, wherein the IDP proxy provides a proxy service for IDP services and is in communication connection with the IDP service and a third-party application;
completing registration of at least one IDP service and at least one third-party application in the IDP proxy, wherein the IDP service stores user information, can provide a login page, and verifies the identity of a user by account and password;
displaying a login entry of the IDP proxy on a login page of the third-party application so that a user can select an IDP service registered in the IDP proxy;
and the IDP proxy, according to the IDP service selected by the user, redirecting to the login page of the selected IDP service, requesting the authorization of the selected IDP service, and forwarding the authorization to the third-party application to complete login.
2. The IDP-proxy-based application authorization method of claim 1, wherein completing registration of the at least one IDP service and the at least one third-party application in the IDP proxy comprises:
the IDP proxy recording the network address of the IDP service and exchanging a public key with the IDP service;
and the IDP proxy recording the callback address of the third-party application and exchanging a public key with the third-party application.
3. The IDP-proxy-based application authorization method of claim 2, characterized in that the IDP services comprise private IDP services and public IDP services.
4. The IDP-proxy-based application authorization method of claim 2, characterized in that the network address of the IDP service comprises an IP address and/or a domain name.
5. The IDP-proxy-based application authorization method of claim 1, wherein each IDP service registered in the IDP proxy has a unique number, and the user selecting an IDP service registered in the IDP proxy comprises:
after the user enters the number of an IDP service and confirms, if that number or a similar number exists, displaying the matching IDP services so that the user can select the one required.
6. An electronic device, characterized in that the electronic device comprises:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the IDP-proxy-based application authorization method of any of claims 1-5.
7. A non-transitory computer-readable storage medium storing computer instructions for causing a computer to perform the IDP-proxy-based application authorization method of any one of claims 1 to 5.
8. An application authorization system based on an IDP proxy, characterized by comprising an IDP proxy, at least one IDP service and at least one third-party application, wherein the IDP service and the third-party application are registered in the IDP proxy and are each in communication connection with the IDP proxy;
the login page of the third-party application can show a login entry of the IDP proxy so that a user can select an IDP service registered in the IDP proxy;
the IDP service stores user information, provides a login page, verifies the user identity by account and password, and returns authorization information for the logged-in user to the IDP proxy;
and the IDP proxy, according to the IDP service selected by the user, redirects to the login page of the selected IDP service, requests the authorization of the selected IDP service, and forwards the authorization to the third-party application to complete login.
9. The IDP-proxy-based application authorization system of claim 8, wherein the IDP service and the third-party application each completing registration in the IDP proxy comprises:
the IDP proxy recording the network address of the IDP service and exchanging a public key with the IDP service;
and the IDP proxy recording the callback address of the third-party application and exchanging a public key with the third-party application.
10. The IDP-proxy-based application authorization system of claim 9, wherein the IDP services comprise private IDP services and public IDP services, and each IDP service registered in the IDP proxy has a unique number.
Priority Applications (1)

Application number: CN202010147686.2A (granted as CN111431972B); priority date: 2020-03-05; filing date: 2020-03-05; title: Application authorization method, device, storage medium and system based on IDP proxy

Publications (2)

CN111431972A (application publication): 2020-07-17
CN111431972B (grant publication): 2022-09-20

Family

ID=71547449

Country Status (1)

Country Link
CN (1) CN111431972B (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104994102A * 2015-07-08 2015-10-21 浪潮软件股份有限公司 Enterprise information system authentication and access control method based on reverse proxy
CN107147647A * 2017-05-11 2017-09-08 腾讯科技(深圳)有限公司 Web page authorization method and device
CN107786571A * 2017-11-07 2018-03-09 昆山云景商务服务有限公司 Method for unified user authentication
CN109472123A * 2018-11-05 2019-03-15 用友网络科技股份有限公司 Method and system for a cloud service to integrate a third-party single-sign-on user center
CN110035099A * 2018-01-12 2019-07-19 厦门雅迅网络股份有限公司 Multi-system management method, terminal device and storage medium
CN110740116A * 2018-07-20 2020-01-31 北京思源理想控股集团有限公司 Multi-application identity authentication system and method

Also Published As

Publication number Publication date
CN111431972B (en) 2022-09-20


Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant