
CN102724647B - Method and system for access capability authorization - Google Patents


Info

Publication number
CN102724647B
Authority
CN
China
Prior art keywords
authorization
access
capability
party
billing
Legal status
Expired - Fee Related
Application number
CN201210184762.2A
Other languages
Chinese (zh)
Other versions
CN102724647A
Inventor
刘梦娟
王聪
柯涛
赵洋
张朋
Current Assignee
University of Electronic Science and Technology of China
Original Assignee
University of Electronic Science and Technology of China

Landscapes

  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention discloses a capability access authorization method and system that manages authorization on a service capability open platform: (1) when a third-party application accesses a service capability, it must obtain the explicit authorization of the party billed for the service; (2) when a third-party application accesses a service capability that involves an end user's private data, it must obtain the explicit authorization of the owner of that private data, so as to protect the security and privacy of end-user data; (3) it must obtain the authorization of the open platform's service level agreement (SLA) system. Once these several parties have authorized the access, the authorization system generates a corresponding access token and issues it to the third-party application. The third-party application presents this access token as its capability access credential and can then call the corresponding capability interface directly, which ensures that the service capabilities of the open platform are accessed appropriately and only by legitimate third-party applications.

Description

A capability access authorization method and system

Technical Field

The invention belongs to the technical field of the Internet and, more specifically, relates to a capability access authorization method for a service capability open platform.

Background

With the large increase in mobile communication bandwidth and the growing intelligence of mobile terminals, traditional mobile or Internet services can no longer meet the diverse, personalized needs of mobile terminal users. To further promote mobile Internet services, well-known Internet companies and telecom operators at home and abroad have launched their own service capability open platforms, such as Google App and China Telecom's "Tianyi Space Application Factory". Such platforms package their service capabilities as API interfaces in a unified format and offer them to third-party application developers (both enterprises and individuals), making mobile Internet services easier to develop, deploy and promote.

The service capabilities offered by such platforms usually include telecommunications capabilities such as SMS, voice, positioning and mobile payment; Internet capabilities such as search, microblogging (Weibo) and cloud storage; and access to end users' private data and information.

At present, capability access authorization on service capability open platforms is still maturing, and no method yet provides comprehensive authorization management. For example, China Telecom's open platform only offers capability access in which the third-party application developer authorizes the billing: the developer must purchase the corresponding capability in advance before the third-party application can call the ordered capability interface. It cannot yet offer authorization management functions such as capability access billed with the end user's authorization, or access to private data authorized by the user. For authorizing access to users' private data, Internet open platforms usually adopt an authorization method based on the OAuth protocol. With this method the user can authorize a third-party application to access data within the user's own scope without exposing the user's own authentication credentials (such as username and password) to the application. However, the OAuth authorization protocol is mainly aimed at the case in which the end user of a third-party application needs to access that user's own private data; it does not consider other owners of private data granting a third-party application authorized access. Nor does OAuth address functions such as billing authorization and SLA system authorization for capability access.

Summary of the Invention

The purpose of the invention is to overcome the deficiencies of the prior art and provide a complete, comprehensive capability access authorization method for service capability open platforms that manages the authorization of third-party applications' access to the service capabilities the platform provides, thereby ensuring that those capabilities are accessed appropriately and only by legitimate third-party applications.

To achieve this purpose, the capability access authorization method of the invention is characterized in that it includes the following steps:

Step 1. The third-party application sends the authorization system of the service capability open platform a request message applying for an access token for a particular capability interface. The request message includes at least: the name of the capability interface to be accessed, the party billed for the capability access, the third-party application identifier, the terminal address of the authorizing user, the terminal MSISDN of the authorizing user, the list of private data requiring the user's authorization, and a signature computed with the third-party application's key;

Step 2. The authorization system of the service capability open platform receives the access token request message and then performs:

2.1) Verifying the legitimacy of the access token request message itself

Verifying the legitimacy of the request message itself covers the legitimacy of the third-party application, the legitimacy of the capability interface being requested, and the legitimacy of the request message parameters;

The legitimacy of the third-party application is verified on the basis of the third-party application identifier carried in the request message and the signature computed with the third-party application's key;

The legitimacy of the requested capability interface is verified on the basis of the name of the capability interface carried in the request message;

The legitimacy of the request message parameters is verified by checking, for example, whether the format and range of every parameter carried in the request message conform to the specification;

If the request message is not legitimate, the authorization system returns the response message "access token application is invalid" to the third-party application and terminates the authorization process; if the request message is legitimate, it proceeds to step 2.2;

2.2) Billing authorization and verification

If the requested capability interface is free of charge, step 2.3 is executed directly; otherwise the authorization system sends a billing authorization request message to the billing party identified in the request message, the billing party being determined from the billing-party parameter carried in the request message;

The billing party receives the billing authorization request message, authorizes billing for the requested capability access, and returns the authorization information to the authorization system;

The authorization system decides on the basis of the authorization information returned by the billing party. If the billing party declines to authorize, it returns the response message "no billing party authorization" to the third-party application and terminates the authorization process. If the billing party agrees to authorize, the authorization system asks the billing system of the open platform to verify, according to the billing mode, whether the billing party is valid; if the billing party is valid, step 2.3 is executed, otherwise the response message "billing party balance insufficient" or "credit insufficient" is returned to the third-party application and the authorization process is terminated;

2.3) Private data access authorization and verification

If the requested capability interface does not involve private data, step 2.4 is executed directly; otherwise a private data access authorization request message is sent to the owner of the private data. If the owner is online, the owner's address is given by the authorizing user's terminal address carried in the request message; if the owner is offline, the owner's address is given by the authorizing user's terminal MSISDN;

The owner of the private data receives the private data access authorization request message, authorizes access to the requested private data, namely the items in the list of private data requiring user authorization carried in the access token request message, and returns the authorization information to the authorization system;

The authorization system decides on the basis of the authorization information returned by the owner of the private data. If the owner declines to authorize, it returns the response message "error accessing private data" to the third-party application and terminates the authorization process. If the owner agrees to authorize, the authorization system asks the authentication system of the open platform to verify the owner of the private data, that is, whether the authorizing user is legitimate; if so, step 2.4 is executed, otherwise the response message "authorized user is not legal" is returned to the third-party application and the authorization process is terminated;

2.4) SLA (Service Level Agreement) authorization

The authorization system asks the SLA (Service Level Agreement) system of the open platform to authorize the third-party application's access to the capability interface as reasonable. If the frequency with which the third-party application accesses the capability interface complies with the SLA contract signed in advance, the SLA system grants authorization; otherwise it refuses;

Depending on the SLA system's decision, if the SLA system grants authorization, the authorization system executes step 3; otherwise it returns the response message "request too frequent" to the third-party application and terminates the authorization process;

Step 3. Access token generation and issuance

Based on the third-party application's request for access to the capability interface, the authorization system generates a single unique access token that covers the billing, private data access and SLA authorizations, and issues it to the third-party application;

Step 4. Capability interface access

The third-party application presents the access token as its capability access credential and can directly access the corresponding capability interface of the service capability open platform. The capability server performs the corresponding capability access and returns the result to the third-party application, completing the access.
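As an added illustration (not code from the patent or its applicant), the following Python models steps 1 to 4 above as one pipeline, including the prepaid/postpaid billing check detailed in step 110 of the embodiment below: request signature check, billing party consent and funds check, private data owner consent confirmed by the authentication system, an SLA sliding-window frequency check, and a single HMAC-bound token that the capability server's verifier checks. All application ids, keys, interface names, fees, message fields and the token format are constructed assumptions; the patent does not specify them.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed registration data for this illustration; a real platform reads these from its databases.
APP_KEYS = {"app-001": b"constructed-app-secret"}          # third-party application id -> app key
INTERFACES = {                                              # capability interfaces and their properties
    "sms.send":       {"fee": 1, "private": True},
    "location.query": {"fee": 2, "private": True},
    "weather.today":  {"fee": 0, "private": False},
}
ACCOUNTS = {                                                # billing parties, prepaid or postpaid (step 110)
    "user-42":    {"mode": "prepaid",  "balance": 1},
    "provider-7": {"mode": "postpaid", "credit_ok": True},
}
SLA = {"app-001": {"max_per_minute": 2}}                    # pre-signed SLA contract per application
TOKEN_KEY = b"constructed-authorization-system-key"         # shared with the token verification module
TOKEN_TTL = 300                                             # token lifetime in seconds (assumption)


def _mac(key: bytes, data: bytes) -> str:
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def sign_request(req: dict, app_key: bytes) -> str:
    """Step 1 signature: HMAC with the application key over every field except 'sig'."""
    body = json.dumps({k: v for k, v in req.items() if k != "sig"}, sort_keys=True).encode()
    return _mac(app_key, body)


def make_request(app_id, interface, billing_party, owner_msisdn, private_data):
    """Builds and signs a step-1 request message the way the third-party application would."""
    req = {"app_id": app_id, "interface": interface, "billing_party": billing_party,
           "owner_addr": "10.0.0.8", "owner_msisdn": owner_msisdn, "private_data": private_data}
    req["sig"] = sign_request(req, APP_KEYS[app_id])
    return req


class AuthorizationSystem:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.history = {}    # application id -> timestamps of recent token requests (SLA check)

    def request_token(self, req: dict, answers: dict):
        """Steps 2.1 to 2.4 and 3. `answers` stands for what the billing party and the private data
        owner replied out of band; returns (token, None) or (None, rejection message)."""
        # 2.1 legitimacy of the request itself: registered app, valid signature, known interface, well-formed list
        key = APP_KEYS.get(req.get("app_id"))
        if key is None or not hmac.compare_digest(req.get("sig", ""), sign_request(req, key)):
            return None, "access token application is invalid"
        iface = INTERFACES.get(req.get("interface"))
        if iface is None or not isinstance(req.get("private_data"), list):
            return None, "access token application is invalid"
        # 2.2 billing: free interfaces skip; otherwise the billing party must consent and the billing system checks funds
        if iface["fee"] > 0:
            if not answers.get("billing_party_agrees"):
                return None, "no billing party authorization"
            acct = ACCOUNTS.get(req.get("billing_party"))
            if acct is None:
                return None, "access token application is invalid"
            if acct["mode"] == "prepaid" and acct["balance"] < iface["fee"]:
                return None, "billing party balance insufficient"
            if acct["mode"] == "postpaid" and not acct["credit_ok"]:
                return None, "credit insufficient"
        # 2.3 private data: the owner must consent, and the authentication system must confirm who consented
        if iface["private"]:
            if not answers.get("owner_agrees"):
                return None, "error accessing private data"
            if answers.get("authenticated_owner") != req.get("owner_msisdn"):
                return None, "authorized user is not legal"
        # 2.4 SLA: the request rate must stay within the contract (sliding one-minute window)
        now = self.clock()
        recent = [t for t in self.history.get(req["app_id"], []) if now - t < 60]
        if len(recent) >= SLA[req["app_id"]]["max_per_minute"]:
            return None, "request too frequent"
        self.history[req["app_id"]] = recent + [now]
        # 3. one token binding application, interface, billing party and authorized private data
        claims = {"app_id": req["app_id"], "interface": req["interface"],
                  "billing_party": req.get("billing_party"), "private_data": req["private_data"],
                  "exp": int(now) + TOKEN_TTL, "jti": secrets.token_hex(8)}
        payload = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
        return payload + "." + _mac(TOKEN_KEY, payload.encode()), None


def verify_token(token: str, interface: str, now=None):
    """Token verification module (step 4): the capability server forwards the token and serves the
    call only if signature, expiry and interface all check out. Returns the claims or None."""
    parts = token.split(".")
    if len(parts) != 2 or not hmac.compare_digest(parts[1], _mac(TOKEN_KEY, parts[0].encode())):
        return None
    claims = json.loads(base64.urlsafe_b64decode(parts[0]))
    now = time.time() if now is None else now
    if claims["exp"] <= now or claims["interface"] != interface:
        return None
    return claims
```

Each rejection path returns one of the response messages from the steps above, so a log of `request_token` results maps directly onto which authorizing party or check stopped the request.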

In addition, the invention provides a capability access authorization system, comprising:

A token request legitimacy verification module, used to verify the legitimacy of the access token request message itself, including the legitimacy of the third-party application, of the requested capability interface and of the request message parameters;

If the request message is not legitimate, the authorization system returns the response message "access token application is invalid" to the third-party application and terminates the authorization process; if it is legitimate, the token request message is handed to the billing authorization module for further processing;

A billing authorization module, used to send an authorization request to the billing party and receive the authorization response the billing party returns:

If the requested capability interface is free of charge, the token request message is handed to the private data access authorization module for further processing; otherwise the billing authorization module sends a billing authorization request message to the billing party identified in the request message;

The billing party receives the billing authorization request message, authorizes billing for the requested capability access, and returns the authorization information to the billing authorization module;

The billing authorization module decides on the basis of the authorization information returned by the billing party. If the billing party declines to authorize, it returns the response message "no billing party authorization" to the third-party application and terminates the authorization process. If the billing party agrees, the module asks the billing system of the open platform to verify, according to the billing mode, whether the billing party is valid; if so, the token request message is handed to the private data access authorization module for further processing, otherwise the response message "billing party balance insufficient" or "credit insufficient" is returned to the third-party application and the authorization process is terminated;

A private data access authorization module, used to send an authorization request to the owner of the private data and receive the authorization response the resource owner returns:

If the requested capability interface does not involve private data, the token request message is handed to the SLA authorization module for further processing; otherwise a private data access authorization request message is sent to the owner of the private data;

The owner of the private data receives the private data access authorization request message, authorizes the requested private data access, and returns the authorization information to the private data access authorization module;

The private data access authorization module decides on the basis of the authorization information returned by the owner. If the owner declines to authorize, it returns the response message "error accessing private data" to the third-party application and terminates the authorization process. If the owner agrees, the module asks the authentication system of the open platform to verify whether the owner of the private data is legitimate; if so, the token request message is handed to the SLA authorization module for further processing, otherwise the response message "authorized user is not legal" is returned to the third-party application and the authorization process is terminated;

An SLA authorization module, used to ask the SLA system of the open platform to authorize the third-party application's access to the capability interface as reasonable. If the frequency with which the third-party application accesses the capability interface complies with the SLA contract signed in advance, the SLA system grants authorization; otherwise it refuses;

Depending on the SLA system's decision, if the SLA system grants authorization, the SLA authorization module hands the token request message to the token issuance module for further processing; otherwise it returns the response message "request too frequent" to the third-party application and terminates the authorization process;

A token issuance module, used to generate, based on the third-party application's request for access to the capability interface, a single unique access token covering the billing, private data access and SLA authorizations and issue it to the third-party application; the third-party application presents the access token as its capability access credential and can then directly access the corresponding capability interface of the service capability open platform;

A token verification module, used when the third-party application presents the access token as its capability access credential to access a capability interface of the platform: it receives the access token forwarded by the capability server and verifies its legitimacy; if the token is verified as legitimate, the capability server of the service capability open platform performs the corresponding capability access.

The purpose of the invention is achieved as follows:

The capability access authorization method of the invention manages authorization on a service capability open platform and mainly involves the following:

(1) When a third-party application accesses a service capability, it must obtain the explicit authorization of the party billed for the service, for example whether the end user or the application provider permits their own account to be used as the billing account for this capability access;

(2) When a third-party application accesses a service capability that involves an end user's private data (such as obtaining user information or using user resources), it must obtain the explicit authorization of the owner of that private data, so as to protect the security and privacy of end-user data, for example whether the third-party application may obtain the end user's location, or may place calls or send SMS messages in the end user's name;

(3) For the sake of keeping the capability interfaces under control, ensuring they are used reasonably, and controlling data access rights at multiple granularities, a third-party application accessing a service capability must also obtain the authorization of the open platform's service level agreement (SLA) system;

After obtaining these several authorizations, the authorization system generates the corresponding access token and issues it to the third-party application. The third-party application presents the access token as its capability access credential and can directly access the corresponding capability interface, which ensures that the service capabilities of the open platform are accessed appropriately and only by legitimate third-party applications.

Description of the Drawings

Fig. 1 is a flow chart of the capability access authorization method of the invention;

Fig. 2 is a deployment diagram of the systems in the capability access authorization method of the invention;

Fig. 3 is a flow chart of a specific embodiment of the capability access authorization method of the invention;

Fig. 4 is a flow chart of a specific embodiment of the method for judging the legitimacy of an access token request in the capability access authorization method of the invention;

Fig. 5 is a flow chart of a specific embodiment of capability access using the access token as the capability access credential in the capability access authorization method of the invention;

Fig. 6 is a functional block diagram of the authorization system in the capability access authorization method of the invention.

Detailed Description

Specific embodiments of the invention are described below with reference to the accompanying drawings so that those skilled in the art can better understand the invention. Note that in the following description, detailed descriptions of known functions and designs are omitted where they would obscure the main content of the invention.

Fig. 1 is a flow chart of the capability access authorization method of the invention.

As shown in Fig. 1, the capability access authorization method of the invention includes:

Step 1: The third-party application sends a request message applying for an access token;

Step 2: The authorization system of the service capability open platform receives the access token request message, then verifies the request message and authorizes the capability access:

Step 2.1: Verify the legitimacy of the request message;

Step 2.2: Perform billing authorization and verification;

Step 2.3: Perform private data access authorization and verification;

Step 2.4: SLA authorization;

Step 3: Generate an access token and issue it to the third-party application, which uses it as the authorization credential to access the corresponding capability interface.

Fig. 2 is a deployment diagram of the systems in the capability access authorization method of the invention.

Each system is implemented inside the service capability open platform; the deployment is shown schematically in Fig. 2.

First, the roles involved in the invention and their functions are explained. The roles are: third-party application, end user, billing party, private data owner, authorization system, authentication system, billing system, SLA system and capability server. The third-party application is a program developed on the capability interfaces provided by the open platform; it may be an application with a back-end server or a desktop application without one. The end user is the person currently using the third-party application. The billing party pays for the capability access; it may be the end user of the third-party application or the application's provider, the latter mainly in the case of applications with a back-end server. The private data owner may be the end user currently using the third-party application or another user of the open platform. The authorization system performs authorization management for third-party applications' access to capability interfaces; the authentication system authenticates open platform users; the billing system bills open platform users; the SLA system judges whether the frequency with which a third-party application accesses a capability interface complies with the SLA contract signed in advance; and the capability server provides capability access services such as SMS, voice, positioning, Weibo and cloud storage through the capability interfaces.

Fig. 3 is a flow chart of a specific embodiment of the capability access authorization method of the invention.

In this embodiment, as shown in Fig. 3, the specific steps of the capability access authorization method of the invention are as follows:

Step 101: The third-party application sends the authorization system of the open platform a request message applying for an access token for a particular capability interface. The request message includes: the name of the capability interface to be accessed, the party billed for the capability access, the third-party application identifier, the terminal address of the authorizing user, the terminal MSISDN of the authorizing user, the user authorization list, and a signature computed with the third-party application's key.

Step 102: The authorization system receives the request message and verifies the legitimacy of the access token request itself, including the legitimacy of the third-party application, of the requested capability interface and of the request message parameters; if the request message is legitimate, step 104 is executed, otherwise step 103;

Step 103: The authorization system returns the response message "access token application is invalid" to the third-party application and terminates the authorization process;

Step 104: The authorization system judges whether the requested capability interface is free of charge; if so, step 114 is executed directly, otherwise step 105;

Step 105: The authorization system sends a billing authorization request message to the billing party identified in the request message; in this embodiment the billing party may be the provider of the third-party application or the end user using it;

Step 106: The billing party receives the billing authorization request message, authorizes billing for this capability access, and returns the authorization information to the authorization system;

Step 107: The authorization system judges whether the billing party agrees to the billing authorization; if so, step 109 is executed, otherwise step 108;

Step 108: The authorization system returns the response message "no billing party authorization" to the third-party application and terminates the authorization process;

Step 109: The authorization system asks the billing system of the open platform to verify whether the billing authorization is valid;

Step 110: The billing system verifies the validity of the billing authorization according to the billing mode used by the billing party. In this embodiment there are two billing modes, prepaid and postpaid: for prepaid, it checks whether the billing party has sufficient balance for this access; for postpaid, it checks whether the billing party's credit standing is in question;

Step 111: The billing system returns the verification result for this billing authorization to the authorization system;

Step 112: Based on the verification result, if this billing authorization is valid the authorization system executes step 114, otherwise step 113;

Step 113: The authorization system returns the response message "billing party balance insufficient" or "credit insufficient" to the third-party application and terminates the authorization process;

步骤114:授权系统判断申请访问的能力接口是否涉及终端用户的私有数据,如果涉及,则执行步骤115,否则直接执行步骤124;Step 114: The authorization system judges whether the capability interface requested for access involves the private data of the end user, and if so, executes step 115, otherwise directly executes step 124;

步骤115:授权系统发送数据访问授权的请求消息给私有数据的拥有者,在本实施例中,即私有数据访问的终端用户,该请求消息携带有本次能力访问需用户授权私有数据的列表;Step 115: The authorization system sends a data access authorization request message to the owner of the private data, in this embodiment, the end user who accesses the private data, and the request message carries a list of private data that needs to be authorized by the user for this capability access;

步骤116:私有数据拥有者对申请访问的私有数据进行授权,并将自己的认证凭证及授权信息返回给授权系统;Step 116: The private data owner authorizes the private data requested for access, and returns his authentication credentials and authorization information to the authorization system;

步骤117:授权系统判断私有数据拥有者是否同意授权,如果同意,则执行步骤119,否则执行步骤118;Step 117: The authorization system judges whether the owner of the private data agrees to the authorization, if yes, then executes Step 119, otherwise executes Step 118;

步骤118:授权系统返回“访问私有数据出错”的响应消息给第三方应用,终止授权过程;Step 118: The authorization system returns a response message of "error in accessing private data" to the third-party application, terminating the authorization process;

步骤119:授权系统请求能力开放平台的认证系统验证私有数据拥有者,即授权用户是否合法;Step 119: The authorization system requests the authentication system of the capability opening platform to verify whether the private data owner, that is, the authorized user is legal;

步骤120:认证系统根据授权用户提交的认证凭证对其合法性进行验证;Step 120: the authentication system verifies the legitimacy of the authentication credential submitted by the authorized user;

步骤121:认证系统将授权用户合法性的验证结果返回给授权系统;Step 121: the authentication system returns the verification result of the legality of the authorized user to the authorization system;

步骤122:授权系统根据验证结果,如果授权用户合法,则执行步骤124,否则执行步骤123;Step 122: According to the verification result, the authorization system executes Step 124 if the authorized user is legal, otherwise executes Step 123;

步骤123:授权系统返回“授权用户不合法”的响应消息给第三方应用,终止授权过程;Step 123: the authorization system returns a response message of "authorized user is invalid" to the third-party application, and terminates the authorization process;

步骤124:授权系统请求能力开放平台的SLA系统对第三方应用访问能力接口的合理性进行授权;Step 124: The authorization system requests the SLA system of the capability opening platform to authorize the rationality of the third-party application access capability interface;

步骤125:SLA系统判断第三方应用访问能力接口的频率是否符合预先签署的SLA合约,如果符合则SLA系统同意授权,否则SLA系统拒绝授权;Step 125: The SLA system judges whether the frequency of the third-party application access capability interface complies with the pre-signed SLA contract. If so, the SLA system agrees to authorize, otherwise the SLA system refuses to authorize;

步骤126:SLA系统将SLA授权结果返回给授权系统;Step 126: the SLA system returns the SLA authorization result to the authorization system;

步骤127:授权系统根据SLA系统的授权情况,如果SLA系统同意授权,则执行步骤129,否则执行步骤128;Step 127: The authorization system executes step 129 if the SLA system agrees to authorize according to the authorization situation of the SLA system, otherwise executes step 128;

步骤128:授权系统返回“请求过于频繁”的响应消息给第三方应用,终止授权过程;Step 128: The authorization system returns a response message of "request too frequently" to the third-party application, terminating the authorization process;

步骤129:授权系统生成一个唯一的访问令牌,生成一个唯一的涵盖计费、私有数据访问以及SLA授权的访问令牌发放给第三方应用,第三方应用携带访问令牌,以访问令牌作为能力访问授权凭证即可直接访问业务能力开放平台相应的能力接口。Step 129: The authorization system generates a unique access token, generates a unique access token covering billing, private data access, and SLA authorization, and issues it to the third-party application. The third-party application carries the access token, and the access token is used as The capability access authorization certificate can directly access the corresponding capability interface of the business capability exposure platform.

FIG. 4 is a flow chart of a specific embodiment of the method for determining the legitimacy of an access token request in the capability access authorization method of the present invention.

In this embodiment, as shown in FIG. 4, the steps for determining the legitimacy of the access token request itself are as follows:

Step 201: The authorization system determines whether the third-party application requesting the token is legitimate, including whether the developer's status is normal, whether the third-party application's status is normal, and whether the third-party application matches the third-party application identifier carried in the request; if legitimate, proceed to Step 203; otherwise proceed to Step 202;

Step 202: Return a response message "access token request invalid" to the third-party application and terminate the authorization process;

Step 203: The authorization system determines whether the requested capability interface is legitimate, i.e. whether it lies within the set of interfaces that this third-party application is permitted to access; if legitimate, proceed to Step 204; otherwise proceed to Step 202;

Step 204: The authorization system determines whether the parameters carried in the request message are legitimate; if so, the legitimacy check of the access token request itself is complete; otherwise proceed to Step 202.
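The following is an added example, not code from the patent, that models the authorization chain of Steps 101 to 129 together with the request legitimacy checks of Steps 201 to 204 as one decision function. The registries (developers, applications, interfaces, billing accounts, user credentials), the SLA limit of three requests per 60 seconds and the parameter rules are constructed assumptions; the replies of the billing party (Step 106) and of the private data owner (Step 116) are passed in as arguments instead of being exchanged over a network, and the signature on the request is not checked here. Each rejection returns the response message the patent names for that step, so the order of the checks can be read off the return values.

```python
import hmac
import ipaddress
import secrets
from collections import defaultdict, deque

# Constructed registry data: stand-ins for the platform's developer, application,
# capability-interface, billing and subscriber databases (all assumptions).
DEVELOPERS = {"dev-1": "normal", "dev-2": "suspended"}
APPS = {
    "app-A": {"developer": "dev-1", "status": "normal",
              "allowed_apis": {"LBS_BY_MSISDN", "TIME_NOW"}},
    "app-B": {"developer": "dev-2", "status": "normal",
              "allowed_apis": {"LBS_BY_MSISDN"}},
}
APIS = {  # LBS_BY_MSISDN is the interface named in the patent's LBS example
    "LBS_BY_MSISDN": {"free": False, "private_data": {"location"}},
    "TIME_NOW": {"free": True, "private_data": set()},
}
BILLING_ACCOUNTS = {  # prepaid accounts carry a balance, postpaid a credit flag
    "app-A": {"mode": "prepaid", "balance": 2},
    "user-13800000000": {"mode": "postpaid", "credit_ok": False},
}
USER_CREDENTIALS = {"13800000000": "otp-482913"}  # constructed, keyed by MSISDN
SLA_LIMIT, SLA_WINDOW = 3, 60.0  # assumed contract: 3 requests per 60 s per app and API
_sla_calls = defaultdict(deque)  # (app_key, api_name) -> timestamps of issued tokens
ISSUED_TOKENS = {}               # token -> binding recorded at issuance

INVALID = "access token request invalid"


def request_is_legitimate(req):
    """Steps 201-204: third-party application, requested interface, parameters."""
    app = APPS.get(req.get("app_key"))
    if app is None or app["status"] != "normal" \
            or DEVELOPERS.get(app["developer"]) != "normal":
        return False                                    # Step 201
    api_name = req.get("api_name")
    if api_name not in app["allowed_apis"] or api_name not in APIS:
        return False                                    # Step 203
    try:                                                # Step 204: format and range
        ipaddress.ip_address(req["ip_client"])
    except (KeyError, ValueError):
        return False
    msisdn = req.get("msisdn", "")
    if not (msisdn.isdigit() and 10 <= len(msisdn) <= 15):
        return False
    wanted = req.get("list")
    return (isinstance(wanted, list)
            and set(wanted) <= APIS[api_name]["private_data"]
            and req.get("pay_account") in BILLING_ACCOUNTS)


def authorize(req, billing_consent, user_consent, user_credential, now):
    """Steps 101-129. Returns (token, message); token is None when a step rejects."""
    if not request_is_legitimate(req):                  # Steps 102-103
        return None, INVALID
    api = APIS[req["api_name"]]
    if not api["free"]:                                 # Step 104
        if not billing_consent:                         # Steps 105-108
            return None, "no billing party authorization"
        account = BILLING_ACCOUNTS[req["pay_account"]]  # Steps 109-113
        if account["mode"] == "prepaid" and account["balance"] < 1:
            return None, "billing party funds insufficient"
        if account["mode"] == "postpaid" and not account["credit_ok"]:
            return None, "credit insufficient"
    if api["private_data"]:                             # Step 114
        if not user_consent:                            # Steps 115-118
            return None, "error accessing private data"
        expected = USER_CREDENTIALS.get(req["msisdn"], "").encode()
        if not hmac.compare_digest(expected, (user_credential or "").encode()):
            return None, "authorizing user invalid"     # Steps 119-123
    calls = _sla_calls[(req["app_key"], req["api_name"])]  # Steps 124-128
    while calls and now - calls[0] > SLA_WINDOW:
        calls.popleft()                                 # drop calls outside the window
    if len(calls) >= SLA_LIMIT:
        return None, "requests too frequent"
    calls.append(now)
    token = secrets.token_urlsafe(24)                   # Step 129: unique token, bound
    ISSUED_TOKENS[token] = {"app_key": req["app_key"],  # to app and interface
                            "api_name": req["api_name"], "issued": now}
    return token, "ok"


if __name__ == "__main__":
    req = {"api_name": "LBS_BY_MSISDN", "pay_account": "app-A", "app_key": "app-A",
           "ip_client": "198.51.100.7", "msisdn": "13800000000", "list": ["location"]}
    print(authorize(req, True, True, "otp-482913", 1000.0))
    print(authorize(req, True, False, "otp-482913", 1001.0))
```

The SLA counter only records requests that reach Step 129, so a rejected request does not consume the application's contract quota; whether rejected requests should count is a policy choice the patent leaves open.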

FIG. 5 is a flow chart of a specific embodiment of capability access using the access token as the capability access authorization credential in the capability access authorization method of the present invention.

In this embodiment, as shown in FIG. 5, the method of capability access using the access token as the capability access authorization credential includes the following steps:

Step 301: The third-party application receives the capability interface access token returned by the authorization system, then sends a capability interface access request message to the capability server of the service capability exposure platform; the request message includes the name of the capability interface to be accessed, the attribute parameters, and the access token for the corresponding interface;

Step 302: The capability server receives the access request and checks the legitimacy of the attribute parameters; if the parameters are invalid, proceed to Step 303, otherwise proceed to Step 304;

Step 303: The capability server returns a response message "attribute parameters invalid" to the third-party application and terminates the capability access process;

Step 304: The capability server requests the authorization system of the service capability exposure platform to verify the received access token;

Step 305: The authorization system verifies the validity of the access token;

Step 306: The authorization system returns the access token validity result to the capability server;

Step 307: The capability server receives the verification result; if the access token is valid, proceed to Step 309; otherwise proceed to Step 308;

Step 308: The capability server returns a response message "access token expired" to the third-party application and terminates the capability access process;

Step 309: The corresponding capability interface on the capability server performs the capability access;

Step 310: The capability server returns the capability access result to the third-party application, completing the capability access.
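As an added example, not the patent's code, the capability-server side of Steps 301 to 310 with the token check of Step 305 made concrete. The token store, the 300-second token lifetime, the per-interface attribute-parameter rules and the MSISDN-to-location table are constructed assumptions; so is the binding of a token to the application that presents it (the patent binds the token to billing, private data and SLA authorization but does not say what the validity check compares). The store keeps only a SHA-256 digest of each token, so a leak of the store does not leak usable credentials.

```python
import hashlib
import re

TOKEN_TTL = 300.0  # assumed token lifetime in seconds; the patent does not fix one

# Constructed token store (assumption): the authorization system keeps the SHA-256
# digest of each issued token with the application and interface it was issued for.
_TOKENS = {}


def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()


def record_issued_token(token, app_key, api_name, issued_at):
    """What the authorization system records at issuance (Step 129 of FIG. 3)."""
    _TOKENS[_digest(token)] = {"app_key": app_key, "api_name": api_name,
                               "issued_at": issued_at}


def verify_token(token, app_key, api_name, now):
    """Step 305: valid only if issued, unexpired, and issued for this very
    application and interface (the binding is an assumption of this example)."""
    rec = _TOKENS.get(_digest(token or ""))
    if rec is None or now - rec["issued_at"] > TOKEN_TTL:
        return False
    return rec["app_key"] == app_key and rec["api_name"] == api_name


# Constructed attribute-parameter rules per interface (Step 302).
PARAM_RULES = {
    "LBS_BY_MSISDN": {"msisdn": re.compile(r"\d{10,15}")},
}


def params_are_valid(api_name, params):
    rules = PARAM_RULES.get(api_name)
    if rules is None:                      # unknown interface: nothing to validate against
        return False
    return all(name in params and rule.fullmatch(str(params[name])) is not None
               for name, rule in rules.items())


# Constructed capability implementation: MSISDN -> geographic location.
_LOCATIONS = {"13800000000": {"lat": 30.6586, "lon": 104.0648}}


def capability_server_handle(request, now):
    """Steps 301-310 on the capability server. Returns (status, payload)."""
    api_name, params, token = request["api_name"], request["params"], request["token"]
    if not params_are_valid(api_name, params):             # Steps 302-303
        return "error", "attribute parameters invalid"
    if not verify_token(token, request["app_key"], api_name, now):  # Steps 304-308
        return "error", "access token expired"
    return "ok", _LOCATIONS.get(params["msisdn"])          # Steps 309-310


if __name__ == "__main__":
    record_issued_token("demo-token", "app-A", "LBS_BY_MSISDN", 1000.0)
    req = {"app_key": "app-A", "api_name": "LBS_BY_MSISDN",
           "params": {"msisdn": "13800000000"}, "token": "demo-token"}
    print(capability_server_handle(req, 1010.0))
    print(capability_server_handle(req, 1400.0))
```

Checking the attribute parameters before consulting the authorization system (the order the patent gives in Steps 302 and 304) keeps malformed requests from costing a token lookup; a missing, expired or mis-bound token all produce the same "access token expired" response, so the caller learns nothing about which binding failed.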

FIG. 6 is a block diagram of the authorization system in the capability access authorization method of the present invention.

In this embodiment, as shown in FIG. 6, the capability access authorization system includes a token request legitimacy verification module 401, a billing authorization module 402, a private data access authorization module 403, an SLA authorization module 404, an access token issuance module 405 and an access token verification module 406.

The token request legitimacy verification module 401 verifies the legitimacy of the request message itself, including the legitimacy of the third-party application, the legitimacy of the requested capability interface, and the legitimacy of the request message parameters. If the request message is legitimate, the token request message is handed to the billing authorization module for further processing; otherwise the request message is invalid and the token request legitimacy verification module directly returns a response message "access token request invalid" to the third-party application and terminates the authorization process.

The billing authorization module 402 performs the billing authorization for capability access. It first determines whether the requested capability interface is free of charge; if so, it proceeds directly to the subsequent private data access authorization process. Otherwise it identifies the billing party for this capability access from the parameters carried in the token request message, sends an authorization request to the billing party and receives the billing party's authorization response: if the billing party does not agree to the authorization, the billing authorization module returns a response message "no billing party authorization" to the third-party application and terminates the authorization process; if the billing party agrees, the billing authorization module requests the billing system of the capability exposure platform to verify whether the billing authorization is legitimate. If the billing authorization is legitimate, the subsequent private data access authorization process continues; otherwise a response message "billing party funds insufficient" or "credit insufficient" is returned to the third-party application and the authorization process is terminated.

The private data access authorization module 403 performs the authorization for private data access. It first determines whether the requested capability interface involves the end user's private data; if not, it proceeds directly to the subsequent SLA authorization process. Otherwise it sends a data access authorization request message to the owner of the private data: if the owner does not agree to the authorization, a response message "error accessing private data" is returned to the third-party application and the authorization process is terminated; if the owner agrees, the authentication system of the capability exposure platform is asked to verify whether the authorizing user is legitimate. If legitimate, the subsequent SLA authorization process continues; otherwise a response message "authorizing user invalid" is returned to the third-party application and the authorization process is terminated.

The SLA authorization module 404 requests the SLA system of the capability exposure platform to authorize whether the frequency with which the third-party application accesses the capability interface complies with the previously signed SLA contract, and receives the authorization response returned by the SLA system.

The token issuance module 405 generates a new, globally unique access token and sends it to the third-party application when the request is legitimate and authorization has been obtained from all parties.

The access token verification module 406 is used when the third-party application carries the access token and uses it as the capability access authorization credential to access the corresponding capability interface of the service capability exposure platform: it receives the access token sent by the capability server and verifies its legitimacy; if the token is verified as legitimate, the capability server of the service capability exposure platform performs the corresponding capability access.

Example

The present invention provides a specific capability access example for a Location Based Service (LBS).

Assume that a third-party application needs to access the LBS capability provided by the capability exposure platform in order to obtain the end user's current geographic location. Assume that the LBS capability has been purchased by the third-party application, which acts as the billing party for each capability access. Furthermore, the end user's geographic location is the end user's private data, so private data access authorization must be obtained from the end user. In summary, before the authorization system of the capability exposure platform issues an LBS capability access authorization credential to the third-party application, it must first complete three processes: payer authorization, user private data access authorization and SLA authorization. The specific implementation steps are as follows:

Step 501: The third-party application sends a request message to the authorization system of the capability exposure platform applying for an LBS capability interface access token. The request contains the following parameters: the name of the capability interface to be accessed (api_name), the billing party for the capability access (pay_account), the third-party application identifier (app_key), the end user's IP address (ip_client), the end user's MSISDN number (msisdn), the list of geographic location information (list), and a signature that incorporates the third-party application key (md5). In this embodiment the specific parameters are as described in Table 1, which lists the parameters carried in the access token request message.

Step 502: The authorization system receives the request message and verifies the legitimacy of the access token request message itself, specifically including the legitimacy of the third-party application, the legitimacy of the requested capability interface and the legitimacy of the request message parameters; if the request message is legitimate, proceed to Step 503, otherwise the authorization system returns a response message "access token request invalid" to the third-party application and terminates the authorization process;

Step 503: The authorization system determines that for the requested capability interface LBS_BY_MSISDN the third-party application is the billing party, and therefore sends a billing authorization request to the third-party application;

Step 504: The third-party application authorizes the billing for this capability access (providing its APP_KEY and APP_SECRET together with its consent to the billing authorization) and returns the authorization information to the authorization system;

Step 505: The authorization system determines whether the third-party application has agreed to the billing authorization; if so, it requests the billing system of the capability exposure platform to verify whether the billing authorization is legitimate; otherwise the authorization system returns a response message "no billing party authorization" to the third-party application and terminates the authorization process;

Step 506: The billing system verifies the legitimacy of the billing authorization according to the billing mode agreed when the third-party application subscribed to the capability. Assuming that the billing mode in this embodiment is prepaid, the billing system determines whether the third-party application has sufficient balance to cover this access, and returns the verification result for this billing authorization to the authorization system;

Step 507: Based on the verification result, if the billing authorization is legitimate the authorization system proceeds to Step 508; otherwise it returns a response message "billing party funds insufficient" to the third-party application and terminates the authorization process;

Step 508: The authorization system determines that the requested LBS_BY_MSISDN capability interface requires the end user to authorize access to their private data, and therefore sends a private data access authorization request message to the user terminal (online authorization can be performed via the IP_CLIENT information, or SMS authorization via the MSISDN number); the request message carries the list (list) of items requiring user authorization for this capability access;

Step 509: The end user authorizes this LBS capability access (i.e. permits the third-party application to look up the geographic location corresponding to the terminal via its MSISDN number) and returns their authentication credential together with the authorization information to the authorization system;

Step 510: The authorization system determines whether the end user has agreed to the authorization; if so, proceed to Step 511, otherwise the authorization system returns a response message "error accessing private data" to the third-party application and terminates the authorization process;

Step 511: The authorization system requests the authentication system of the capability exposure platform to verify whether the authorizing end user is legitimate;

Step 512: The authentication system verifies the legitimacy of the authorizing user according to the credential they submitted;

Step 513: The authentication system returns the verification result for the authorizing user's legitimacy to the authorization system;

Step 514: Based on the verification result, if the authorizing user is legitimate the authorization system proceeds to Step 515, otherwise it returns a response message "authorizing user invalid" to the third-party application and terminates the authorization process;

Step 515: The authorization system requests the SLA system of the capability exposure platform to authorize the reasonableness of the third-party application's access to the capability interface;

Step 516: The SLA system determines whether the frequency with which the third-party application accesses the capability interface complies with the previously signed SLA contract; if so, the SLA system grants authorization, otherwise it refuses authorization;

Step 517: The SLA system returns the SLA authorization result to the authorization system;

Step 518: Based on the SLA system's authorization result, if the SLA system has granted authorization the authorization system proceeds to Step 519, otherwise it returns a response message "requests too frequent" to the third-party application and terminates the authorization process;

Step 519: The authorization system generates a unique access token and sends it to the third-party application, completing the authorization for this LBS capability access.
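The request of Step 501 carries a signature field (md5) that incorporates the third-party application key, and Step 502 (claim 2.1) verifies the application's legitimacy from the application identifier and that signature. The added example below, not the patent's code, shows one way to build and verify such a signature over the Table 1 parameters. The construction is an assumption: the patent does not specify how the md5 field is computed, so the example canonicalizes the parameters and uses HMAC-SHA256 keyed with the application's APP_SECRET while keeping the field name from Table 1; the timestamp parameter ts, its 300-second freshness window and the secret registry are likewise constructed.

```python
import hashlib
import hmac
from urllib.parse import urlencode

# Constructed registry (assumption): app_key -> APP_SECRET shared with the platform.
# In a deployment each side holds its own copy; one table stands in for both here.
APP_SECRETS = {"app-A": b"constructed-secret-for-app-A"}
MAX_CLOCK_SKEW = 300    # seconds; assumed freshness window for the ts parameter
SIGNATURE_FIELD = "md5"  # field name from Table 1 of the patent's example


def canonical_string(params):
    """Deterministic encoding of every parameter except the signature itself:
    keys sorted, list values joined with ',', then percent-encoded so that a
    value containing '&' or '=' cannot be confused with a parameter boundary."""
    pairs = []
    for key in sorted(params):
        if key == SIGNATURE_FIELD:
            continue
        value = params[key]
        if isinstance(value, (list, tuple)):
            value = ",".join(str(v) for v in value)
        pairs.append((key, str(value)))
    return urlencode(pairs)


def sign(params, app_secret):
    return hmac.new(app_secret, canonical_string(params).encode(), hashlib.sha256).hexdigest()


def build_token_request(api_name, pay_account, app_key, ip_client, msisdn,
                        private_list, ts):
    """Third-party side of Step 501: assemble the Table 1 parameters and sign them."""
    params = {"api_name": api_name, "pay_account": pay_account, "app_key": app_key,
              "ip_client": ip_client, "msisdn": msisdn, "list": list(private_list),
              "ts": ts}
    params[SIGNATURE_FIELD] = sign(params, APP_SECRETS[app_key])
    return params


def verify_request_signature(params, now):
    """Authorization-system side of Step 502: the application is accepted only if
    app_key is registered, ts is fresh, and the signature recomputed with that
    application's secret matches the one presented (constant-time comparison)."""
    app_secret = APP_SECRETS.get(params.get("app_key"))
    if app_secret is None:
        return False
    try:
        ts = int(params["ts"])
    except (KeyError, TypeError, ValueError):
        return False
    if abs(now - ts) > MAX_CLOCK_SKEW:
        return False
    expected = sign(params, app_secret)
    return hmac.compare_digest(expected, str(params.get(SIGNATURE_FIELD, "")))


if __name__ == "__main__":
    req = build_token_request("LBS_BY_MSISDN", "app-A", "app-A", "198.51.100.7",
                              "13800000000", ["location"], ts=1700000000)
    print(req[SIGNATURE_FIELD])
    print(verify_request_signature(req, now=1700000010))
    print(verify_request_signature(dict(req, api_name="OTHER_API"), now=1700000010))
```

Because every Table 1 parameter is covered by the signature, changing the requested interface, the billing party or the private-data list after signing invalidates the request, which is what lets Step 502 treat the signature as evidence that the registered application itself composed the request.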

Although illustrative specific embodiments of the present invention have been described above so that those skilled in the art can understand the present invention, it should be clear that the present invention is not limited to the scope of these specific embodiments. For those of ordinary skill in the art, various changes are obvious as long as they fall within the spirit and scope of the present invention as defined and determined by the appended claims, and all inventions that make use of the inventive concept of the present invention fall within its protection.

Claims (3)

1. A capability access authorization method, comprising the following steps:

Step 1. The third-party application sends a request message to the authorization system of the service capability exposure platform applying for an access token for a given capability interface. The request message includes at least: the name of the capability interface to be accessed, the billing party for the capability access, the third-party application identifier, the terminal address of the authorizing user, the terminal MSISDN number of the authorizing user, the list of private data requiring user authorization, and a signature that incorporates the third-party application key;

Step 2. The authorization system of the service capability exposure platform receives the access token request message and then performs:

2.1) Verifying the legitimacy of the access token request message itself
Verifying the legitimacy of the request message itself comprises verifying the legitimacy of the third-party application, the legitimacy of the requested capability interface and the legitimacy of the request message parameters;
wherein the legitimacy of the third-party application is verified on the basis of the third-party application identifier and the signature incorporating the third-party application key carried in the request message;
the legitimacy of the requested capability interface is verified on the basis of the name of the requested capability interface carried in the request message;
the legitimacy verification of the request message parameters comprises checking whether the format and range of every parameter carried in the request message conform to the specification;
if the request message is invalid, the authorization system returns a response message "access token request invalid" to the third-party application and terminates the authorization process; if the request message is legitimate, proceed to step 2.2;

2.2) Billing authorization and verification
If the requested capability interface is free of charge, proceed directly to step 2.3; otherwise a billing authorization request message is sent to the billing party identified in the request message, the billing party being determined from the billing-party parameter for the capability access carried in the request message;
the billing party receives the billing authorization request message, authorizes the billing for the requested capability access, and returns the authorization information to the authorization system;
the authorization system decides on the basis of the authorization information returned by the billing party: if the billing party does not agree to the authorization, it returns a response message "no billing party authorization" to the third-party application and terminates the authorization process; if the billing party agrees, it asks the billing system of the capability exposure platform to verify, according to the billing mode, whether the billing party is legitimate; if the billing party is legitimate, proceed to step 2.3, otherwise return a response message "billing party funds insufficient" or "credit insufficient" to the third-party application and terminate the authorization process;

2.3) Private data access authorization and verification
If the requested capability interface does not involve private data, proceed directly to step 2.4; otherwise send a private data access authorization request message to the owner of the private data, whose address is identified by the authorizing user's terminal address carried in the request message if the owner is online, and by the authorizing user's terminal MSISDN number if the owner is offline;
the owner of the private data receives the private data access authorization request message, authorizes access to the requested private data, i.e. the data in the list of private data requiring user authorization carried in the access token request message, and returns the authorization information to the authorization system;
the authorization system decides on the basis of the authorization information returned by the private data owner: if the owner does not agree to the authorization, the authorization system returns a response message "error accessing private data" to the third-party application and terminates the authorization process; if the owner agrees, it asks the authentication system of the capability exposure platform to verify whether the private data owner, i.e. the authorizing user, is legitimate; if legitimate, proceed to step 2.4, otherwise return a response message "authorizing user invalid" to the third-party application and terminate the authorization process;

2.4) SLA (Service Level Agreement) authorization
The authorization system asks the SLA (Service Level Agreement) system of the capability exposure platform to authorize the reasonableness of the third-party application's access to the capability interface; if the frequency with which the third-party application accesses the capability interface complies with the previously signed SLA contract, the SLA system grants authorization, otherwise the SLA system refuses authorization;
based on the SLA system's authorization result, if the SLA system has granted authorization the authorization system proceeds to step 3; otherwise it returns a response message "requests too frequent" to the third-party application and terminates the authorization process;

Step 3. Access token generation and issuance
According to the third-party application's capability interface access request, the authorization system generates a unique access token covering billing, private data access and SLA authorization and issues it to the third-party application;

Step 4. Capability interface access
The third-party application carries the access token and, using it as the capability access authorization credential, directly accesses the corresponding capability interface of the service capability exposure platform; the capability server performs the corresponding capability access and returns the capability access result to the third-party application, completing the capability access.

2. The capability access authorization method according to claim 1, wherein the capability interface access comprises:
4.1) the third-party application receives the capability interface access token returned by the authorization system, then sends a capability interface access request message to the capability server of the service capability exposure platform, the request message including the name of the capability interface to be accessed, the attribute parameters and the access token for the corresponding interface;
4.2) the capability server receives the access request and checks the legitimacy of the attribute parameters; if the parameters are invalid, proceed to step 4.3, otherwise proceed to step 4.4;
4.3) the capability server returns a response message "attribute parameters invalid" to the third-party application and terminates the capability access process;
4.4) the capability server requests the authorization system of the service capability exposure platform to verify the received access token;
4.5) the authorization system verifies the validity of the access token;
4.6) the authorization system returns the access token validity result to the capability server;
4.7) the capability server receives the verification result; if the access token is valid, proceed to step 4.9; otherwise proceed to step 4.8;
4.8) the capability server returns a response message "access token expired" to the third-party application and terminates the capability access process;
4.9) the corresponding capability interface on the capability server performs the capability access;
4.10) the capability server returns the capability access result to the third-party application, completing the capability access.

3. A capability access authorization system, comprising:
A capability access authorization system, comprising: 令牌申请合法性验证模块,用于验证访问令牌申请本身请求消息的合法性,包括第三方应用的合法性、申请访问的能力接口的合法性以及请求消息参数的合法性;The token application legitimacy verification module is used to verify the legitimacy of the request message of the access token application itself, including the legitimacy of the third-party application, the legitimacy of the capability interface for applying for access, and the legitimacy of the request message parameters; 如果请求消息不合法,则授权系统返回“访问令牌申请不合法”的响应消息给第三方应用,终止授权过程,如果请求消息合法,则将令牌申请请求消息递交给计费授权模块继续处理;If the request message is invalid, the authorization system returns a response message of "access token application is invalid" to the third-party application, terminating the authorization process; if the request message is legal, the token application request message is submitted to the billing authorization module for further processing ; 计费授权模块,用于向计费方发起授权请求,以及接收计费方返回的授权响应:The billing authorization module is used to initiate an authorization request to the billing party and receive an authorization response returned by the billing party: 如果申请访问的能力接口是免费的,则将令牌申请请求消息递交给私有数据访问授权模块继续处理,否则根据请求消息中标识的计费方,计费授权模块向计费方发送计费授权的请求消息;If the capability interface for applying for access is free, submit the token application request message to the private data access authorization module for further processing; otherwise, the accounting authorization module sends the accounting authorization to the accounting party according to the billing party identified in the request message request message; 计费方收到计费授权的请求消息,对申请的能力访问的计费进行授权,并将授权信息返回给计费授权模块;The billing party receives the billing authorization request message, authorizes the billing for the applied capability access, and returns the authorization information to the billing authorization module; 计费授权模块根据计费方返回的授权信息进行判断,如果计费方不同意授权,则返回“无计费方授权”的响应消息给第三方应用,终止授权过程;如果计费方同意授权,则要求能力开放平台的计费系统根据计费方式验证计费方是否合法,如果计费方合法,则令牌申请请求消息递交给私有数据访问授权模块继续处理,否则返回“计费方资费不够”或“信用度不够”的响应消息给第三方应用,终止授权过程;The billing authorization module 
judges according to the authorization information returned by the billing party. If the billing party does not agree to the authorization, it returns a response message of "no billing party authorization" to the third-party application and terminates the authorization process; if the billing party agrees to authorize , the billing system of the capability open platform is required to verify whether the billing party is legal according to the billing method. If the billing party is legal, the token application request message is submitted to the private data access authorization module for further processing, otherwise it returns "the billing party charges Not enough" or "not enough credit" response message to the third-party application, terminating the authorization process; 私有数据访问授权模块,用于向私有数据拥有者发起授权请求,以及接收私有数据拥有者返回的授权响应:The private data access authorization module is used to initiate an authorization request to the private data owner and receive the authorization response returned by the private data owner: 如果申请访问的能力接口不涉及私有数据,则将令牌申请请求消息递交给SLA授权模块继续处理;否则发送私有数据访问授权的请求消息给私有数据的拥有者;If the capability interface for applying for access does not involve private data, submit the token application request message to the SLA authorization module for further processing; otherwise, send a private data access authorization request message to the owner of the private data; 私有数据的拥有者收到私有数据访问授权的请求消息,对申请的私有数据访问进行授权,并将授权信息返回给私有数据访问授权模块;The private data owner receives the private data access authorization request message, authorizes the requested private data access, and returns the authorization information to the private data access authorization module; 私有数据访问授权模块根据私有数据拥有者返回的授权信息进行判断,如果私有数据拥有者不同意授权,否则返回“访问私有数据出错”的响应消息给第三方应用,终止授权过程;如果私有数据拥有者同意授权,则要求能力开放平台的认证系统验证私有数据拥有者是否合法,如果合法,则将令牌申请请求消息递交给SLA授权模块继续处理,否则返回“授权用户不合法”的响应消息给第三方应用,终止授权过程;The private data access authorization module judges according to the authorization information returned by the private data owner. 
If the private data owner does not agree to the authorization, otherwise it will return a response message of "error accessing private data" to the third-party application and terminate the authorization process; if the private data owner If the author agrees to the authorization, the authentication system of the capability openness platform is required to verify whether the private data owner is legal. If it is legal, the token application request message is submitted to the SLA authorization module for further processing; otherwise, a response message of "authorized user is not legal" is returned to Third-party applications, terminate the authorization process; SLA授权模块,用于请求能力开放平台的SLA系统对第三方应用访问能力接口的合理性进行授权,如果第三方应用访问能力接口的频率符合预先签署的SLA合约,则SLA系统同意授权,否则SLA系统拒绝授权;The SLA authorization module is used to request the SLA system of the capability open platform to authorize the rationality of the third-party application access capability interface. If the frequency of the third-party application access capability interface conforms to the pre-signed SLA contract, the SLA system agrees to authorize, otherwise the SLA The system denies authorization; SLA授权模块根据SLA系统的授权情况,如果SLA系统同意授权,则将令牌申请请求消息递交给令牌发放模块继续处理;否则返回“请求过于频繁”的响应消息给第三方应用,终止授权过程;According to the authorization situation of the SLA system, if the SLA system agrees to the authorization, the SLA authorization module will submit the token application request message to the token issuance module for further processing; otherwise, return the response message of "request too frequently" to the third-party application, and terminate the authorization process ; 令牌发放模块,用于根据第三方应用的能力接口访问申请请求,生成一个唯一的涵盖计费、私有数据访问以及SLA授权的访问令牌发放给第三方应用,第三方应用携带访问令牌,以访问令牌作为能力访问授权凭证即可直接访问业务能力开放平台相应的能力接口;The token issuance module is used to generate a unique access token covering billing, private data access and SLA authorization according to the application request of the third-party application's capability interface, and issue it to the third-party 
application. The third-party application carries the access token. Use the access token as the capability access authorization credential to directly access the corresponding capability interface of the business capability open platform; 令牌验证模块,用于第三方应用携带访问令牌,以访问令牌作为能力访问授权凭证访问业务能力开放平台相应的能力接口时,接收能力服务器发送的访问令牌,并验证其合法性,如果验证合法,业务能力开放平台的能力服务器执行相应的能力访问。The token verification module is used for the third-party application to carry the access token and use the access token as the capability access authorization credential to access the corresponding capability interface of the business capability open platform, receive the access token sent by the capability server, and verify its legitimacy, If the verification is legal, the capability server of the service capability opening platform performs corresponding capability access.
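The token application pipeline of claim 1 (legitimacy, billing, private data owner consent, SLA frequency, token issuance) and the capability access of claim 2 (parameter check first, then token verification by the authorization system), as an added Python model. This is example code written for this page, not code from the patent or from its applicant. The application registry, billing account, user records, consent sets, SLA contract, interface and parameter names, and the five-minute token lifetime are constructed placeholders; the patent does not specify a token format, so the example uses an opaque random token whose grant record lives only in the authorization system, which is why the capability server has to ask the authorization system to verify it.

```python
import secrets
import time

# Constructed tables standing in for the platform's registry, billing system,
# authentication system, SLA system and the private data owners (illustrative only).
REGISTERED_APPS = {"app-1": {"interfaces": {"weather.lookup", "location.query"},
                             "billing_party": "acct-1"}}
FREE_INTERFACES = {"weather.lookup"}
PRIVATE_DATA_SCOPES = {"location.query": ["location"]}   # interface -> private data it touches
REQUIRED_PARAMS = {"weather.lookup": {"city"}, "location.query": {"msisdn"}}
BILLING_ACCOUNTS = {"acct-1": {"consents": True, "balance": 5}}
USERS = {"user-7": {"legit": True, "online": False, "terminal_addr": "10.0.0.7",
                    "msisdn": "8613800000001", "consents": {"location"}},
         "user-8": {"legit": True, "online": True, "terminal_addr": "10.0.0.8",
                    "msisdn": "8613800000002", "consents": set()}}
SLA_CONTRACTS = {"app-1": (3, 60.0)}   # at most 3 token requests per 60 s
TOKEN_TTL = 300.0                      # assumed lifetime; the patent fixes none


def owner_address(user):
    """Where the consent request is delivered: terminal address if online, else MSISDN."""
    return user["terminal_addr"] if user["online"] else user["msisdn"]


class AuthorizationSystem:
    def __init__(self):
        self.tokens = {}      # opaque token -> grant record
        self.sla_log = {}     # app_id -> timestamps of recent token requests

    def request_token(self, app_id, interface, user_id=None, now=None):
        """Steps 2.1 to 3: returns ("ok", token) or ("error", response message)."""
        now = time.time() if now is None else now
        # 2.1 legitimacy of the application request itself
        app = REGISTERED_APPS.get(app_id)
        if app is None or interface not in app["interfaces"]:
            return ("error", "access token application is illegitimate")
        # 2.2 billing authorization, skipped for free interfaces
        if interface not in FREE_INTERFACES:
            acct = BILLING_ACCOUNTS.get(app["billing_party"])
            if acct is None or not acct["consents"]:
                return ("error", "no billing party authorization")
            if acct["balance"] <= 0:
                return ("error", "billing party balance insufficient")
        # 2.3 private data owner consent, then verification of the owner's identity
        scopes = PRIVATE_DATA_SCOPES.get(interface, [])
        if scopes:
            user = USERS.get(user_id)
            if user is None:
                return ("error", "authorizing user is not legitimate")
            _addr = owner_address(user)   # the consent request would be sent here
            if not set(scopes) <= user["consents"]:
                return ("error", "private data access error")
            if not user["legit"]:
                return ("error", "authorizing user is not legitimate")
        # 2.4 SLA authorization: request frequency within the signed contract
        limit, window = SLA_CONTRACTS[app_id]
        recent = [t for t in self.sla_log.get(app_id, []) if now - t < window]
        if len(recent) >= limit:
            return ("error", "request too frequent")
        self.sla_log[app_id] = recent + [now]
        # 3. one unique opaque token, bound to the app, the interface and the granted scopes
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {"app": app_id, "interface": interface, "user": user_id,
                              "scopes": scopes, "expires": now + TOKEN_TTL}
        return ("ok", token)

    def verify_token(self, token, interface, now=None):
        """Step 4.5: valid only for the interface it was issued for and before expiry."""
        now = time.time() if now is None else now
        grant = self.tokens.get(token)
        return grant is not None and grant["interface"] == interface and now < grant["expires"]


def capability_access(auth, interface, params, token, now=None):
    """Steps 4.1 to 4.10 as seen by the capability server."""
    # 4.2/4.3 attribute parameters are checked before the token is ever looked at
    if set(params) != REQUIRED_PARAMS.get(interface, set()):
        return ("error", "invalid attribute parameters")
    # 4.4 to 4.8 the authorization system verifies the token
    if not auth.verify_token(token, interface, now):
        return ("error", "access token invalid")
    # 4.9/4.10 constructed capability result
    return ("ok", {"interface": interface, "params": params})
```

Two choices are deliberate. The grant record keeps the interface the token was issued for, so a token obtained for a free interface cannot be replayed against a billed or private-data interface, which is the property the claim's "access token for the corresponding interface" wording relies on. The SLA counter is only updated when a token is actually issued, so requests already refused by the billing or consent checks do not consume the application's quota.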
CN201210184762.2A 2012-06-06 2012-06-06 Method and system for access capability authorization Expired - Fee Related CN102724647B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201210184762.2A CN102724647B (en) 2012-06-06 2012-06-06 Method and system for access capability authorization

Publications (2)

Publication Number Publication Date
CN102724647A CN102724647A (en) 2012-10-10
CN102724647B true CN102724647B (en) 2014-08-13

Family

ID=46950278

Country Status (1)

Country Link
CN (1) CN102724647B (en)

Families Citing this family (30)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102946396B (en) * 2012-11-26 2015-09-16 北京奇虎科技有限公司 User agent's device, host web server and user authen method
CN102946397B (en) * 2012-11-26 2015-11-25 北京奇虎科技有限公司 User authen method and system
CN103312515B (en) * 2013-06-21 2016-04-20 百度在线网络技术(北京)有限公司 The generation method of authorization token, generating apparatus, authentication method and Verification System
CN104283678B (en) * 2013-07-04 2017-11-24 中国移动通信集团公司 A kind of weight discriminating method and apparatus
CN103401844B (en) * 2013-07-12 2016-09-14 天地融科技股份有限公司 The processing method of operation requests and system
US9819661B2 (en) * 2013-09-12 2017-11-14 The Boeing Company Method of authorizing an operation to be performed on a targeted computing device
CN104869102B (en) * 2014-02-24 2019-04-02 腾讯科技(北京)有限公司 Authorization method, device and system based on xAuth agreement
CN105025455A (en) * 2014-04-30 2015-11-04 中兴通讯股份有限公司 Triggering method and device for charging procedure
CN105207974B (en) * 2014-06-18 2018-09-11 中国电信股份有限公司 A kind of method, platform, application and system realized user resources differentiation and opened
CN104301443B (en) * 2014-10-09 2018-06-12 百度在线网络技术(北京)有限公司 A kind of method and system that end ability interface is called on web page
CN105847220A (en) * 2015-01-14 2016-08-10 北京神州泰岳软件股份有限公司 Authentication method and system, and service platform
CN106302332B (en) * 2015-05-22 2019-10-15 阿里巴巴集团控股有限公司 User data access control method, device and system
CN106713244B (en) * 2015-11-17 2021-01-15 中国移动通信集团公司 Capability access method and network element
CN105744520B (en) * 2016-03-30 2019-12-24 华为技术有限公司 Method, device and system for issuing and verifying application services
CN107645474B (en) * 2016-07-20 2020-02-14 腾讯科技(深圳)有限公司 Method and device for logging in open platform
CN106209907B (en) * 2016-08-30 2021-04-30 新华三技术有限公司 Method and device for detecting malicious attack
CN108156122B (en) * 2016-12-06 2021-08-13 中移(杭州)信息技术有限公司 Capability introduction method, system and device for capability open platform
CN108259434B (en) * 2016-12-29 2020-12-22 中国移动通信集团浙江有限公司 A method and server for opening user side QoS guarantee capability
CN109428873A (en) * 2017-08-31 2019-03-05 中兴通讯股份有限公司 Multiside calling method, device and realization system and computer readable storage medium
US11057778B2 (en) 2019-02-28 2021-07-06 Ebay Inc. Complex composite tokens
CN109902499A (en) * 2019-03-13 2019-06-18 广州市网星信息技术有限公司 A kind of resource authorization and access method, device, system, equipment and storage medium
CN110049041A (en) * 2019-04-17 2019-07-23 北京网聘咨询有限公司 The interface call method and interface calling system of recruitment website open platform
US11750598B2 (en) 2019-07-19 2023-09-05 Ebay Inc. Multi-legged network attribution using tracking tokens and attribution stack
CN111314315B (en) * 2020-01-20 2022-07-08 重庆富民银行股份有限公司 Open platform multi-dimensional safety control system and method
CN111639327A (en) * 2020-05-29 2020-09-08 深圳前海微众银行股份有限公司 Authentication method and device for open platform
US11354439B2 (en) 2020-06-03 2022-06-07 International Business Machines Corporation Content control through third-party data aggregation services
CN112131021B (en) * 2020-09-21 2024-01-12 博泰车联网科技(上海)股份有限公司 Access request processing method and device
CN112953892B (en) * 2021-01-26 2022-04-19 浪潮通用软件有限公司 Access authentication method and device of third-party system
CN113612724B (en) * 2021-06-10 2022-01-25 广州大学 Internet of things access control method and device based on capability
CN114257583A (en) * 2021-12-22 2022-03-29 贵州东彩供应链科技有限公司 Safe downloading method for solving JWT authorization

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101789973A (en) * 2010-02-05 2010-07-28 中兴通讯股份有限公司 Method and system for constructing Mashup application
CN102196012A (en) * 2010-03-17 2011-09-21 华为技术有限公司 Service opening method, system and service opening server
CN102394887A (en) * 2011-11-10 2012-03-28 杭州东信北邮信息技术有限公司 OAuth protocol-based safety certificate method of open platform and system thereof

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7221935B2 (en) * 2002-02-28 2007-05-22 Telefonaktiebolaget Lm Ericsson (Publ) System, method and apparatus for federated single sign-on services

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20140813

Termination date: 20170606