CN112685718A - Method for invalidating original access token during multi-terminal login of same account based on OAuth protocol - Google Patents
- Publication number: CN112685718A (application CN202110141479.0A)
- Authority: CN (China)
- Prior art keywords: access token, client, user, token, resource
- Legal status: Pending (the status is an assumption by Google Patents and is not a legal conclusion; no legal analysis has been performed)
- Landscapes: Storage Device Security (AREA)
Abstract
The invention provides a method, for a platform based on the OAuth protocol, for invalidating the original access token when the same account logs in from multiple terminals. It comprises: an access token generation step in which, when a user logs in with a user name and password, any existing access token of that user is marked as superseded by a login elsewhere and a new access token is generated; and an access token verification step in which, when a client presents an access token to request a resource service, the token is checked for validity and the client is denied access to the resource when the token is invalid. The method prevents the insecure situation in which a user logs in from a second terminal without logging out of the first, leaving the first session usable by someone else, and ensures that a user holds only one valid access token at any time.
Description
Technical Field
The invention belongs to the field of electronic information network security, and in particular relates to a method, based on the OAuth protocol, for invalidating the original access token when the same account logs in from multiple terminals.
Background
Existing platforms built on the OAuth 2.0 standard solve user authentication and authorization, but a common problem remains: if a user logs in on one terminal, does not log out, and then logs in on another terminal, the original terminal can still be used until its access token expires. During that window the original login can be used by another person.
To restrict an account to a single active terminal, a method is needed that immediately invalidates the access token held by the other terminal as soon as the user logs in on a new one.
Disclosure of Invention
The problems to be solved by the invention are as follows:
To solve the above problems, an object of the present invention is to provide a method, based on the OAuth protocol, for invalidating the original access token when the same account logs in from multiple terminals, so that an original login cannot be used by others.
The technical means for solving the problems are as follows:
The invention provides a method, based on the OAuth protocol, for invalidating the original access token when the same account logs in from multiple terminals, comprising: an access token generation step in which, when the user logs in with a user name and password, the existing access token is marked as superseded by a login elsewhere and a new access token is generated; and an access token verification step in which, when the client presents an access token to request a resource service, the token is checked for validity and the client is denied access to the resource when the token is invalid.
In this way the existing access token is invalidated whenever the user logs in, and resource requests from a client presenting the invalidated token are refused.
The access token generation step may include: 1) when a currently valid access token for the user exists in the Redis cache database, marking that token as superseded by a login elsewhere; 2) generating the new access token; 3) storing the new access token together with the user's identity data in the Redis cache database; and 4) sending the new access token to the client. The existing access token is thus invalidated by marking it, not by deleting it.
The access token verification step may include: 1) the authentication server checks whether the access token exists; 2) it looks up in the Redis cache database whether the token is marked as superseded by a login elsewhere; and 3) when the token carries that mark, it is judged illegal and the client is denied access to the resource. Each time the client requests a resource from the resource server it is therefore verified that the presented token is the most recently generated, still-valid token, which guarantees that the current access comes from a single terminal.
The invention has the following effects:
When a platform based on the OAuth protocol is used, the invention effectively prevents the insecure situation in which a user logs in from another terminal without logging out of the first and the first login is then used by someone else, and it ensures that a user holds only one valid access token at any time.
Drawings
FIG. 1 is a system architecture diagram of an OAuth protocol platform according to one embodiment of the present invention;
FIG. 2 is a functional block diagram of an authentication server in the OAuth protocol platform of FIG. 1;
FIG. 3 is a functional block diagram of a resource server in the OAuth protocol platform of FIG. 1;
FIG. 4 is a flowchart of the access token generation step of the method for invalidating the original access token when the same account logs in from multiple terminals based on the OAuth protocol;
FIG. 5 is a flowchart of the access token verification step of the same method.
Detailed Description
The present invention will be further described with reference to the accompanying drawings and the following embodiments, which are to be understood as merely illustrative and not restrictive.
Disclosed herein is a method (hereinafter the access token invalidation method) for invalidating the original access token when the same account logs in from multiple terminals based on the OAuth protocol, which prevents an original login from being used by another person. The method assumes a software system that authenticates with OAuth and a Redis cache database.
Fig. 1 is a system configuration diagram of an OAuth protocol platform according to an embodiment of the present invention, fig. 2 is a functional block diagram of an authentication server in the OAuth protocol platform, and fig. 3 is a functional block diagram of a resource server in the OAuth protocol platform.
As shown in FIG. 1, the OAuth protocol platform mainly comprises a Client, an Authentication Server and a Resource Server; the fourth role, the Resource Owner, is not shown.
The resource owner is the owner of the protected resource held by the service provider, i.e. the user. The client is the program that talks to the server and provides the local service to the user, and it operates in cooperation with the server. When the user, as resource owner, wants to access a resource, a login is initiated; on receiving the authentication requirement, the client prompts the user for a user name and password and then requests an access token from the authentication server described below.
As shown in FIGS. 1 and 2, the authentication server is responsible for verifying the user's identity and issuing the access token, and comprises a user identity verification module, an access token generation module and an access token verification module. The user identity verification module checks the validity of the user's identity and then invokes the access token generation module, which returns an access token to the client once identity verification has passed. The access token verification module checks the validity of an access token when the client presents it to the resource server described below.
As shown in FIGS. 1 and 3, the resource server stores user data and exposes the HTTP service, returning user data to an authenticated client; it comprises a module that submits the presented access token for verification and a module that provides protected resources to the client. When the client presents an access token issued by the authentication server to request a protected resource, the first module has the token's validity checked and, if the check passes, the resource request is answered. Specifically, on receiving a resource request the resource server sends the access token carried by the request to the authentication server, where the access token verification module checks it and, on success, returns the associated user information to the resource server. The second module then delivers the protected resource to the user.
The access token invalidation method of the embodiment comprises an access token generation step and an access token verification step. The generation step calls the authorization endpoint of the authentication server which, after the user name and password have been verified, marks the user's existing access token in the Redis cache database as superseded by a login elsewhere and at the same time generates a new access token. The verification step uses the same endpoint to decide whether the access token presented by the client is legal and valid and whether it has been superseded by a login elsewhere. (In RFC 6749 terms, token issuance is the job of the token endpoint rather than the authorization endpoint; the patent uses "authorization endpoint" for the server-side component that both issues and checks tokens.)
FIG. 4 is a flowchart of the access token generation step of the method for invalidating the original access token when the same account logs in from multiple terminals based on the OAuth protocol, according to an embodiment of the present invention. As shown in FIG. 4, the generation step mainly comprises the following steps.
When a user logs in to the authentication server with a user name and password on a terminal (client), step S11 starts: the authentication server searches its Redis cache database for an existing valid access token belonging to the user. An existing valid access token is one that was generated when the user previously logged in to the client on another terminal and has not yet been invalidated. Access tokens are generated by the authorization endpoint of the authentication server and stored in the Redis cache database.
If a valid access token for the user is found, the process proceeds to step S15, where all existing access tokens are treated as tokens of the previous terminal and the authorization endpoint marks them as superseded by a login elsewhere, i.e. invalidates them. Once marking is complete, the process proceeds to step S12.
If step S11 finds no such token, the process proceeds directly to step S12.
In step S12 the authentication server generates a new access token for the current user, after which the process proceeds to step S13.
In step S13 the new access token is stored in the Redis cache database together with the identity information of the current user. The process then proceeds to step S14, in which the newly generated access token is sent to the client.
Checking the Redis cache database for a valid access token held by the current user therefore reveals whether the user is already logged in on another terminal; when one is found, the existing token is marked as superseded by a login elsewhere and is thereby invalidated.
FIG. 5 is a flowchart of the access token verification step of the method for invalidating the original access token when the same account logs in from multiple terminals based on the OAuth protocol, according to an embodiment of the present invention. When the client presents an access token to request a resource from the resource server, the resource server forwards the token to the authentication server, which runs the verification flow. As shown in FIG. 5, the flow mainly comprises the following steps.
The authorization endpoint of the authentication server decides whether the access token received from the resource server is valid. In step S21 the authentication server looks the token up in the Redis cache database. If the token has been marked as superseded by a login elsewhere (step S15 above), it is judged illegal, an error indicating that the token is invalid is returned, and the process proceeds to step S23, where the client is denied access to the resource. Otherwise the token carries no such mark, meaning it is the new access token generated after the user logged in to the client on the current terminal with a user name and password; step S21 judges the token valid and the process proceeds to step S22.
In step S22 the authentication server reports that the access token has passed verification, and the resource the client requested is returned.
Every time a client requests a resource from the resource server it is thus verified that the presented access token is the most recently generated, still-valid token, i.e. that the current access comes from a single terminal.
Furthermore, when verification fails in step S23 the system may require the user to re-enter the user name and password. Once the user has logged in to the authentication system again, a new round of the access token generation step starts.
The invention may additionally include a step that determines whether the access token is present in the Redis cache database at all, so as to detect tokens that have expired and been cleared automatically. For example, in step S12 the authentication server may record the login time when it generates the new access token, and when the token is stored in the Redis cache database a predefined cache expiration time may be set as its validity period. This expiration time is an operating parameter set when the server is deployed. The caching mechanism of Redis then expires and removes the token automatically once the validity period has elapsed.
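The generation step (S11 to S15), the verification step (S21 to S23), the resource server's hand-off to the authentication server, and the cache-expiry variant just described, worked through as one runnable program. This is an added example written for this page, not the applicant's code: an in-memory TokenStore with get/set/TTL semantics stands in for the Redis cache, and the key layout (`tok:<sha256>`, `user:<name>:current`), the helper and class names, the sample user, the resource data and the 3600 s TTL are all assumptions of the example.

```python
"""Single-active-token issuance and verification, modelled on the patent's
generation step (S11-S15) and verification step (S21-S23).

Illustrative code written for this page, not the applicant's implementation.
An in-memory TokenStore with get/set/TTL semantics stands in for Redis; key
names, helper names, sample users, resource data and the TTL are assumptions.
"""
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 3600  # stands in for the deployment-time cache expiry


class TokenStore:
    """In-memory stand-in for the Redis cache: key -> (value, expires_at)."""

    def __init__(self, clock=time.time):
        self._data, self.now = {}, clock

    def set(self, key, value, ttl):
        self._data[key] = (value, self.now() + ttl)

    def get(self, key):
        entry = self._data.get(key)
        if entry is None:
            return None
        value, expires_at = entry
        if self.now() >= expires_at:  # emulate Redis expiring the key
            del self._data[key]
            return None
        return value


def token_key(token):
    """Cache key for a bearer token; only its SHA-256 is ever stored."""
    return "tok:" + hashlib.sha256(token.encode()).hexdigest()


class AuthServer:
    def __init__(self, store, users):
        self.store, self.users = store, users  # users: name -> password

    def login(self, username, password):
        """Access token generation step; returns the new token or None."""
        if self.users.get(username) != password:
            return None
        # S11: does this user already hold a valid token?
        old_key = self.store.get(f"user:{username}:current")
        old_record = self.store.get(old_key) if old_key else None
        if old_record is not None:
            # S15: mark the earlier token as superseded by a login elsewhere.
            old_record["status"] = "elsewhere"
            self.store.set(old_key, old_record, TOKEN_TTL_SECONDS)
        # S12-S13: issue a fresh token and cache it with the user's identity.
        token = secrets.token_urlsafe(32)
        record = {"user": username, "status": "active",
                  "login_time": self.store.now()}
        self.store.set(token_key(token), record, TOKEN_TTL_SECONDS)
        self.store.set(f"user:{username}:current", token_key(token),
                       TOKEN_TTL_SECONDS)
        return token  # S14: hand the new token to the client

    def introspect(self, token):
        """Access token verification step (S21-S23)."""
        record = self.store.get(token_key(token))
        if record is None:  # never issued, or expired and cleared by the cache
            return {"active": False, "error": "unknown_or_expired"}
        if record["status"] == "elsewhere":
            return {"active": False, "error": "logged_in_elsewhere"}
        return {"active": True, "user": record["user"]}


class ResourceServer:
    """Forwards the presented token to the auth server before serving data."""

    def __init__(self, auth, data):
        self.auth, self.data = auth, data  # data: name -> protected resource

    def get_profile(self, token):
        result = self.auth.introspect(token)
        if not result["active"]:
            return 401, {"error": result["error"]}
        return 200, self.data[result["user"]]


def scenario():
    """Two logins from different terminals, then expiry of the second token."""
    now = [1_000.0]  # controllable clock so expiry can be exercised offline
    auth = AuthServer(TokenStore(lambda: now[0]), {"alice": "correct horse"})
    rs = ResourceServer(auth, {"alice": {"name": "Alice", "plan": "pro"}})
    t1 = auth.login("alice", "correct horse")  # terminal A
    first = rs.get_profile(t1)                 # served
    t2 = auth.login("alice", "correct horse")  # terminal B; t1 is superseded
    stale = rs.get_profile(t1)                 # 401 logged_in_elsewhere
    fresh = rs.get_profile(t2)                 # served
    now[0] += TOKEN_TTL_SECONDS + 1            # let the cache expire t2
    expired = rs.get_profile(t2)               # 401 unknown_or_expired
    return first, stale, fresh, expired
```

Two points the patent text leaves open and a real deployment has to settle: the mark on the old token and the write of the new one should be applied atomically (in Redis, a MULTI/EXEC transaction or a Lua script), otherwise a request racing with the login can briefly see two active tokens; and the cache should hold only a hash of the bearer token, as above, so that read access to Redis does not yield credentials that work against the resource server.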
According to the invention, when a platform based on the OAuth protocol is used, a user who forgets to log out on a previous terminal invalidates that terminal's access token simply by logging in to the authentication system on a new terminal. The same user thus holds only one valid access token at any time, the login cannot be used by others, and the security of the platform is improved.
The above embodiments illustrate and do not limit the scope of the invention, which is defined by the claims; all changes that come within the meaning and range of equivalency of the claims are intended to be embraced therein. Any modification, equivalent replacement or improvement made within the spirit and principle of the present invention falls within its scope of protection.
Claims (3)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110141479.0A CN112685718A (en) | 2021-02-02 | 2021-02-02 | Method for invalidating original access token during multi-terminal login of same account based on OAuth protocol |
Publications (1)
Publication Number | Publication Date |
---|---|
CN112685718A true CN112685718A (en) | 2021-04-20 |
Family
ID=75457866
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202110141479.0A Pending CN112685718A (en) | 2021-02-02 | 2021-02-02 | Method for invalidating original access token during multi-terminal login of same account based on OAuth protocol |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN112685718A (en) |
Application events
- 2021-02-02: application CN202110141479.0A (CN) filed, published as CN112685718A, status Pending
Patent Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106534175A (en) * | 2016-12-07 | 2017-03-22 | 西安电子科技大学 | Open platform authorization and authentication system and method based on OAuth protocol |
US20190372962A1 (en) * | 2018-05-31 | 2019-12-05 | Oracle International Corporation | Single sign-on enabled oauth token |
CN109309683A (en) * | 2018-10-30 | 2019-02-05 | 泰华智慧产业集团股份有限公司 | The method and system of client identity verifying based on token |
CN110493202A (en) * | 2019-07-29 | 2019-11-22 | 深圳壹账通智能科技有限公司 | Log in generation and the verification method, device and server of token |
CN111447180A (en) * | 2020-03-04 | 2020-07-24 | 国电南瑞科技股份有限公司 | Security access control strategy for power Internet of things edge access management system |
Non-Patent Citations (1)
Title |
---|
周凯 (Zhou Kai): 《云安全:安全即服务》 (Cloud Security: Security as a Service), 31 August 2020, 机械工业出版社 (China Machine Press), pages 300-305 * |
Cited By (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113271296A (en) * | 2021-04-28 | 2021-08-17 | 北京沃东天骏信息技术有限公司 | Login authority management method and device |
CN113271296B (en) * | 2021-04-28 | 2023-08-04 | 北京沃东天骏信息技术有限公司 | Login authority management method and device |
CN115580416A (en) * | 2021-07-01 | 2023-01-06 | 深圳富桂精密工业有限公司 | Authorization method based on OAuth standard, OAuth server and storage medium |
CN113923010A (en) * | 2021-09-30 | 2022-01-11 | 上海影创信息科技有限公司 | Method and system for single sign-on of head-mounted display device based on virtual reality |
CN114386090A (en) * | 2021-12-09 | 2022-04-22 | 航天信息股份有限公司 | Authority extension method and device for multi-terminal system |
CN114386090B (en) * | 2021-12-09 | 2024-08-06 | 航天信息股份有限公司 | Authority expansion method and device for multi-terminal system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
WD01 | Invention patent application deemed withdrawn after publication | ||
Application publication date: 20210420 |