Disclosure of Invention
The application provides an identity authentication method, a platform, electronic equipment and a computer readable medium, which can rapidly finish the identity authentication of a corresponding user in each operation environment providing service or data under the condition that service or data is required to be accessed across environments, thereby improving the response rate of a service platform to a user side request and guaranteeing the safety of each operation environment.
Specifically, in a first aspect, the present application provides an identity authentication method applied to a cloud management platform for managing a plurality of operating environments, where the cloud management platform determines a first environment in advance from the plurality of operating environments and determines an association relationship of the first environment with management rights to at least one second environment, and the plurality of operating environments include at least one second environment, and the method includes:
The method comprises the steps that the first environment receives a user operation request, wherein the user operation request is used for requesting service or data in a target environment, the target environment being any one of the at least one second environment; the first environment confirms that first user information corresponding to the user operation request meets a first authentication condition and sends an access request to the target environment; the target environment confirms that the first environment indicated by first identity information in the access request meets a second authentication condition and sends second identity information of the target environment to the first environment; wherein the first authentication condition is used for authenticating whether the user identity has operation authority, the second authentication condition is used for reversely authenticating whether the first environment has management authority over the target environment, and the second identity information is used for providing acquisition authority to the service or the data in the target environment.
For example, the first environment may be a main control environment (main environment) set by the cloud management platform, which is a unified access environment for user operation requests. The second environment may be another running environment (runtime environment) managed by the main control environment, i.e., the first environment has management authority over the second environment. The management right may be, for example, a right of the first environment to access the service or data that is to be acquired from the second environment, or the like. The target environment corresponds to the specific second environment requested by the corresponding user operation request.
Therefore, the unified main control environment records the identity information and authentication information of the user, and the unified main control environment receives the user operation request and performs user identity authentication, so that the repeated authentication problem caused by the fact that each running environment needs to record the corresponding identity information of the user can be avoided, and the improvement of the identity authentication efficiency is facilitated. And after user identity authentication is performed by the unified main control environment, in the process of acquiring the service or data in the corresponding operation environment, the corresponding operation environment can perform reverse identity authentication to the main control environment, namely, the authentication process for confirming that the first environment meets the second authentication condition is performed to confirm that the main control environment is an environment with management authority, and is not an environment forged by an intruder of a service platform. Thus, the security of providing corresponding service or data by each running environment can be ensured.
In one possible implementation manner of the first aspect, the first environment confirms that the first user information corresponding to the user operation request meets the first authentication condition, and the method includes that the first environment obtains a token (token) for user identity verification, wherein the token is generated based on second user information recorded in the first environment, and the first environment detects that the first user information is matched with the second user information corresponding to the token and confirms that the first user information corresponding to the user operation request meets the first authentication condition.
That is, the first environment may complete the user authentication process by means of a token for user authentication. The first environment may record, in advance, identity information and authentication information for verifying the identity of the user, for example, an account name and a password, that is, the second user information. In this way, the first environment can verify whether the first user information input with the user operation request satisfies the first authentication condition using the recorded second user information. Since the second user information does not need to be recorded in each operation environment managed by the main control environment, the user terminal initiating the user operation request can quickly acquire the service or data in each operation environment without repeatedly carrying out identity authentication.
In one possible implementation manner of the first aspect, the matching of the first user information with the second user information corresponding to the token includes that the account name and the password in the first user information are the same as the account name and the password corresponding to the second user information carried by the token.
In a possible implementation of the first aspect, the access request includes a header request and a check packet, where the header request is used to request a service or data in the target environment, and the check packet is used to provide the first identity information to the target environment.
In one possible implementation of the first aspect, the target environment determines that the first environment indicated by the first identity information in the access request meets the second authentication condition, where the determining includes: the target environment parses the check packet to obtain the first identity information; the target environment sends an identity authentication request to the first environment according to the first identity information; and the target environment receives a confirmation result returned by the first environment in response to the identity authentication request and determines that the first environment indicated by the first identity information meets the second authentication condition.
The identity authentication request sent to the first environment is, for example, a reverse authentication request sent by the target environment (one of the second environments) to the master control environment. When the first environment (i.e. the master control environment) responds to the identity authentication request and returns a confirmation result to the target environment, the target environment can determine that the first environment has the management authority over the target environment, namely that the second authentication condition is met.
In one possible implementation of the first aspect, the target environment determines that the first environment indicated by the first identity information in the access request meets the second authentication condition, and the method includes the steps that the target environment parses the check packet to obtain the first identity information, the target environment determines management authority related information matched with the first environment according to the first identity information, and sends an identity authentication request to the first environment according to the management authority related information, wherein the management authority related information is used for indicating that the first environment has an association relationship of management authority to the target environment, and the target environment receives a confirmation result returned by the first environment in response to the identity authentication request and determines that the first environment indicated by the first identity information meets the second authentication condition.
In a possible implementation of the first aspect, the check packet is further configured to provide the first user information to the target environment, and the sending of the second identity information of the target environment to the first environment includes: determining, by the target environment according to the first user information obtained by parsing the check packet, that third user information exists in the target environment, where a user name indicated by the third user information is the same as a user name indicated by the first user information; and binding, by the target environment, the second identity information and the third user information and sending the second identity information and the third user information to the first environment.
In one possible implementation of the first aspect, the method further includes the steps that the target environment determines, according to the first user information obtained by parsing the check packet, that the target environment does not have third user information, creates the third user information according to the user name indicated by the first user information, binds the second identity information with the third user information, and sends the second identity information and the third user information to the first environment.
In a possible implementation of the first aspect, the binding of the second identity information with the third user information includes any of adding the third user information as a tag to the second identity information, adding the second identity information and the third user information to a data packet sent to the first environment, and adding the second identity information to the third user information.
In a second aspect, the application provides a cloud management platform, which comprises a first environment and at least one second environment which are determined in advance from a plurality of running environments, wherein the first environment has management authority for the at least one second environment; the first environment is used for receiving a user operation request and sending an access request to a target environment when confirming that first user information corresponding to the user operation request meets a first authentication condition, the user operation request is used for requesting service or data in the target environment, and the target environment is any one of the at least one second environment; the target environment is used for sending second identity information of the target environment to the first environment when confirming that the first environment indicated by first identity information in the access request meets a second authentication condition; the first authentication condition is used for authenticating whether the user identity has the operation authority, the second authentication condition is used for reversely authenticating whether the first environment has the management authority for the target environment, and the second identity information is used for providing acquisition authority to the service or the data in the target environment.
In a third aspect, the present application provides an electronic device comprising one or more processors, one or more memories, the one or more memories storing one or more programs which, when executed by the one or more processors, cause the device to perform the identity authentication method provided in the above first aspect and in various possible implementations of the above first aspect.
In a fourth aspect, the present application provides a computer readable medium having stored thereon instructions which, when executed on a computer, cause the computer to perform the identity authentication method provided in the above first aspect and in various possible implementations of the above first aspect.
Detailed Description
In order to facilitate understanding of the solution of the present application, concepts of some technical fields related to the embodiments of the present application will be explained first.
(1) Cloud: a collection of hardware resources and software resources. Typically, a cloud is provided with a plurality of areas in each country/region, each area including at least one data center, and each data center is provided with hardware resources and software resources. Different cloud service providers build different clouds that provide users with rentals of resources (including computing, storage, networking, applications, etc.) in the form of cloud services. Cloud computing supports a user in acquiring cloud services at various locations by using various terminals, and the hardware resources and software resources supporting the cloud services come from the cloud.
(2) Database: used for storing a large number of data entities. Database design is the process of planning and structuring the data entities in the database and the relationships between the data entities.
(3) Area (region), available zone (AZ) and data center (DC): the geographical locations of different areas are typically far apart. Different countries may be used as different areas, and different regions of the same country may also be used as different areas, for example, a northern China area, a southern China area, a Singapore area, etc. of a cloud service provider. Each area has a plurality of regions isolated from each other, which are called available zones. The available zones in the same area are connected through a low-delay network, and their power supply and network are mutually independent to improve the reliability of the area. Each available zone within an area includes at least one data center, each data center containing a quantity of hardware resources and software resources.
Fig. 1 shows a schematic view of a scenario in which an identity authentication method is applied according to an embodiment of the present application.
As shown in fig. 1, the scenario includes a plurality of terminals 100 and a server 200. The server 200 may be a cloud server, or may be a cluster of servers distributed in one or more areas. Each region may also include one or more available areas providing computing resources, each available area including at least one data center. The hardware resources comprised by the data center may be provided, for example, by a host computer, and the software resources comprised by the respective data center may be provided, for example, by a software program or service running on the host computer. That is, each available region may provide corresponding computing resources through the host, and these computing resources may be provided for use by different environments isolated from each other, such as a development environment, a testing environment, a pre-release environment, a production environment (also referred to as a release environment), etc., while services with specific functions may be run within each environment to provide corresponding capabilities to handle various types of service requests initiated by clients.
With continued reference to fig. 1, a cloud management platform may be run on server 200 to manage multiple environments that serve a business platform. The multiple environments may include one or more running environments distributed in different areas, and the service platform may provide services to corresponding clients through the environments in different areas, such as area a, area B, and the like. For example, the area a may provide an environment a01, an environment a02, and the like shown in fig. 1, where the environment a01 may provide a service a, a service b, and the like, and the environment a02 may provide a service c, a service d, and the like. The area B may provide an environment B01, an environment B02, and the like shown in fig. 1, where a service e, a service f, and the like may be provided in the environment B01, and a service g, a service h, and the like may be provided in the environment B02. The services provided in different environments such as the environment a01, the environment a02, the environment B01, the environment B02 and the like may also be used for meeting the service requirements, the data requirements and the like of different stages. For example, a user may need to request some development debugging services, etc. in a development environment during a development phase, a user may need to obtain configuration services, simulation services, etc. in a test environment during a test phase, and a user may need to obtain databases, configuration services, or synchronization services, etc. of a pre-release environment during a pre-release phase, without limitation.
Each terminal 100 may run a corresponding client capable of accessing the service platform served by the server 200 to request a corresponding service to process the service request input by the user. It will be appreciated that different terminals 100 may be distributed in different areas. In some scenarios, different environments for each region may provide the required services or data to corresponding different clients. For example, a client a01 located within an area a may need to access the environment a01 to obtain the corresponding service, and a client a02 may need to access the environment a02. While a client B01 located within region B may need to access environment B01, a client B02 may need to access environment B02. The clients running on the respective terminals 100 may need to access different environments of different areas. In other scenarios, clients within an area may also need to access different environments within the area, or to access environments within other areas. For example, the client a01 may need to access the environment a01 of the area a, the environment a02, the environment B01 of the area B, and the like. It will be appreciated that the user may be, for example, a developer, an administrator of a service platform, or the like, and is not limited herein.
It will be appreciated that since middleware such as databases on different environments must be separated, the data and resources etc. of each environment are typically isolated from each other. The data and resources between the production environment of the area a and the production environment of the area B are isolated from each other, and the data and resources between the production environment of the area a and the test environment of the area a are also typically isolated from each other. Therefore, the safety of data and resources in each area can be ensured.
However, the user may need to use data, resources, etc. in different environments at different stages, and accordingly the user may access the environments of the respective stages through the client to obtain services or data interfaces (Application Programming Interface, APIs), etc. The user may also need to acquire data or services provided by environments located in different areas, and accordingly the user may access the environments of the corresponding areas through the client to acquire the required services or required data interfaces, and so on.
As described above, in view of the isolation mechanism between different environments, each environment needs to record the identity information and authentication information of the user, so that when the user uses the account to log in to access the corresponding environment, the identity authentication of the user can be completed, and services or data can be provided for the user. The identity information and authentication information corresponding to different users in the same environment are also different. Therefore, the number of user identity information and corresponding authentication information to be recorded and managed in many environments is large, which is inconvenient to maintain and manage. When different environments require a user to input identity information or authentication information, a large information burden is brought to the user, and the user cannot conveniently use cross-environment service or data interfaces.
In order to solve the problems, the application provides an identity authentication method which is applied to electronic equipment such as a cloud management platform or a server for managing the environments.
Specifically, one of a plurality of independently running environments is preset as a main control environment (also called main environment), and the other environments serve as independent running environments (also called runtime environments) that interact with the main control environment through reserved data interfaces so as to establish an association relationship between the main control environment and each running environment. Further, access requests to the respective running environments, such as requests for acquiring services or data in the respective running environments, may be initiated by the unified main control environment. At this time, the main control environment can complete one-time user identity authentication according to the authentication information of the corresponding user that it records and maintains. When a running environment receives an access request initiated by the main control environment, it can reversely authenticate the main control environment, for example by checking whether the identity information of the main control environment corresponds to the identity of its associated main control environment, so that the user identity authentication in the running environment is completed. After verifying the identity of the main control environment, each running environment can uniformly provide, through the main control environment, the service or data acquisition authority requested by the corresponding user.
Therefore, when a plurality of independent running environments are accessed to acquire service or data, the identity authentication can be rapidly completed in the main control environment and each running environment only by recording and operating the user identity information and the authentication information through the main control environment. The method is convenient for unified management of the identity information and authentication information of different users, simplifies the operation of inputting the identity information and authentication information by the users, and does not need to repeatedly input the identity authentication information when the users access different environments. Moreover, the access request to each running environment can firstly complete primary identity authentication through the main control environment, then the affiliated relationship between the main control environment and the running environment is checked, and then secondary identity authentication is carried out on the user in each running environment, so that the security can be higher.
It can be understood that the above-mentioned main control environment and each operation environment may belong to the same service platform, or may belong to an associated service platform for mutually authorizing and managing user identity information and authentication information. The master control environment may be a certain environment to which each operating environment on the same service platform is correspondingly subordinate, or may be any environment which is selected from a plurality of parallel and independent operating environments and has management authority for other environments. The management rights may include at least rights to access other environments. The application is not limited in this regard.
The authentication information for performing the user identity authentication may be token information generated based on an account and a password input by the user, and the authentication mode used by the token may be, for example, an authentication mode corresponding to an access token, which is not limited herein. The identity information may include identity (ID) information of the master control environment, identity information corresponding to each operating environment, and the like. It can be understood that the above-mentioned master control environment can obtain the corresponding token through the account and password to authenticate the user when receiving a user operation. After authentication is completed, the master control environment may send the token and the identity information of the master control environment to the requested operating environment. The operating environment can then carry out reverse identity authentication of the master control environment according to the received token and identity information, and after the authentication succeeds provide its own identity information to the master control environment, so that the requested service or data and the like can be provided through the master control environment.
In some actual authentication scenarios, some running environments may not record user identity information corresponding to an access request initiated by the master control environment, and at this time, the running environments may create corresponding user identity information, bind their own authentication information with the user identity information, and provide the user identity information to the master control environment for use.
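The two-stage flow described above (token-based user authentication in the main control environment, reverse authentication of the main control environment by the running environment, and creation and binding of user information when the running environment has no record for the user), as an added Python simulation that is not code from the application; the environment names, the credential hashing scheme, the check packet fields and the forged-environment case are all assumptions.

```python
import hashlib
import secrets
from dataclasses import dataclass, field


def credential_digest(account: str, password: str) -> str:
    """Hash a recorded account/password pair (assumed scheme, not the application's)."""
    return hashlib.sha256(f"{account}:{password}".encode()).hexdigest()


@dataclass
class AccessRequest:
    header: dict        # header request: names the service or data wanted
    check_packet: dict  # check packet: first identity info, token, user name


@dataclass
class MasterEnvironment:
    """First (main control) environment: records user info and issues tokens."""
    env_id: str
    users: dict = field(default_factory=dict)   # second user info: account -> digest
    managed: set = field(default_factory=set)   # ids of the second environments it manages
    tokens: dict = field(default_factory=dict)  # issued token -> account

    def issue_token(self, account: str, password: str):
        """Generate a token from the recorded second user information; None if it fails."""
        if self.users.get(account) != credential_digest(account, password):
            return None
        token = secrets.token_hex(16)
        self.tokens[token] = account
        return token

    def meets_first_condition(self, token: str, account: str, password: str) -> bool:
        """First authentication condition: the supplied user info matches the token."""
        return (self.tokens.get(token) == account
                and self.users.get(account) == credential_digest(account, password))

    def confirm_identity(self, env_id: str, token: str, target_id: str) -> bool:
        """Answer a reverse authentication request sent back by a running environment."""
        return env_id == self.env_id and token in self.tokens and target_id in self.managed

    def access(self, target: "RuntimeEnvironment", token: str, account: str,
               password: str, service: str) -> dict:
        """Authenticate the user, then send the access request (header + check packet)."""
        if not self.meets_first_condition(token, account, password):
            raise PermissionError("first authentication condition not met")
        request = AccessRequest(
            header={"service": service, "token": token, "env_id": self.env_id},
            check_packet={"env_id": self.env_id, "token": token, "user": account},
        )
        return target.handle(request)


@dataclass
class RuntimeEnvironment:
    """Second (running) environment associated with exactly one master environment."""
    env_id: str
    identity: str                 # second identity information
    master: MasterEnvironment     # management-authority-related information
    users: dict = field(default_factory=dict)  # third user info: user name -> record

    def handle(self, request: AccessRequest) -> dict:
        """Parse the check packet, reverse-authenticate the master, bind the user."""
        info = request.check_packet
        # Second authentication condition: the claimed first environment must be the
        # associated master, and that master must confirm the identity and token.
        if info["env_id"] != self.master.env_id or not self.master.confirm_identity(
                info["env_id"], info["token"], self.env_id):
            raise PermissionError("second authentication condition not met")
        name = info["user"]
        # Third user information: reuse the record with the same user name, else create it.
        record = self.users.setdefault(name, {"name": name})
        # Binding: the third user information is added as a tag to the second identity info.
        return {"identity": self.identity, "tag": record, "granted": request.header["service"]}


def demo():
    """Constructed sample: one master, one managed running environment, user alice."""
    master = MasterEnvironment("main-env", users={"alice": credential_digest("alice", "pw-1")},
                               managed={"env-a01"})
    runtime = RuntimeEnvironment("env-a01", "env-a01-identity", master)
    token = master.issue_token("alice", "pw-1")
    granted = master.access(runtime, token, "alice", "pw-1", "service-a")
    # An environment forging the master's id but holding its own tokens is rejected
    # because the real master does not recognise the token in the reverse check.
    forged = MasterEnvironment("main-env", users=dict(master.users), managed={"env-a01"})
    try:
        forged.access(runtime, forged.issue_token("alice", "pw-1"), "alice", "pw-1", "service-a")
        forged_rejected = False
    except PermissionError:
        forged_rejected = True
    return granted, forged_rejected


if __name__ == "__main__":
    print(demo())
```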
It can be appreciated that the server 200 to which the identity authentication method provided in the embodiment of the present application is applicable may be an application server, a database server, or the like, or may be another cluster or other electronic device with a relatively high storage capability and a relatively high computing capability. There is no limitation in this regard.
It will be appreciated that the terminal 100 to which the identity authentication method provided in the embodiment of the present application is applicable may include, but is not limited to, a notebook, a tablet, a desktop, a laptop, a handheld computer, a netbook, a mobile phone, an augmented reality (AR)/virtual reality (VR) device, a smart TV, a device with one or more processors embedded or coupled therein, or other devices capable of accessing a network.
Based on the scenario shown in fig. 1, fig. 2 is a schematic diagram illustrating an operation principle of an identity authentication method according to an embodiment of the present application.
As shown in fig. 2, in the identity authentication scheme provided by the present application, a user operation request received through the terminal 100 or the like is uniformly routed to the gateway 211 of the master control environment 210 for processing, referring to the process ① shown in fig. 2. The user operation request may be, for example, a service acquisition request or a data acquisition request for a remote running environment in another area, or the like. At this time, the gateway 211 of the master control environment 210 may obtain the corresponding token according to the account, password, etc. recorded or input by the user to perform the user authentication, referring to the process ② shown in fig. 2.
After confirming that the logged-in user identity is legitimate, the master control environment 210 then sends a corresponding access request to the requested running environment 220. In some embodiments, referring to process ③ shown in fig. 2, the access request sent by the master control environment 210 to the running environment 220 may include a header request based on header information (header) and a check packet, and the access request is received by the gateway 221 of the running environment 220 and passed to the corresponding environment. The header request may include the acquired token information and the identity information of the master control environment 210, so as to request the running environment 220 for acquiring services or data. The check packet may also include the token information and the identity information of the master control environment 210 and may be parsed by the running environment 220, referring to process ④ of fig. 2. Further, referring to the process ⑤ shown in fig. 2, the running environment 220 may use the identity information obtained by parsing the check packet to verify whether the master control environment 210 is the environment to which it belongs, i.e. perform the reverse verification of identity on the master control environment 210.
After the running environment 220 successfully verifies the identity in the reverse direction to the master environment 210, referring to the process ⑥ shown in fig. 2, the running environment 220 may provide the identity information of the running environment to the master environment 210, so as to provide the master environment 210 with the requested access rights of the service or data, etc. in response to the header request of the master environment 210.
Based on the application scenario shown in fig. 1, fig. 3 shows an interaction flow diagram for implementing an identity authentication method according to an embodiment of the present application. The flow shown in fig. 3 mainly relates to interaction between the hosting environment 210 and the running environment 220. The master control environment 210 and the running environment 220 may be managed by the cloud management platform in a unified manner, and the cloud management platform may determine the master control environment from the managed multiple environments, and set an association relationship between the master control environment and each running environment, for example, a relationship that the running environment belongs to the master control environment.
It should be stated that, in the embodiment of the present application, the steps in the method and the flow are numbered for convenience of reference, not for limiting their sequence; where a sequence does exist among the steps, it is as described in the text.
As shown in fig. 3, specifically, the process includes the steps of:
301. The master control environment 210 receives an operation request from a user requesting to obtain services or data, etc. from a remote running environment.
By way of example, a user may initiate, via a handheld electronic device, such as a laptop, an acquisition request for services or data in some environments, such as an environment running on the same area server, an environment provided in different available areas in different areas, or an environment running in different phases, such as a test environment, a pre-release environment, etc.
As described above, in each environment belonging to the same service platform or different service platforms, one of the environments may be preset as a master control environment, and the master control environment and other operating environments may be connected through an API and establish a relationship therebetween. Wherein the hosting environment 210 may be used to access service or data acquisition requests in all environments, which may include acquisition requests for service or data in the remote operating environment 220.
302, The master control environment 210 obtains token information for verifying whether the user identity is legal based on the recorded account information.
Illustratively, the hosting environment 210 may pre-record accounts, passwords, etc. registered by the respective users, for verifying the legitimacy of the user identities, for marking the respective users or the tenant to which the respective users belong for obtaining rights to services or data within the respective environments, etc. When a user logs in through a webpage of a terminal or an installed client, account information such as an account and a password can be input for verification. At this time, the hosting environment 210 may receive an authentication request issued by the terminal 100 in response to a user operation, and acquire a token (token) for user authentication based on recorded account information, such as account, password, etc. After the key is acquired by the hosting environment 210, it may be saved and used to perform steps 303-304 described below.
303, The master control environment 210 confirms that the identity of the user is legal according to the token information.
Illustratively, the master control environment 210 may use the token information obtained above to verify whether the account password input by the user during login is correct, thereby verifying whether the user identity is legal. If the account password information corresponding to the token information can be matched with the account password information input by the user, the master control environment 210 can determine that the user identity is legal and has access to services or data, etc. in the requested environment. Otherwise, if the account password information corresponding to the token information cannot be matched with the account password information input by the user, the master control environment 210 can determine that the identity of the user is illegal and cannot access the requested environment.
304, The master control environment 210 invokes the first environment interface to initiate an access request to the running environment 220.
For example, after determining that the identity of the user initiating the operation is legal, the master control environment 210 may, according to the information about the running environment to which the user operation request corresponds, invoke the interface of that running environment to initiate the access request, e.g., invoke the first environment interface of the running environment 220 described above to initiate an access request to the running environment 220. The access request may include a request header, a check packet, and the like. The request header may be used to request the desired service or data from the target running environment, and the check packet may be parsed by the running environment 220 so as to provide the token information to the running environment 220.
In addition, the master control environment 210 may also provide its own identity information to the running environment 220 through the check packet, for use when the running environment 220 performs a reverse check on the identity validity of the master control environment 210. Reference may be made specifically to the following description of step 306, and details are not described here.
305, The running environment 220 parses the check packet in the access request to obtain the token information and the first identity information of the master control environment.
For example, after receiving the access request sent by the master control environment 210, the running environment 220 may parse the check packet carried by the access request to obtain the token information and the first identity information corresponding to the master control environment 210. The token information may be used by the running environment 220 to bind the corresponding user identity when providing the requested service or data, and the first identity information may be used by the running environment 220 to verify the identity of the above-mentioned master control environment 210, for example, to verify whether the master control environment 210 is the environment to which the running environment 220 belongs, or to verify whether the master control environment 210 has management authority over the running environment 220, etc.
306, The running environment 220 calls the second environment interface to initiate a reverse identity authentication request to the master control environment 210.
Illustratively, after parsing the first identity information of the master control environment 210, the running environment 220 may initiate an identity authentication request to the master control environment 210, either based on the master control environment identification information determined to match the first identity information, or directly according to the first identity information. To do so, the running environment 220 may invoke the second environment interface provided by the master control environment 210.
In the embodiments of the present application, for ease of understanding, the preceding process in which the master control environment 210 initiates the access request to the running environment may be described as a forward process, and the process performed in this step, in which the running environment 220 initiates the identity authentication request to the master control environment, may be described as a reverse process. Thus, the running environment 220 may invoke the second environment interface to initiate a reverse authentication request to the master control environment 210.
It will be appreciated that in some embodiments, the identity information of the master control environment may be pre-recorded in each of the running environments belonging to that master control environment. Thus, when a running environment receives an access request initiated by the master control environment, it can determine, from the recorded master control environment identity information, the identity information matching the received first identity information, and initiate a reverse identity authentication request based on the matched identity information. In other embodiments, each running environment may also directly send an identity authentication request to the corresponding master control environment according to the received first identity information, which is not limited herein. The identity authentication request initiated by the running environment 220 may be used, for example, to request confirmation of whether the running environment 220 is subordinate to the corresponding master control environment, etc.
307, The master control environment 210 returns an authentication result to the running environment 220 in response to the identity authentication request.
Illustratively, the master control environment 210 may feed back the authentication result to the running environment 220 upon receiving the above-mentioned authentication request issued in reverse by the requested running environment 220. For example, the master control environment 210 may return a message such as "true" or "false" to the running environment 220 as the authentication result, which is not limited herein.
It will be appreciated that the reverse authentication of the master control environment 210 by the running environment 220 described in steps 306-307 above ensures that the access request for obtaining services or data from the running environment 220 comes from a legitimate master control environment, not from an illegitimate environment forged by an illegitimate user or by an intruder into the service platform. In this way, the security of the data in the accessed running environment 220 may be ensured. The legitimate master control environment may be, for example, the master control environment to which the running environment 220 belongs, or an authenticated environment having some other authorized relationship with the running environment 220, which is not limited herein.
308, The running environment 220 confirms that the authentication has passed according to the received authentication result.
Illustratively, the running environment 220 confirms whether the identity authentication of the master control environment 210 has passed according to the authentication result information fed back by the master control environment 210, such as "true" or "false" described above.
309, The running environment 220 determines whether user information with the same name exists in the local environment.
If the result is yes, the running environment 220 may execute the following step 311 to provide the identity information of the running environment to the corresponding master control environment 210.
If the result is no, the running environment 220 may execute step 310, in which user information identical to the user information in the received token information, that is, same-name user information, is created.
For example, the running environment 220 may confirm, according to the token information obtained by parsing in step 305, the user information that needs to obtain the service or data, such as the account name or account information like the user name and password, and determine whether user information with the same account name or user name exists in the local environment. If the running environment 220 determines that corresponding user information exists in the local environment and is the same as the user information indicated by the token, e.g., the corresponding user name is the same, the running environment 220 may determine that same-name user information exists in the local environment. If the running environment 220 determines that no corresponding user information exists in the local environment, or that the recorded user information differs from the user information indicated by the token, for example, the corresponding user name is different, the running environment 220 may determine that no same-name user information exists in the local environment.
310, The running environment 220 creates the same-name user information.
Illustratively, the running environment 220 may create the same-name user information based on the user information indicated by the parsed token. For example, if the user name in the user information indicated by the parsed token is "yibao01", the user name of the same-name user information created by the running environment 220 at this time is also "yibao01".
It will be appreciated that the same-name user information in the running environment 220 is mainly used to mark the second identity information provided to the master control environment 210 that initiated the access request when performing the following step 311. Reference may be made specifically to the following related description, which is not repeated here.
It will be appreciated that in some scenarios of remote access to a running environment, by automatically creating the same-name user information so as to keep the corresponding user information synchronized with the master control environment 210, the running environment 220 can ensure that the corresponding user operation is executed successfully after the identity authentication of steps 301 to 310 is completed. For example, the same-name user information can ensure that the running environment 220 successfully performs step 311, described below, and that the master control environment 210 successfully performs step 312, described below, completing the process of returning the requested service or data to the user.
311, The running environment 220 provides the second identity information of the running environment to the master control environment 210 using the same-name user information.
For example, after confirming that the identity of the master control environment 210 is legal, the running environment 220 may bind its own identity information with the existing same-name user information and send the bound information to the master control environment 210. To distinguish it from the first identity information corresponding to the above-mentioned master control environment 210, the identity information provided by the running environment 220 may be referred to as second identity information. The binding manner may include, but is not limited to, marking the same-name user information on the second identity information, adding the second identity information to the same-name user information, or compressing the second identity information and the same-name user information into the same package.
It is to be appreciated that the second identity information provided by the running environment 220 to the authenticated master control environment 210 can be used to authorize the master control environment 210 to obtain services, data, etc. within the corresponding running environment.
312, The master control environment 210 invokes a service interface or a data interface within the running environment to obtain the service or data using the received second identity information.
For example, the master control environment 210 may obtain the required service or data, etc. from the running environment 220 according to the second identity information fed back by the running environment 220, and then provide the service or data to the corresponding function of the terminal 100 operated by the user, or to the client running on the terminal 100, etc.
In this way, through the execution of steps 301 to 312, the master control environment 210 uniformly manages and controls the identity authentication that a user must undergo when obtaining services or data in each running environment, so that the user does not need to repeatedly enter account passwords and the like for identity authentication. This facilitates the user's operation, and in particular facilitates the user's scheduled access to services or data in remote running environments. In addition, the mode in which a running environment, upon receiving an access request from the master control environment to which it belongs, performs reverse authentication of that master control environment can also improve the security of the information related to the unified management and control of identity authentication by the master control environment, and helps to continuously guarantee the security of each user, of the tenant to which each user belongs, and of the data in each area and each environment.
It can be understood that a user can integrate the services provided by different environments of different service platforms according to the user's service requirements or usage scenarios. For different environments of the same service platform, different users may have different user names, account names, passwords, etc., for verifying the identity and authority of the users. For the environments of different service platforms, the users of each service platform can also be distinguished by the identification information of the corresponding service platform. Therefore, each service platform can control the information that is unique to its own environments, such as the domain name, environment interface (API), login account, password, etc., and can perform consistent switching of the corresponding user between different service platforms or different environments, so that a corresponding user can be supported in using the environments of different service platforms.
For example, a user may integrate some services in the production environment of area A, the test environment of area A, the production environment of area B, and the test environment of area B, to develop or test functions on a certain client or a certain service platform web page. As described above, the different areas A and B may refer to area isolation between different countries, area isolation between different provinces and cities, and the like, which is not limited herein.
Fig. 4 shows a schematic structural diagram of a cloud management platform according to an embodiment of the present application.
As shown in fig. 4, the cloud management platform 400 may manage a plurality of environments. As previously described, these environments may serve the same business platform or different business platforms, these environments may provide corresponding phases of service for different phases of software products such as clients, etc., and these environments may be distributed in the same area or different areas, e.g., environments A01, A02 may be distributed in area A, environments B01, B02 may be distributed in area B, etc. The application is not limited in this regard.
Based on the identity authentication method provided by the application, the cloud management platform 400 can set the environment A01 among the multiple environments as the master control environment. A master-slave relationship may then be established between the master control environment A01 and the running environments A02, B01, B02 through certain environment interfaces (APIs), so as to set the environments A02, B01, B02, etc. as running environments subordinate to the master control environment A01. As an example, the above-mentioned environment interfaces may include interface I shown in fig. 4, which is a reverse authentication interface set on the master control environment A01 and provided to the running environments. The environment interfaces may also include interface II and interface III shown in fig. 4, two interfaces set on the running environments and provided to the master control environment A01. Interface II can be used to receive access requests initiated by the master control environment, and interface III can be used to provide the requested services, data, etc. to the master control environment.
Through interface I preset on the master control environment and interfaces II and III preset on the running environments, the master control environment and the running environments can execute the interaction flow shown in fig. 3, implementing the identity authentication method provided by the application.
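The forward and reverse exchange of steps 301 to 312, carried over interfaces I, II and III of fig. 4, as an added Python simulation; this is example code, not the application's own. The environment names, the token and check packet formats, the second identity format and the inclusion of the token in the reverse authentication request are assumptions.

```python
# Added simulation of the Fig. 3 flow (steps 301-312) over interfaces I/II/III
# of Fig. 4; example code, not the application's own. Environment names, token
# and check packet formats and the token in the reverse request are assumptions.
import secrets
from typing import Dict, Optional, Set


class MasterEnvironment:
    """Master control environment (A01 in Fig. 4)."""

    def __init__(self, env_id: str, accounts: Dict[str, str]):
        self.env_id = env_id                # first identity information
        self._accounts = accounts           # pre-recorded account -> password
        self._tokens: Dict[str, str] = {}   # issued token -> user name
        self.subordinates: Dict[str, "RunningEnvironment"] = {}

    def login(self, user: str, password: str) -> Optional[str]:
        """Steps 302-303: verify the account, issue a token (None if illegal)."""
        if self._accounts.get(user) != password:
            return None
        token = secrets.token_hex(16)
        self._tokens[token] = user
        return token

    def reverse_authenticate(self, claimed_env_id: str,
                             running_env_id: str, token: str) -> bool:
        """Interface I (step 307): true only if the claimed identity is ours,
        the requester is subordinate and (assumption) we issued the token."""
        return (claimed_env_id == self.env_id
                and running_env_id in self.subordinates
                and token in self._tokens)

    def fetch(self, token: str, target: str, resource: str) -> Optional[str]:
        """Step 304: forward access request with the check packet; step 312:
        use the returned second identity information on interface III."""
        user = self._tokens.get(token)
        env = self.subordinates.get(target)
        if user is None or env is None:
            return None
        check_packet = {"token": token, "user": user,
                        "first_identity": self.env_id}
        second_identity = env.access_request(check_packet)
        if second_identity is None:
            return None
        return env.get_data(resource, second_identity)


class RunningEnvironment:
    """Subordinate running environment (A02, B01, B02 in Fig. 4)."""

    def __init__(self, env_id: str, master: MasterEnvironment,
                 data: Dict[str, str]):
        self.env_id = env_id
        self._master = master               # pre-recorded master environment
        self._data = data                   # constructed service data
        self.users: Set[str] = set()        # locally recorded user names
        self._issued: Dict[str, str] = {}   # second identity -> user name
        master.subordinates[env_id] = self

    def access_request(self, check_packet: Dict[str, str]) -> Optional[str]:
        """Interface II (steps 305-311): second identity information bound to
        the same-name user, or None when reverse authentication fails."""
        first_identity = check_packet["first_identity"]
        # 306-308: ask only the recorded master, never the caller itself
        if (first_identity != self._master.env_id
                or not self._master.reverse_authenticate(
                    first_identity, self.env_id, check_packet["token"])):
            return None
        user = check_packet["user"]
        self.users.add(user)  # 309-310: create same-name user if missing
        # 311: bind second identity information to the same-name user
        second_identity = f"{self.env_id}:{user}:{secrets.token_hex(8)}"
        self._issued[second_identity] = user
        return second_identity

    def get_data(self, resource: str, second_identity: str) -> Optional[str]:
        """Interface III: honour only second identity information issued here."""
        if second_identity not in self._issued:
            return None
        return self._data.get(resource)
```

A check packet whose first identity information does not match the recorded master, or whose token the master never issued, is refused at interface II before any same-name user is created.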
Fig. 5 shows a schematic hardware structure of a server 200 according to an embodiment of the application.
As shown in FIG. 5, in some embodiments, the server 200 may include one or more processors 504, system control logic 508 coupled to at least one of the processors 504, system memory 512 coupled to the system control logic 508, non-volatile memory (NVM) 516 coupled to the system control logic 508, and a network interface 520 coupled to the system control logic 508.
In some embodiments, processor 504 may include one or more single-core or multi-core processors. In some embodiments, processor 504 may include any combination of general-purpose and special-purpose processors (e.g., graphics processor, application processor, baseband processor, etc.). In embodiments where the server 200 employs an eNB (enhanced Node B) 101 or a RAN (Radio Access Network) controller 102, the processor 504 may be configured to perform various conforming embodiments, such as the embodiments described above as shown in fig. 2-fig. or other embodiments.
In some embodiments, system control logic 508 may include any suitable interface controller to provide any suitable interface to at least one of processors 504 and/or any suitable device or component in communication with system control logic 508.
In some embodiments, system control logic 508 may include one or more memory controllers to provide an interface to system memory 512. The system memory 512 may be used for loading and storing data and/or instructions. In some embodiments, memory 512 of server 200 may include any suitable volatile memory, such as suitable Dynamic Random Access Memory (DRAM).
NVM 516 may include one or more tangible, non-transitory computer-readable media for storing data and/or instructions. In some embodiments, NVM 516 can include any suitable nonvolatile memory, such as flash memory, and/or any suitable nonvolatile storage device, such as at least one of an HDD (Hard Disk Drive), a CD (Compact Disc) drive, or a DVD (Digital Versatile Disc) drive.
NVM 516 may include a portion of a storage resource on the device on which server 200 is installed, or it may be accessed by, but not necessarily part of, a device. For example, NVM/storage 516 may be accessed over a network via network interface 520.
In particular, system memory 512 and NVM 516 may include a temporary copy and a permanent copy of instructions 524, respectively. The instructions 524 may include instructions that when executed by at least one of the processors 504 cause the server 200 to implement the method shown in fig. 3. In some embodiments, instructions 524, hardware, firmware, and/or software components thereof may additionally/alternatively be disposed in system control logic 508, network interface 520, and/or processor 504.
Network interface 520 may include a transceiver to provide a radio interface for server 200 to communicate with any other suitable device (e.g., front end module, antenna, etc.) over one or more networks. In some embodiments, network interface 520 may be integrated with other components of server 200. For example, network interface 520 may be integrated with at least one of processor 504, system memory 512, NVM 516, and a firmware device (not shown) having instructions which, when executed by at least one of processor 504, implement the method described above in fig. 3.
Network interface 520 may further include any suitable hardware and/or firmware to provide a multiple-input multiple-output radio interface. For example, network interface 520 may be a network adapter, a wireless network adapter, a telephone modem, and/or a wireless modem.
In one embodiment, at least one of the processors 504 may be packaged together with logic for one or more controllers of the system control logic 508 to form a System In Package (SiP). In one embodiment, at least one of the processors 504 may be integrated on the same die with logic for one or more controllers of the system control logic 508 to form a system on a chip (SoC).
The server 200 may further include an input/output (I/O) device 532. The I/O devices 532 may include a user interface to enable a user to interact with the server 200, and a peripheral component interface designed to enable peripheral components to also interact with the server 200. In some embodiments, server 200 further includes a sensor for determining at least one of environmental conditions and location information associated with server 200.
In some embodiments, the user interface may include, but is not limited to, a display (e.g., a liquid crystal display, a touch screen display, etc.), a speaker, a microphone, one or more cameras (e.g., still image cameras and/or video cameras), a flashlight (e.g., light emitting diode flash), and a keyboard.
In some embodiments, the peripheral component interface may include, but is not limited to, a non-volatile memory port, an audio jack, and a power interface.
In some embodiments, the sensors may include, but are not limited to, gyroscopic sensors, accelerometers, proximity sensors, ambient light sensors, and positioning units. The positioning unit may also be part of the network interface 520 or interact with the network interface 520 to communicate with components of a positioning network, such as Global Positioning System (GPS) satellites.
Reference in the specification to "one embodiment" or "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment is included in at least one example implementation or technique disclosed in accordance with embodiments of the application. The appearances of the phrase "in one embodiment" in various places in the specification are not necessarily all referring to the same embodiment.
The disclosure of the embodiments of the present application also relates to an apparatus for performing the operations described herein. The apparatus may be specially constructed for the required purposes, or it may comprise a general-purpose computer selectively activated or reconfigured by a computer program stored in the computer. Such a computer program may be stored in a computer readable medium, such as, but not limited to, any type of disk including floppy disks, optical disks, CD-ROMs, magneto-optical disks, read-only memories (ROMs), random access memories (RAMs), EPROMs, EEPROMs, magnetic or optical cards, application specific integrated circuits (ASICs), or any type of media suitable for storing electronic instructions, and each may be coupled to a computer system bus. Furthermore, the computers referred to in the specification may include a single processor or may be architectures employing multiple processors for increased computing power.
Additionally, the language used in the specification has been principally selected for readability and instructional purposes, and may not have been selected to delineate or circumscribe the disclosed subject matter. Accordingly, the present disclosure of embodiments is intended to be illustrative, but not limiting, of the scope of the concepts discussed herein.