TW202447457A - Authorization verification access system - Google Patents
Publication numbers: TW202447457A, TW112118185A
Authority: TW (Taiwan)
Prior art keywords: service, authorization, module, user, verification
Landscapes: Storage Device Security (AREA)
Description
The present invention relates to an authorization verification access system, and in particular to one that integrates the authorization verification mechanisms of multiple services.
With the development of cloud technology, a cloud ecosystem of diversified services can better provide localized services for the differing needs of enterprises in each region, and information security has accordingly received greater attention. However, when users use different services they must go through each service's cumbersome login procedure, which often causes difficulty in authorization management and creates information security risks. As services diversify, each service's standard for account management differs, and the scalability of existing service authorization systems has not developed as expected, so it is hard to unify the authorization standards of the services in the cloud ecosystem, and the demand for integration grows daily.
In addition, in the authorization verification mechanism of existing single sign-on services, a service owner must modify its authorization verification mechanism before it can be integrated into the same authorization system, which raises the cost for the service owner of joining the cloud ecosystem. The market therefore lacks an authorization verification access system that can unify the multiple authorization verification mechanisms of the various services, and the relevant industry is seeking a solution.
Therefore, the object of the present invention is to provide an authorization verification access system that uses a logic server to integrate the user authorization data corresponding to the service modules into unified service authorization data, and then uses an authorization verification server to issue service access credentials to a user module according to the service authorization data, thereby managing the authorization verification mechanisms in a unified way while securing the verification process and the information involved.
According to one embodiment of the present invention, an authorization verification access system includes a plurality of service modules, a logic database, a logic server, an authorization verification server and a user module. The logic database stores a plurality of user authorization data corresponding to the service modules. The logic server is connected to the logic database, integrates the user authorization data into service authorization data, and stores the service authorization data in the logic database. The authorization verification server is connected to the logic database and to the service modules, and parses the service authorization data to generate a plurality of service access credentials. The user module is connected to the authorization verification server and transmits to it a service access request corresponding to at least one service module. The authorization verification server verifies an identity code of the user module according to the service access request, selects one of the service access credentials according to the identity code and transmits it to the user module, so that the user module connects to the at least one service module via the authorization verification server and accesses it with that service access credential.
In this way, the authorization verification access system of the present invention chains the user authorization data corresponding to each service module into the authorization verification server and is thus not limited by the authorization differences between services, achieving cross-platform authorization and unified management without modifying the existing authorization verification mechanisms.
In a further embodiment, the authorization verification access system further includes a plurality of management modules. The management modules are connected to the logic database and are used to respectively set and update the user authorization data stored in the logic database, and the logic server re-integrates the user authorization data to update the service authorization data.
In a further embodiment, the authorization verification server includes a data receiving module, an authorization verification parsing module and an authorization verification database. The data receiving module receives the service authorization data from the logic database. The authorization verification parsing module is connected to the data receiving module and parses the service authorization data to generate the service access credentials. The authorization verification database is connected to the authorization verification parsing module and stores the service access credentials.
In a further embodiment, the authorization verification server verifies the at least one service module according to the service access request and obtains at least one service access token corresponding to that service module, and confirms from the service access token whether an authorization relationship exists between the user module and the service module.
In a further embodiment, the selected service access credential includes an encrypted message, and the at least one service module verifies from the encrypted message whether the user module holds a usage permission for that service module; when it does, the service module allows the user module to access it.
In a further embodiment, the authorization verification server executes a hash algorithm on the service access request to generate the identity code of the user module.
According to another embodiment of the present invention, an authorization verification access system includes a plurality of service modules, a logic database, a logic server, an authorization verification server, an application programming interface and a user module. The logic database stores a plurality of user authorization data corresponding to the service modules. The logic server is connected to the logic database, integrates the user authorization data into service authorization data, and stores the service authorization data in the logic database. The authorization verification server is connected to the logic database and to the service modules, and parses the service authorization data to generate a plurality of service access credentials. The application programming interface is connected to the authorization verification server and is account-linked with it. The user module connects to and logs into the application programming interface, and transmits through it a service access request corresponding to at least one service module to the authorization verification server. The authorization verification server verifies an identity code of the user module according to the service access request, selects one of the service access credentials according to the identity code and transmits it to the application programming interface, so that the user module connects to the at least one service module via the application programming interface and the authorization verification server and accesses it with that service access credential.
In this way, the authorization verification access system of the present invention uses the logic server to integrate the user authorization data corresponding to the service modules into unified service authorization data, then uses the authorization verification server to issue service access credentials to the user module according to the service authorization data, achieving differentiated authorization verification across multiple services and multiple user groups while reducing the cost for each service of joining the authorization verification server.
In a further embodiment, the authorization verification access system further includes a plurality of management modules. The management modules are connected to the logic database and are used to respectively set and update the user authorization data stored in the logic database, and the logic server re-integrates the user authorization data to update the service authorization data.
In a further embodiment, the authorization verification server verifies the at least one service module according to the service access request and obtains at least one service access token corresponding to that service module, and confirms from the service access token whether an authorization relationship exists between the user module and the service module.
In a further embodiment, the selected service access credential includes an encrypted message, and the at least one service module verifies from the encrypted message whether the user module holds a usage permission for that service module; when it does, the service module allows the user module to access it.
Several embodiments of the present invention are described below with reference to the drawings. For clarity, many practical details are described together with them. It should be understood, however, that these practical details do not limit the present invention; in some embodiments they are unnecessary. In addition, to simplify the drawings, some well-known structures and components are drawn schematically, and repeated components may be labelled with the same reference numeral.
Furthermore, when a component (or unit, module, etc.) is said herein to be "connected/coupled" to another component, it may be directly connected/coupled to it or indirectly connected/coupled through intervening components; only when a component is expressly "directly connected/coupled" to another are there no intervening components. The terms first, second, third and so on merely distinguish components and impose no limitation on them, so a first component may also be called a second component. Moreover, the combinations of components/units/circuits herein are not generally known, conventional or customary combinations in the field; whether a component/unit/circuit is itself known cannot be used to judge whether its combination could readily be arrived at by a person of ordinary skill in the art.
Referring to FIG. 1, a block diagram of an authorization verification access system 100 according to the first embodiment of the present invention, the authorization verification access system 100 includes a service group 200, a logic database 300, a logic server 400, an authorization verification server 500 and a user module 600.
The service group 200 includes a plurality of service modules 210, 220, 230. The logic database 300 stores a plurality of user authorization data 310, 320, 330 corresponding to the service modules 210, 220, 230. The logic server 400 is signal-connected to the logic database 300; at fixed intervals it retrieves the user authorization data 310, 320, 330 from the logic database 300, integrates them into service authorization data 340, and stores the service authorization data 340 back in the logic database 300.
The authorization verification server 500 is signal-connected to the logic database 300 and to the service modules 210, 220, 230 of the service group 200. It retrieves the service authorization data 340 from the logic database 300 and performs key parsing on it to generate a plurality of service access credentials 521. The user module 600 is signal-connected to the authorization verification server 500 and transmits to it a service access request 610 corresponding to at least one of the service modules 210, 220, 230. The authorization verification server 500 verifies an identity code of the user module 600 according to the service access request 610, then selects one of the service access credentials 521 according to the identity code and transmits it to the user module 600, so that the user module 600 connects via the authorization verification server 500 to at least one of the service modules 210, 220, 230 and accesses it with that service access credential 521.
In this way, the authorization verification access system 100 uses the logic server 400 to integrate the user authorization data 310, 320, 330 corresponding to the service modules 210, 220, 230 into service authorization data 340 with a unified authorization setting, and then uses the authorization verification server 500 to issue the parsed service access credential 521 to the user module 600, so that the authorization verification mechanisms of all service modules 210, 220, 230 are managed in a unified way while the verification process and information security of the user module 600 are protected. The present invention thus achieves cross-platform authorization and unified management without modifying the various authorization verification mechanisms in the service group 200.
In detail, the logic server 400 and the authorization verification server 500 may be separate server hosts or functional modules within a server host. Each service module 210, 220, 230 may be a proxy service or functional service module for a resource item in a resource server; the invention is not limited to this in practice. The user authorization data 310, 320, 330 stored in the logic database 300 may be, for each service module 210, 220, 230 respectively, the information about its users' level in the cloud system, basic data, declaration data, authorization period, service authorization method and identity verification tier; this information constitutes the authorization verification mechanism of each service module 210, 220, 230. The logic server 400 sets the user authorization data 310, 320, 330 stored in the logic database 300 to a unified service authorization method, producing the service authorization data 340.
In addition, the authorization verification access system 100 may further include a management group 700, signal-connected to the logic database 300 and including a plurality of management modules 710, 720, 730. The management modules 710, 720, 730 may be used to respectively set and update the user authorization data 310, 320, 330 stored in the logic database 300. For example, when users of the service module 210 are added or removed, or its authorization verification mechanism changes, the management module 710 immediately updates the user authorization data 310 in the logic database 300. The logic server 400 then re-integrates the updated user authorization data 310 with the user authorization data 320, 330 to update the service authorization data 340. In other words, the logic server 400 can dynamically unify the authorization verification mechanisms of the service modules 210, 220, 230 and store the most recently defined service authorization data 340 in the logic database 300, so that the authorization verification server 500 verifies the user module 600 issuing the service access request 610 against the latest definition.
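The integration step of the logic server 400 and the update path through the management modules 710, 720, 730 described above, as an added example that is not part of the patent: three constructed per-service records in mutually incompatible formats are normalized by one adapter per service into a single versioned structure standing in for the service authorization data 340, and replacing one service's data through its management module triggers a re-integration. The schemas, the role-to-level table, the epoch timestamp and every record are assumptions made for this example; the patent does not specify any of them.

```python
# Added example, not code from the patent: a logic server (400) that integrates
# per-service user authorization data (310, 320, 330), each in its own schema,
# into unified service authorization data (340), and re-integrates when a
# management module (710) changes one service's records. Every record, field
# name and the role-to-level table below is constructed for this example.
from dataclasses import dataclass
from datetime import date, datetime, timezone

ROLE_LEVEL = {"viewer": 1, "editor": 2, "admin": 3}  # constructed ordering for 210

# Constructed per-service records: three services, three incompatible schemas.
SERVICE_210 = {"users": [
    {"uid": "alice", "role": "admin", "expires": "2026-12-31", "auth": "oauth2", "tier": 2},
    {"uid": "bob", "role": "viewer", "expires": "2025-06-30", "auth": "oauth2", "tier": 1},
]}
SERVICE_220 = {"accounts": [
    {"user": "alice", "level": 3, "valid_until": 1798675200,  # epoch seconds, 2026-12-31 UTC
     "method": "apikey", "claims": {"dept": "sec"}},
]}
SERVICE_230 = {"rows": ["carol;1;2025-01-01;saml;0"]}  # uid;level;expires;method;tier

@dataclass(frozen=True)
class UnifiedGrant:
    """One row of the unified service authorization data (340)."""
    service: str        # service module the grant belongs to
    user_id: str
    level: int          # unified level; higher means more privilege
    expires: date       # end of the authorization period
    auth_method: str    # the service's own authorization method, preserved
    identity_tier: int  # identity verification tier
    claims: tuple       # declaration data as sorted (key, value) pairs

# One adapter per service. Adding a service means adding an adapter here; the
# service's own authorization mechanism is left untouched.
def adapt_210(raw):
    for u in raw["users"]:
        yield UnifiedGrant("210", u["uid"], ROLE_LEVEL[u["role"]],
                           date.fromisoformat(u["expires"]), u["auth"], u["tier"], ())

def adapt_220(raw):
    for a in raw["accounts"]:
        exp = datetime.fromtimestamp(a["valid_until"], tz=timezone.utc).date()
        yield UnifiedGrant("220", a["user"], a["level"], exp, a["method"], 1,
                           tuple(sorted(a.get("claims", {}).items())))

def adapt_230(raw):
    for row in raw["rows"]:
        uid, level, exp, method, tier = row.split(";")
        yield UnifiedGrant("230", uid, int(level), date.fromisoformat(exp), method, int(tier), ())

ADAPTERS = {"210": adapt_210, "220": adapt_220, "230": adapt_230}

class LogicDatabase:
    """Holds the raw per-service data and the current unified data (340)."""
    def __init__(self, raw_by_service):
        self.raw = dict(raw_by_service)
        self.unified = {"version": 0, "grants": []}

class LogicServer:
    """Runs every service's adapter and writes a new version of 340 back."""
    def __init__(self, db):
        self.db = db

    def integrate(self):
        grants = []
        for sid, raw in self.db.raw.items():
            grants.extend(ADAPTERS[sid](raw))
        grants.sort(key=lambda g: (g.user_id, g.service))
        self.db.unified = {"version": self.db.unified["version"] + 1, "grants": grants}
        return self.db.unified

class ManagementModule:
    """Management module for one service: replaces that service's raw data
    in the logic database and triggers an immediate re-integration."""
    def __init__(self, db, logic_server, service_id):
        self.db, self.logic, self.sid = db, logic_server, service_id

    def update(self, new_raw):
        self.db.raw[self.sid] = new_raw
        return self.logic.integrate()

def services_for(unified, user_id, today_iso):
    """Service modules the user is authorized for on the given day, per 340."""
    today = date.fromisoformat(today_iso)
    return sorted(g.service for g in unified["grants"]
                  if g.user_id == user_id and g.expires >= today)

def build_demo():
    """Integrate the constructed data, then remove bob from service 210 through
    its management module and re-integrate. Returns (first 340, second 340)."""
    db = LogicDatabase({"210": SERVICE_210, "220": SERVICE_220, "230": SERVICE_230})
    logic = LogicServer(db)
    first = logic.integrate()
    second = ManagementModule(db, logic, "210").update({"users": SERVICE_210["users"][:1]})
    return first, second
```

Calling `build_demo()` returns two versions of the unified data; `services_for` answers the question the authorization verification server later needs ("which modules may this user reach today?") from that data alone, and the expiry check shows why the authorization period has to be carried into the unified record rather than left in each service's native format.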
The authorization verification server 500 may include a data receiving module 510, an authorization verification parsing module 520 and an authorization verification database 530. The data receiving module 510 receives the service authorization data 340 from the logic database 300. The authorization verification parsing module 520 is signal-connected to the data receiving module 510, performs key parsing on the service authorization data 340 and verifies its validity, and generates multiple service access credentials 521 corresponding to different users. The authorization verification database 530 is signal-connected to the authorization verification parsing module 520 and stores the parsed service access credentials 521, so that when the user module 600 issues a service access request 610 the authorization verification parsing module 520 can immediately issue the user module's dedicated service access credential 521 from the authorization verification database 530.
For example, when the user module 600 wants to access and connect to two service modules 210, 220 with which it has an authorization relationship, it sends a service access request 610 to the authorization verification server 500, where the data receiving module 510 receives it. The authorization verification parsing module 520 verifies the service modules 210, 220 according to the service access request 610 and obtains two service access tokens corresponding to them, and uses the two tokens to confirm whether an authorization relationship exists between the user module 600 and the service modules 210, 220. If there is no authorization relationship, the authorization verification parsing module 520 returns a verification failure message to the user module 600. If there is, the authorization verification parsing module 520 executes a hash algorithm on the service access request 610 to generate the identity code of the user module 600, verifies that identity code, and according to it selects the service access credential 521 dedicated to the user module 600 and transmits it to the user module 600.
In detail, the service access credential 521 dedicated to the user module 600 may include an identity information authentication code of the user module 600 and an access key for the usage permissions it holds. The identity information authentication code allows the authorization verification parsing module 520 to verify and recognize the identity code of the user module 600; in other embodiments the authorization verification parsing module 520 may also authenticate the user module 600 with, for example, a digital signature or another identity authentication technique. The access key may define the user authentication and authorization service scope within which the user module 600 accesses the service modules 210, 220 over the Internet, and may include an encrypted message by which the service modules 210, 220 recognize the holder's token. The service modules 210, 220 can therefore verify from the encrypted message whether the user module 600 holds the usage permission corresponding to each of them, and when it does, each service module 210, 220 allows the user module 600 to access it.
In this way, the authorization verification access system 100 not only achieves differentiated authorization verification across multiple services and user groups but also uses the service access credentials 521 pre-stored in the authorization verification database 530 to give users fast access to services.
Referring to FIG. 2, a block diagram of an authorization verification access system 100a according to the second embodiment of the present invention, the authorization verification access system 100a includes the service group 200, logic database 300, logic server 400, authorization verification server 500, user module 600 and management group 700 of FIG. 1.
Unlike the first embodiment, the authorization verification access system 100a of FIG. 2 may further include an application programming interface 800. The application programming interface 800 is signal-connected between the authorization verification server 500 and the user module 600, and is account-linked with the authorization verification server 500. When the user module 600 wants to access and connect to two service modules 210, 220 with which it has an authorization relationship, it logs into the application programming interface 800, which performs third-party account verification of the user module 600.
Once the account of the user module 600 is verified, the user module 600 can transmit through the application programming interface 800 a service access request 610 corresponding to the two service modules 210, 220 to the authorization verification server 500. The authorization verification server 500 verifies the identity code of the user module 600 according to the service access request 610, then selects the service access credential 521 dedicated to the user module 600 according to the identity code and transmits it to the application programming interface 800, so that the user module 600 connects to the two service modules 210, 220 via the application programming interface 800 and the authorization verification server 500 and accesses them with the service access credential 521. The authorization verification access system 100a thus uses the application programming interface 800 for third-party account verification and then relays the service access credential 521 issued by the authorization verification server 500 to the user module 600, achieving differentiated authorization verification across multiple services and user groups while reducing the cost for each service of joining the authorization verification server 500.
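The request handling of the authorization verification server 500 and the credential check performed by the service modules in the first embodiment (FIG. 1), together with the third-party account verification and account link of the application programming interface 800 in the second embodiment (FIG. 2), as one added example that is not part of the patent. A constructed service authorization data 340 is parsed into one credential 521 per user, keyed by a SHA-256 identity code; a request is refused when a requested service module is not attached (no service access token) or when the user has no authorization relationship with every requested module; otherwise only the requested parts of the access key are handed out, and each service module verifies the protected message before granting access. Assumptions, none of which the patent states: the identity code is a hash of the request's user identifier; the patent's "encrypted message" is modelled as an HMAC-tagged JSON message under a per-service key shared with the authorization verification server, because the Python standard library offers no authenticated encryption; the third-party identity provider is modelled as an HMAC assertion under a constructed key. All names, keys and records are constructed.

```python
# Added example, not code from the patent: authorization verification server 500
# parses unified data 340 into per-user service access credentials 521 and answers
# a service access request 610; a service module checks the access key; the
# application interface 800 of the second embodiment does third-party login and
# account link. Data, keys and field names are constructed; the "encrypted
# message" is modelled as an HMAC-protected message (assumption, no AEAD in stdlib).
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass

SERVICE_AUTHORIZATION_DATA = {"version": 1, "grants": [  # constructed 340
    {"user_id": "alice", "service": "210", "permission": "read"},
    {"user_id": "alice", "service": "220", "permission": "write"},
    {"user_id": "bob", "service": "210", "permission": "read"},
]}
SERVICE_KEYS = {"210": b"key-210-demo", "220": b"key-220-demo", "230": b"key-230-demo"}
IDP_KEY = b"idp-key-demo"  # constructed key of the third-party identity provider
PERM_RANK = {"read": 1, "write": 2}

def identity_code(user_id):
    # Identity code = hash over the request's identity field (assumption: user_id).
    return hashlib.sha256(b"uid:" + user_id.encode()).hexdigest()

@dataclass(frozen=True)
class ServiceAccessCredential:
    identity_auth_code: str  # lets server 500 match the holder's identity code
    access_key: dict         # service id -> {"msg", "tag"} for that service module

class AuthorizationVerificationServer:
    def __init__(self, data, service_keys):
        self.keys = service_keys
        self.attached = set(service_keys)    # service modules connected to 500
        self.credentials = self.parse(data)  # authorization verification database 530

    def parse(self, data):
        """Parse 340 once into one credential per user, keyed by identity code."""
        by_user = {}
        for g in data["grants"]:
            by_user.setdefault(g["user_id"], {})[g["service"]] = g["permission"]
        creds = {}
        for user, perms in by_user.items():
            key = {}
            for sid, perm in perms.items():
                msg = json.dumps({"sub": user, "svc": sid, "perm": perm}, sort_keys=True)
                tag = hmac.new(self.keys[sid], msg.encode(), hashlib.sha256).hexdigest()
                key[sid] = {"msg": msg, "tag": tag}
            code = identity_code(user)
            creds[code] = ServiceAccessCredential(code, key)
        return creds

    def service_access_tokens(self, services):
        """Verify the requested service modules: one token per attached module."""
        return {sid: secrets.token_hex(8) for sid in services if sid in self.attached}

    def handle(self, request):
        services = request["services"]
        if len(self.service_access_tokens(services)) != len(services):
            return {"ok": False, "reason": "unknown service module"}
        code = identity_code(request["user_id"])
        cred = self.credentials.get(code)
        if cred is None or any(s not in cred.access_key for s in services):
            return {"ok": False, "reason": "no authorization relationship"}
        selected = {s: cred.access_key[s] for s in services}  # only what was asked for
        return {"ok": True, "credential": ServiceAccessCredential(code, selected)}

class ServiceModule:
    def __init__(self, sid, key):
        self.sid, self.key = sid, key

    def access(self, credential, needed):
        """Check the tag, then that the message grants at least `needed` here."""
        item = credential.access_key.get(self.sid)
        if item is None:
            return False
        tag = hmac.new(self.key, item["msg"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, item["tag"]):
            return False
        claim = json.loads(item["msg"])
        return claim["svc"] == self.sid and PERM_RANK[claim["perm"]] >= PERM_RANK[needed]

def issue_assertion(account):
    """Third-party identity provider side: assertion that `account` logged in."""
    return hmac.new(IDP_KEY, account.encode(), hashlib.sha256).hexdigest()

class ApplicationInterface:
    """API 800: verifies the third-party assertion, maps the account to the linked
    server-side user (account link) and forwards the service access request."""
    def __init__(self, server, account_links):
        self.server, self.links, self.sessions = server, account_links, {}

    def login(self, account, assertion):
        if not hmac.compare_digest(issue_assertion(account), assertion):
            return None
        session = secrets.token_hex(16)
        self.sessions[session] = account
        return session

    def request(self, session, services):
        account = self.sessions.get(session)
        if account is None or account not in self.links:
            return {"ok": False, "reason": "not logged in or not linked"}
        return self.server.handle({"user_id": self.links[account], "services": services})
```

Two design points worth noticing. The server never forwards a whole credential: a request for modules 210 and 220 receives the access key entries for those two only, so a credential leaked from one client reveals no more than that client asked for. And a service module trusts nothing in the credential until the tag verifies under its own key, so a message issued for module 220 presented to module 210 fails before its permission is even read; `hmac.compare_digest` keeps that comparison constant-time.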
綜上所述,本發明具有下列優點:其一,能整合多種服務的授權驗證機制,且供使用者快速存取服務。其二,可以提供使用者跨平台存取服務,且在不改變各服務的授權驗證機制的情況下提供單一登入整合方案,進而降低服務整合至授權驗證伺服器的門檻。其三,透過授權驗證伺服器統一管理授權能提高資訊安全,無論是有高度安全需求的機敏資料存取或是服務使用身分的授權,在授權驗證存取系統的管理下可以讓第三方在安全無虞的狀況下進行授權,且不受限於不同服務間的授權差異。In summary, the present invention has the following advantages: First, it can integrate the authorization and verification mechanisms of multiple services and provide users with quick access to services. Second, it can provide users with cross-platform access to services and provide a single sign-on integration solution without changing the authorization and verification mechanisms of each service, thereby lowering the threshold for integrating services into the authorization and verification server. Third, unified management of authorization through the authorization and verification server can improve information security. Whether it is the access to sensitive data with high security requirements or the authorization of service user identities, under the management of the authorization and verification access system, third parties can perform authorization in a safe and secure manner without being restricted by the differences in authorization between different services.
Although the present invention has been disclosed above by way of embodiments, they are not intended to limit it. Anyone skilled in the art may make various changes and modifications without departing from the spirit and scope of the present invention; the scope of protection shall therefore be determined by the appended claims.
Reference numerals:
- 100, 100a: authorization verification access system
- 200: service group
- 210, 220, 230: service module
- 300: logical database
- 310, 320, 330: user authorization data
- 340: service authorization data
- 400: logical server
- 500: authorization verification server
- 510: data receiving module
- 520: authorization verification parsing module
- 521: service access certificate
- 530: authorization verification database
- 600: user module
- 610: service access request
- 700: management group
- 710, 720, 730: management module
- 800: application programming interface
To make the above and other objects, features, advantages and embodiments of the present invention easier to understand, the accompanying drawings are described as follows: Figure 1 is a block diagram of an authorization verification access system according to the first embodiment of the present invention; and Figure 2 is a block diagram of an authorization verification access system according to the second embodiment of the present invention.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| TW112118185A TW202447457A (en) | 2023-05-16 | 2023-05-16 | Authorization verification access system |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| TW202447457A true TW202447457A (en) | 2024-12-01 |
Family
ID=94735527
Country Status (1)
| Country | Link |
|---|---|
| TW (1) | TW202447457A (en) |