
WO2024234192A1 - Authorization revocation method and apparatus - Google Patents


Info

Publication number
WO2024234192A1
Authority
WO
WIPO (PCT)
Prior art keywords
authorization
entity
revocation request
request
authorization revocation
Prior art date
Application number
PCT/CN2023/094069
Other languages
French (fr)
Chinese (zh)
Inventor
梁浩然
陆伟
Original Assignee
北京小米移动软件有限公司 (Beijing Xiaomi Mobile Software Co., Ltd.)
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 北京小米移动软件有限公司 (Beijing Xiaomi Mobile Software Co., Ltd.)
Priority to PCT/CN2023/094069
Priority to CN202380009391.0A (CN117044259A)
Publication of WO2024234192A1


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/40 Network security protocols
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06 Authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/08 Access security
    • H04W 12/082 Access security using revocation of authorisation

Definitions

  • the present application relates to the field of communication technology, and in particular to an authorization revocation method and device thereof.
  • CAPIF common API framework
  • SNA subscriber-aware northbound API access
  • CCF CAPIF core function
  • the CCF needs to store all security and authorization information related to the API invoker and the resource owner. Because the CCF has no way to clear this information, it accumulates and occupies a large amount of memory, which burdens the CCF and degrades the performance of the common API framework.
  • the embodiments of the present application provide an authorization revocation method and device, applicable in the communication field, to solve the problem that the CCF cannot clear a large amount of security and authorization information, thereby reducing the burden on the CCF and improving the performance of the common API framework.
  • an embodiment of the present application provides a method for revoking authorization, the method comprising:
  • a first authorization revocation request is sent to a first entity in a common application programming interface CAPIF framework, wherein the first authorization revocation request is used to indicate a refresh token related to a resource owner.
  • the second entity sends the first entity an authorization revocation request that indicates the refresh token, so that the authorization is revoked and the security and authorization information stored in the CCF for that token can be deleted, reducing the burden on the CCF, improving the performance of the CAPIF framework, and thereby improving the speed and efficiency of processing data.
  • an embodiment of the present application provides another authorization revocation method, the method comprising:
  • a first authorization revocation request or a third authorization revocation request is received, wherein the first authorization revocation request or the third authorization revocation request is used to indicate a refresh token associated with a resource owner; and a revocation operation is performed on the refresh token based on the first authorization revocation request or the third authorization revocation request.
  • an embodiment of the present application provides another authorization revocation method, the method comprising:
  • an embodiment of the present application provides a communication device, which has the function of implementing some or all of the functions of the second entity in the method described in the first aspect above.
  • the functions of the communication device may have the functions of some or all of the embodiments in the present application, or may have the functions of implementing any one of the embodiments in the present application separately.
  • the functions may be implemented by hardware, or may be implemented by hardware executing corresponding software.
  • the hardware or software includes one or more units or modules corresponding to the above functions.
  • the structure of the communication device may include a transceiver module and a processing module, and the processing module is configured to support the communication device to perform the corresponding functions in the above method.
  • the transceiver module is used to support communication between the communication device and other devices.
  • the communication device may also include a storage module, which is used to couple with the transceiver module and the processing module, and store the computer programs and data necessary for the communication device.
  • the processing module may be a processor
  • the transceiver module may be a transceiver or a communication interface
  • the storage module may be a memory
  • an embodiment of the present application provides another communication device, which has some or all of the functions of the first entity in the CAPIF framework in the method example described in the second aspect above.
  • the functions of the communication device may have the functions of some or all of the embodiments in the present application, or may have the functions of implementing any one of the embodiments in the present application separately.
  • the functions may be implemented by hardware, or by hardware executing corresponding software.
  • the hardware or software includes one or more units or modules corresponding to the above functions.
  • the structure of the communication device may include a transceiver module and a processing module, and the processing module is configured to support the communication device to perform the corresponding functions in the above method.
  • the transceiver module is used to support communication between the communication device and other devices.
  • the communication device may also include a storage module, which is used to couple with the transceiver module and the processing module, and store the computer programs and data necessary for the communication device.
  • the processing module may be a processor
  • the transceiver module may be a transceiver or a communication interface
  • the storage module may be a memory
  • an embodiment of the present application provides another communication device, which has some or all of the functions of the resource owner client or terminal device in the method example described in the third aspect above.
  • the functions of the communication device may have some or all of the functions in the embodiments of the present application, or may have the functions of implementing any one of the embodiments of the present application alone.
  • the functions may be implemented by hardware, or by hardware executing corresponding software.
  • the hardware or software includes one or more units or modules corresponding to the above functions.
  • the structure of the communication device may include a transceiver module and a processing module, and the processing module is configured to support the communication device to perform the corresponding functions in the above method.
  • the transceiver module is used to support communication between the communication device and other devices.
  • the communication device may also include a storage module, which is used to couple with the transceiver module and the processing module, and store the computer programs and data necessary for the communication device.
  • the processing module may be a processor
  • the transceiver module may be a transceiver or a communication interface
  • the storage module may be a memory
  • an embodiment of the present application provides a communication device, which includes a processor.
  • the processor calls a computer program in a memory, the method described in the first aspect is executed.
  • an embodiment of the present application provides a communication device, which includes a processor.
  • the processor calls a computer program in a memory, the method described in the second aspect is executed.
  • an embodiment of the present application provides a communication device, which includes a processor.
  • the processor calls a computer program in a memory, the method described in the third aspect is executed.
  • an embodiment of the present application provides a communication device, which includes a processor and a memory, in which a computer program is stored; the processor executes the computer program stored in the memory so that the communication device executes the method described in the second aspect above.
  • an embodiment of the present application provides a communication device, which includes a processor and a memory, in which a computer program is stored; the processor executes the computer program stored in the memory so that the communication device executes the method described in the third aspect above.
  • an embodiment of the present application provides a communication device, which includes a processor and an interface circuit, wherein the interface circuit is used to receive code instructions and transmit them to the processor, and the processor is used to run the code instructions to enable the device to execute the method described in the second aspect above.
  • an embodiment of the present application provides a communication device, which includes a processor and an interface circuit, wherein the interface circuit is used to receive code instructions and transmit them to the processor, and the processor is used to run the code instructions to enable the device to execute the method described in the third aspect above.
  • an embodiment of the present application provides an authorization revocation system, the system comprising the communication device described in the fourth aspect, the communication device described in the fifth aspect, and the communication device described in the sixth aspect, or the system comprising the communication device described in the seventh aspect, the communication device described in the eighth aspect, and the communication device described in the ninth aspect, or the system comprising the communication device described in the tenth aspect, the communication device described in the eleventh aspect, and the communication device described in the twelfth aspect, or the system comprising the communication device described in the thirteenth aspect, the communication device described in the fourteenth aspect, and the communication device described in the fifteenth aspect.
  • an embodiment of the present invention provides a readable storage medium for storing instructions used by a first entity in the above-mentioned CAPIF framework.
  • the first entity in the CAPIF framework executes the method described in the above-mentioned second aspect.
  • an embodiment of the present invention provides a readable storage medium for storing instructions used by the above-mentioned resource owner client or terminal device.
  • the resource owner client or terminal device executes the method described in the above-mentioned third aspect.
  • the present application also provides a computer program product comprising a computer program, which, when executed on a computer, enables the computer to execute the method described in the first aspect above.
  • the present application also provides a computer program product comprising a computer program, which, when executed on a computer, enables the computer to execute the method described in the third aspect above.
  • the present application provides a chip system, which includes at least one processor and an interface, for supporting the second entity to implement the functions involved in the first aspect, for example, determining or processing at least one of the data and information involved in the above method.
  • the chip system also includes a memory, which is used to store computer programs and data necessary for the second entity.
  • the chip system can be composed of chips, or it can include chips and other discrete devices.
  • the present application provides a chip system, which includes at least one processor and an interface, for supporting the first entity in the CAPIF framework to implement the functions involved in the second aspect, for example, determining or processing at least one of the data and information involved in the above method.
  • the chip system also includes a memory, which is used to store the necessary computer programs and data for the first entity in the CAPIF framework.
  • the chip system can be composed of chips, or it can include chips and other discrete devices.
  • the present application provides a chip system, which includes at least one processor and an interface, and is used to support the resource owner client or terminal device to implement the functions involved in the third aspect, for example, determining or processing at least one of the data and information involved in the above method.
  • the chip system also includes a memory, which is used to store computer programs and data necessary for the resource owner client or terminal device.
  • the chip system can be composed of a chip, or it can include a chip and other discrete devices.
  • the present application provides a computer program which, when executed on a computer, enables the computer to execute the method described in the first aspect above.
  • the present application provides a computer program which, when executed on a computer, enables the computer to execute the method described in the third aspect above.
  • FIG1 is a schematic diagram of the architecture of a communication system provided in an embodiment of the present application.
  • FIG2 is a flow chart of an authorization revocation method provided in an embodiment of the present application.
  • FIG5 is a flow chart of another authorization revocation method provided in an embodiment of the present application.
  • FIG6 is a flow chart of another authorization revocation method provided in an embodiment of the present application.
  • FIG7 is a flow chart of another authorization revocation method provided in an embodiment of the present application.
  • FIG8 is a flow chart of another authorization revocation method provided in an embodiment of the present application.
  • FIG9 is a flow chart of another authorization revocation method provided in an embodiment of the present application.
  • FIG10 is a flow chart of another authorization revocation method provided in an embodiment of the present application.
  • FIG11 is a flow chart of another authorization revocation method provided in an embodiment of the present application.
  • FIG12 is an interactive schematic diagram of an authorization revocation method provided in an embodiment of the present application.
  • FIG13 is an interactive schematic diagram of another authorization revocation method provided in an embodiment of the present application.
  • FIG14 is a schematic diagram of the structure of a communication device provided in an embodiment of the present application.
  • FIG15 is a schematic diagram of the structure of another communication device provided in an embodiment of the present application.
  • FIG16 is a schematic diagram of the structure of a chip provided in an embodiment of the present application.
  • FIG17 is a communication system for authorization revocation provided in an embodiment of the present application.
  • first, second, third, etc. may be used to describe various information in the embodiments of the present disclosure, these information should not be limited to these terms. These terms are only used to distinguish the same type of information from each other.
  • first information may also be referred to as the second information, and similarly, the second information may also be referred to as the first information.
  • the word “if” as used herein may be interpreted as “at the time of”, “when” or “in response to determining”. For brevity and ease of understanding, the terms used herein to characterize a size relationship are “greater than” or “less than”, “higher than” or “lower than”.
  • Figure 1 is a schematic diagram of the architecture of a communication system provided in an embodiment of the present application.
  • the communication system may include, but is not limited to, a network device and a terminal device.
  • the number and form of devices shown in Figure 1 are only used for example and do not constitute a limitation on the embodiment of the present application. In actual applications, two or more network devices and two or more terminal devices may be included.
  • the communication system shown in Figure 1 includes a network device 101 and a terminal device 102 as an example.
  • the technical solutions of the embodiments of the present application can be applied to various communication systems, for example a third generation (3G) universal mobile telecommunications system (UMTS), a long term evolution (LTE) system, a fifth generation (5G) mobile communication system, a 5G new radio (NR) system, a sixth generation (6G) mobile communication system, or other new mobile communication systems in the future.
  • the network device 101 in the embodiment of the present application is an entity on the network side for transmitting or receiving signals.
  • the network device 101 may be an evolved NodeB (eNB), a transmission point (TRP), a next generation NodeB (gNB) in an NR system, a base station in other future mobile communication systems, or an access node in a wireless fidelity (WiFi) system.
  • the embodiment of the present application does not limit the specific technology and specific device form adopted by the network device.
  • the network device provided in the embodiment of the present application may be composed of a central unit (CU) and a distributed unit (DU), wherein the CU may also be referred to as a control unit.
  • the CU-DU structure may be used to split the protocol layer of the network device, such as a base station, and the functions of some protocol layers are placed in the CU for centralized control, and the functions of the remaining part or all of the protocol layers are distributed in the DU, and the DU is centrally controlled by the CU.
  • the terminal device 102 in the embodiment of the present application is an entity for receiving or transmitting signals on the user side, such as a mobile phone.
  • the terminal device may also be referred to as a terminal, a user equipment (UE), a mobile station (MS), a mobile terminal (MT), etc.
  • the terminal device may be a car with communication function, a smart car, a mobile phone (mobile phone), a wearable device, a tablet computer (Pad), a computer with wireless transceiver function, a virtual reality (VR) terminal device, an augmented reality (AR) terminal device, a wireless terminal device in industrial control (industrial control), a wireless terminal device in self-driving, a wireless terminal device in remote medical surgery, a wireless terminal device in smart grid (smart grid), a wireless terminal device in transportation safety (transportation safety), a wireless terminal device in a smart city (smart city), a wireless terminal device in a smart home (smart home), etc.
  • the embodiments of the present application do not limit the specific technology and specific device form adopted by the terminal device.
  • the communication system described in the embodiment of the present application is for more clearly illustrating the technical solution of the embodiment of the present application, and does not constitute a limitation on the technical solution provided in the embodiment of the present application.
  • those of ordinary skill in the art will appreciate that, as the system architecture evolves and new service scenarios emerge, the technical solution provided in the embodiments of the present application is also applicable to similar technical problems.
  • authorization revocation method provided in any embodiment of the present application can be executed alone, or in combination with possible implementation methods in other embodiments, or in combination with any technical solution in the relevant technology.
  • Figure 2 is a flow chart of a method for revoking authorization provided in an embodiment of the present application.
  • the method for revoking authorization may be performed by a second entity. As shown in Figure 2, the method may include but is not limited to the following steps:
  • S201 Send a first authorization revocation request to a first entity in a CAPIF framework, where the first authorization revocation request is used to indicate a refresh token related to a resource owner.
  • the second entity may be an API caller, and optionally, the API caller may be an application function or a client running on a terminal.
  • the first entity in the CAPIF framework may include a CAPIF core function (CCF) or an authorization function (Authorization).
  • the first entity is one of the CCF network element and the authorization function.
  • under certain conditions the CCF network element and the authorization function may be integrated, that is, the CCF network element can also assume the responsibility of the authorization function.
  • the API caller can obtain a refresh token associated with the resource owner from the CCF or authorization function in CAPIF. In some implementations, the API caller can perform authorization interaction with the CCF or authorization function based on a network protocol to obtain a refresh token associated with the resource owner.
  • the refresh token associated with the resource owner is a refresh token that includes identification information of the resource owner.
  • the resource owner identifier can be a generic public subscription identifier (GPSI).
  • a refresh token associated with a resource owner can be used to generate an access token for a resource, so that an API caller can access the corresponding resource based on the access token.
  • the API caller may send a first authorization revocation request to the first entity, wherein the first authorization revocation request is used to indicate a refresh token associated with the resource owner.
  • the refresh token includes the resource owner identifier.
  • the first authorization revocation request may explicitly indicate a refresh token associated with the resource owner.
  • the API caller may directly send the refresh token associated with the resource owner to the first entity by carrying it in the first authorization revocation request.
  • the first authorization revocation request may implicitly indicate a refresh token associated with the resource owner.
  • the first authorization revocation request sent by the API caller may carry parameter information about the refresh token, and the first entity identifies the refresh token from that parameter information.
  • the first authorization revocation request includes at least one of the following information: a resource identifier of the authorized resource; an operation identifier of a semantic operation executable on the authorized resource; identification information of the second entity; and identification information of the resource owner.
  • the first authorization revocation request may include identification information of the resource owner.
  • the first entity may determine the refresh token that needs to be revoked based on the identification information of the resource owner in the first revocation request, and revoke the refresh token.
  • the resource owner is an end user or a subscriber associated with an end user or a human being.
  • the API caller (API invoker) can send an access token application request to the first entity. Accordingly, after receiving the access token application request, the first entity can generate an access token based on the refresh token. The API caller can receive the access token sent by the first entity and send the access token to the resource owner. Further, the API caller can access the corresponding resource based on the access token.
  • the API caller can send a refresh token and/or a token type of the refresh token to the first entity via the first authorization revocation request.
  • the API caller sends an authorization revocation request indicating a refresh token to the first entity to achieve the purpose of revoking authorization, thereby deleting a large amount of security and authorization information stored in the CCF, reducing the burden on the CCF, improving the performance of the CAPIF framework, and thereby improving the speed and efficiency of processing data.
  • Figure 3 is a flowchart of a method for revoking authorization provided by an embodiment of the present application.
  • the method may be performed by the second entity.
  • the method may include but is not limited to the following steps:
  • the second entity may be an API caller, and optionally, the API caller may be an application function or a client running on a terminal.
  • step S301 can be implemented by any method in the embodiments of the present application, which is not limited here and will not be repeated.
  • after receiving the first authorization revocation request, the first entity can perform a revocation operation on the refresh token indicated by the first authorization revocation request. After completing the revocation operation, the first entity can generate a revocation response message corresponding to the first authorization revocation request and return it to the API caller. The API caller can determine from the revocation response message whether the refresh token was successfully revoked; if it was not, the API caller can send the refresh token again to revoke the authorization.
  • the authorization revocation method may further include the following steps:
  • S303 Send a revocation response message to the terminal device or the resource owner client or the resource owner.
  • the API caller after receiving the revocation response message corresponding to the first authorization revocation request sent by the first entity, the API caller should also send a revocation response message to the terminal device or the resource owner client or the resource owner.
  • the terminal device or the resource owner client or the resource owner can determine whether the refresh token is successfully revoked based on the revocation response message. If it is not successfully revoked, the refresh token can be revoked again.
  • the API caller sends an authorization revocation request indicating a refresh token to the first entity.
  • the API caller also needs to accept the revocation response message sent by the first entity and send a revocation response message to the terminal device or resource owner client or resource owner to achieve the purpose of revoking authorization. This deletes a large amount of security and authorization information stored in the CCF, reduces the burden on the CCF, improves the performance of the CAPIF framework, and improves the speed and efficiency of processing data.
  • the API caller and the terminal device or resource owner client or resource owner receive the revocation response message sent by the first entity, and can promptly understand whether the revocation of authorization is successful, and then terminate the authorization in a timely manner.
  • Figure 4 is a flow chart of a method for revoking authorization provided in an embodiment of the present application.
  • the method for revoking authorization may be performed by a second entity. As shown in Figure 4, the method may include but is not limited to the following steps:
  • S401 Receive a second authorization revocation request.
  • the second entity may be an API caller, and optionally, the API caller may be an application function or a client running on a terminal.
  • the API caller in order to obtain a refresh token associated with a resource owner, can perform authorization interaction with the first entity through a network protocol to obtain a refresh token associated with the resource owner. Furthermore, the API caller can obtain an access token from the first entity based on the refresh token, so that the API caller can access the corresponding resource through the access token.
  • the API caller may receive a second authorization revocation request sent by the terminal device.
  • the API caller can receive a second authorization revocation request sent by a resource owner client running on a terminal device.
  • the resource owner can send the second authorization revocation request to the API caller (API invoker) by controlling the terminal or the resource owner client.
  • the resource owner interacts with the server through the client on the terminal device.
  • the resource owner client is a browser
  • the API caller is the server accessed by the browser
  • the resource owner interacts with the server through the browser.
  • the API caller may receive a second authorization revocation request sent by the end device or a resource owner client running on the end device or the resource owner.
  • the second authorization revocation request includes at least one of the following information: a resource identifier of the authorized resource; an operation identifier of a semantic operation executable on the authorized resource; identification information of the second entity; and identification information of the resource owner.
  • the identification information of the resource owner may be GPSI.
  • S402 Generate a first authorization revocation request based on the second authorization revocation request, and send the first authorization revocation request to the first entity.
  • the first authorization revocation request is configured to indicate to the first entity a refresh token associated with the resource owner.
  • the API caller may receive the second authorization revocation request, and based on the second authorization revocation request, determine a refresh token associated with the resource owner, and generate a first authorization revocation request based on the refresh token. After generating the first authorization revocation request, the API caller sends the first authorization revocation request to the first entity.
  • the second authorization revocation request may include identification information of the resource owner.
  • the API invoker may determine the refresh token that needs to be revoked based on the identification information of the resource owner in the second revocation request, and send the refresh token to the first entity through the first authorization revocation request, and the first entity revokes the refresh token.
  • the API caller receives a second authorization revocation request sent by a terminal device or a resource owner client or a resource owner running on the terminal device, and converts the resource identification information and semantic operation in the second authorization revocation request into information in the 3GPP field, thereby determining a refresh token based on the information in the 3GPP field, and sending the first authorization revocation request to the first entity based on the refresh token.
  • the information in the 3GPP domain can be a specific data type structure (specific data type), for example a monitoring event report (Monitoring Event Report), together with attribute information (attribute information) in that data structure type; the attribute information includes but is not limited to: API name (API name) and monitoring type (monitoringType).
  • the first authorization revocation request may be the same as the second authorization revocation request.
  • the first entity may convert the resource identification information and semantic operation in the first authorization revocation request into information in the 3GPP domain, thereby determining the refresh token based on the information in the 3GPP domain, and further performing a revocation operation on the refresh token.
  • the authorization revocation method may further include the following steps:
  • S403 Receive a revocation response message corresponding to the first authorization revocation request sent by the first entity.
  • S404 Send a revocation response message to the terminal device or the resource owner client or the resource owner.
  • the implementation method of steps S403 to S404 can be implemented by any method in the embodiments of the present application, which is not limited here and will not be repeated.
  • the API caller performs authorization interaction with the first entity to obtain a refresh token. Further, the API caller receives a second authorization revocation request sent by the resource owner's client or terminal, determines the refresh token according to the second authorization revocation request, generates a first authorization revocation request from it, and sends the first authorization revocation request to the first entity to achieve the purpose of revoking authorization. In this way, a large amount of security and authorization information stored in the CCF is deleted, the burden of the CCF is reduced, the performance of the CAPIF framework is improved, and the speed and efficiency of processing data are improved.
  • Figure 5 is a flow chart of a method for revoking authorization provided in an embodiment of the present application.
  • the method for revoking authorization may be performed by a second entity. As shown in Figure 5, the method may include but is not limited to the following steps:
  • S501 Receive a second authorization revocation request.
  • the second entity may be an API caller, and optionally, the API caller may be an application function or a client running on a terminal.
  • step S501 can be implemented by any method in the embodiments of the present application, which is not limited here and will not be repeated.
  • S502 Determine a refresh token based on the second authorization revocation request.
  • the API caller can determine the refresh token based on the second authorization revocation request including parameter information related to the refresh token.
  • the second authorization request includes a resource identifier and/or a semantic operation identifier, and the API caller can determine the refresh token based on the resource identifier and/or the semantic operation identifier.
  • the resource identifier and/or the operation identifier are converted to generate information in the 3GPP field, and the refresh token is determined based on the information in the 3GPP field.
  • the information in the 3GPP domain can be a specific data type structure (specific data type), for example a monitoring event report (Monitoring Event Report), together with attribute information (attribute information) in that data structure type; the attribute information includes but is not limited to: API name (API name) and monitoring type (monitoringType).
  • the second authorization revocation request may include identification information of the resource owner.
  • the API invoker may determine the refresh token that needs to be revoked based on the identification information of the resource owner in the second revocation request, and send the refresh token to the first entity through the first authorization revocation request, and the first entity revokes the refresh token.
  • S503 Send a first authorization revocation request to the first entity based on the refresh token.
  • the API caller may generate a first authorization revocation request based on a refresh token determined by the second authorization revocation request, and send the first authorization revocation request to the first entity.
  • the API caller may send the refresh token and/or the token type of the refresh token to the first entity.
  • the authorization revocation method may further include the following steps:
  • S504 Receive a revocation response message corresponding to the first authorization revocation request sent by the first entity.
  • S505 Send a revocation response message to the terminal device or the resource owner client or the resource owner.
  • steps S504 to S505 can be implemented by any method in the embodiments of the present application, which is not limited here and will not be repeated.
  • the API caller performs authorization interaction with the first entity to obtain a refresh token. Further, the API caller accepts the second authorization revocation request sent by the resource owner client or terminal, and determines the refresh token according to the second authorization revocation request, thereby generating a first authorization revocation request according to the refresh token, and sending the first authorization revocation request to the first entity to achieve the purpose of revoking authorization, thereby deleting a large amount of security and authorization information stored in the first entity, reducing the burden on CCF, improving the performance of the CAPIF framework, and improving the speed and efficiency of processing data.
  • Figure 6 is a flow chart of a method for revoking authorization provided by an embodiment of the present application.
  • the method for revoking authorization can be executed by the first entity in the CAPIF framework. As shown in Figure 6, the method can include but is not limited to the following steps:
  • S601 Receive a first authorization revocation request or a third authorization revocation request, wherein the first authorization revocation request or the third authorization revocation request is used to indicate a refresh token related to a resource owner.
  • S602 Perform a revocation operation on the refresh token based on the first authorization revocation request or the third authorization revocation request.
  • the first authorization revocation request or the third authorization revocation request is used to indicate the refresh token related to the resource owner.
  • the first entity needs to perform authorization interaction with the API caller through the network protocol and send the refresh token related to the resource owner to the API caller.
  • the first entity is either the CCF network element or the authorization function. Under certain conditions the CCF network element and the authorization function are integrated, that is, the CCF also assumes the responsibility of the authorization function.
  • a refresh token associated with a resource owner can be used to generate an access token for a resource, so that the resource owner can access the corresponding resource based on the access token.
  • the first entity may receive a first authorization revocation request sent by an API caller.
  • the first authorization revocation request may directly indicate a refresh token associated with the resource owner, or indirectly indicate a refresh token associated with the resource owner through parameter information.
  • the first entity may receive a third authorization revocation request sent by a terminal device or a resource owner client running on the terminal device or a resource owner.
  • the resource owner may send the third authorization revocation request to the first entity in the CAPIF framework by manipulating the terminal or the resource owner client.
  • the third authorization revocation request may directly include a refresh token related to the resource owner, or indirectly indicate the refresh token related to the resource owner through parameter information related to the refresh token.
  • the refresh token includes the resource owner identifier.
  • the first authorization revocation request or the third authorization revocation request may implicitly indicate a refresh token to the first entity.
  • the first authorization revocation request or the third authorization revocation request includes at least one of the following information: a resource identifier of the authorized resource; an operation identifier of a semantic operation executable on the authorized resource; identification information of the second entity; and identification information of the resource owner.
  • the first entity may determine a refresh token based on at least one information in the first authorization revocation request or the third authorization revocation request, and perform a revocation operation on the refresh token.
  • the first entity may determine the refresh token that needs to be revoked through the identification information of the resource owner in the first authorization revocation request or the third authorization revocation request, and perform a revocation operation on the refresh token.
  • the first entity may convert the resource owner's identification information and the operation identifier of the semantic operation in the first authorization revocation request or the third authorization revocation request into information in the 3GPP domain, and determine the refresh token based on the information in the 3GPP domain. Further, after determining the refresh token that needs to be revoked, the first entity may perform a revocation operation on that refresh token.
  • the 3GPP domain information may be a specific data type structure, for example, a Monitoring Event Report, and attribute information in this data structure type.
  • attribute information includes but is not limited to: API name (API name), monitoring type (monitoringType).
  • the content of the first authorization revocation request may be the same as the content of the third authorization revocation request.
  • both the first authorization revocation request and the third authorization revocation request include a refresh token to be revoked.
  • both the first authorization revocation request and the third authorization revocation request include parameter information related to the refresh token to be revoked.
  • the first entity can determine the refresh token based on at least one information in the received authorization revocation request, and revoke the refresh token.
  • the revocation operation may include but is not limited to: deleting the refresh token, deleting information related to the refresh token, deleting an access token associated with the refresh token, etc.
  • the refresh token related information may be information such as the identifier of the resource owner, the identifier of the authorized resource, etc.
  • the access token can be determined based on the refresh token, and the first entity receives the access token application request sent by the API caller and generates a corresponding access token based on the refresh token.
  • after the first entity performs a revocation operation on the refresh token according to the first authorization revocation request or the third authorization revocation request, if the first entity receives an access token application request sent by the API caller, the first entity stops generating access tokens based on that refresh token. The refresh token can then no longer be used to obtain a new access token, so the resource owner cannot obtain a new access token and thus cannot access the resource, which effectively stops the authorized access rights associated with the refresh token.
  • the first entity can receive a first authorization revocation request sent by an API caller, or a third authorization revocation request sent by a terminal device or a resource owner client running on the terminal device or a resource owner, and the first entity determines the refresh token according to the first authorization revocation request or the third authorization revocation request to perform a revocation operation on the refresh token to achieve the purpose of revoking authorization.
  • a large amount of security and authorization information stored in the CCF can be deleted, the burden of the CCF can be reduced, the performance of the CAPIF framework can be improved, and the speed and efficiency of processing data can be improved.
  • Figure 7 is a flow chart of a method for revoking authorization provided by an embodiment of the present application.
  • the method for revoking authorization can be executed by the first entity in the CAPIF framework. As shown in Figure 7, the method can include but is not limited to the following steps:
  • the first entity may receive a first authorization revocation request sent by the second entity.
  • the second entity may be an API caller (API invoker), and optionally, the API caller is an application function (application function) or a client (client) running on a terminal.
  • S702 Determine a refresh token based on the first authorization revocation request.
  • the first authorization revocation request may directly indicate or include a refresh token associated with the resource owner.
  • the refresh token includes resource owner identification information (eg, GPSI).
  • the first authorization revocation request may indirectly indicate the refresh token associated with the resource owner through parameter information associated with the refresh token.
  • the first authorization revocation request includes at least one of the following information: a resource identifier of the authorized resource; an operation identifier of the semantic operation that can be performed on the authorized resource; identification information of the second entity; and identification information of the resource owner.
  • the first entity may determine the refresh token based on the first authorization revocation request including the above information.
  • the specific process of determining the refresh token based on the first authorization revocation request including the above information can refer to the relevant records in the above embodiment, which will not be repeated here.
  • step S703 can be implemented by any method in the embodiments of the present application, which is not limited here and will not be repeated.
  • the authorization revocation method may further include the following steps:
  • S704 Send a revocation response message corresponding to the first authorization revocation request to the second entity.
  • the first entity receives a first authorization revocation request sent by an API caller, determines the refresh token, performs a revocation operation on the refresh token, and generates a corresponding revocation response message. After performing the revocation operation, the first entity should also send the corresponding revocation response message to the API caller.
  • the API caller can determine whether the refresh token is successfully revoked based on the revocation response message. If the revocation is not successful, the refresh token can be revoked again.
  • the first entity can receive a first authorization revocation request sent by an API caller, and perform a revocation operation on the refresh token according to the first authorization revocation request to achieve the purpose of revoking authorization.
  • a large amount of security and authorization information stored in the CCF can be deleted, reducing the burden on the CCF, improving the performance of the CAPIF framework, and thus improving the speed and efficiency of processing data.
  • the response message corresponding to the authorization revocation request is sent to the API caller, so that the API caller can promptly understand whether the authorization revocation is successful, and then promptly revoke the authorization again if it is unsuccessful, so as to achieve the purpose of revoking authorization.
  • Figure 8 is a flowchart of a method for revoking authorization provided by an embodiment of the present application.
  • the method for revoking authorization can be executed by the first entity in the CAPIF framework. As shown in Figure 8, the method can include but is not limited to the following steps:
  • the first entity may receive a third authorization revocation request sent by the terminal device or a resource owner client running on the terminal device or a resource owner.
  • S802 Determine a refresh token based on the third authorization revocation request.
  • the third authorization revocation request may directly indicate or include a refresh token associated with the resource owner.
  • the refresh token includes resource owner identification information (GPSI).
  • the third authorization revocation request may indirectly indicate the refresh token associated with the resource owner through parameter information related to the refresh token.
  • the third authorization revocation request includes at least one of the following information: a resource identifier of the authorized resource; an operation identifier of the semantic operation that can be performed on the authorized resource; identification information of the second entity; identification information of the resource owner.
  • the first entity may determine the refresh token based on the third authorization revocation request including the above information.
  • the specific process of determining the refresh token based on the third authorization revocation request including the above information can refer to the relevant records in the above embodiments, which will not be repeated here.
  • step S803 can be implemented by any method in the embodiments of the present application, which is not limited here and will not be repeated.
  • the authorization revocation method may further include the following steps:
  • the first entity determines the refresh token by receiving the third authorization revocation request sent by the terminal device or the resource owner client or the resource owner, and performs a revocation operation on the refresh token to generate a corresponding revocation response message. After the first entity performs the revocation operation, it should also send a corresponding revocation response message to the terminal device or the resource owner client or the resource owner. The terminal device or the resource owner client or the resource owner can determine whether the refresh token is successfully revoked based on the revocation response message. If it is not successfully revoked, the refresh token can be revoked again.
  • the first entity can receive a third authorization revocation request sent by a terminal device or a resource owner client or resource owner running on the terminal device.
  • the first entity performs a revocation operation on the refresh token related to the resource owner according to the third authorization revocation request, thereby deleting a large amount of security and authorization information stored in the CCF, reducing the burden on the CCF, improving the performance of the CAPIF framework, and thus improving the speed and efficiency of processing data.
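  • As an added illustration that is not part of the patent, the following Python simulation models the flows of Figures 5 to 8: the API invoker (second entity) resolves a second authorization revocation request to the refresh token(s) it holds and forwards a first authorization revocation request carrying the refresh token and its token type, while the CCF/authorization function (first entity) resolves a direct indication (the refresh token itself) or an indirect one (resource owner identifier, second entity identifier, resource identifier and semantic operation converted into 3GPP-domain attributes), deletes the refresh token together with its access tokens, answers with a revocation response, and refuses to mint further access tokens from the revoked refresh token. Class names, token formats, request field names and the RESOURCE_TO_3GPP mapping are assumptions made for this example.

```python
from dataclasses import dataclass, field
import secrets

# Assumed mapping (resource id, semantic operation) -> 3GPP-domain (API name, monitoringType).
RESOURCE_TO_3GPP = {
    ("location", "read"): ("3gpp-monitoring-event", "LOCATION_REPORTING"),
    ("reachability", "read"): ("3gpp-monitoring-event", "UE_REACHABILITY"),
}

@dataclass
class RefreshToken:
    value: str
    gpsi: str            # resource owner identifier
    invoker_id: str      # second entity identifier
    attrs: tuple         # (API name, monitoringType) derived from the authorized resource
    revoked: bool = False
    access_tokens: set = field(default_factory=set)

class AuthorizationFunction:
    """First entity (CCF / authorization function): issues and revokes tokens."""

    def __init__(self):
        self._refresh = {}   # refresh token value -> RefreshToken
        self._access = {}    # access token value -> refresh token value

    def issue_refresh_token(self, gpsi, invoker_id, resource_id, operation):
        attrs = RESOURCE_TO_3GPP[(resource_id, operation)]
        tok = RefreshToken(secrets.token_urlsafe(16), gpsi, invoker_id, attrs)
        self._refresh[tok.value] = tok
        return tok.value

    def issue_access_token(self, refresh_value):
        tok = self._refresh.get(refresh_value)
        if tok is None or tok.revoked:
            return None   # a revoked refresh token yields no new access token (S602 effect)
        access = secrets.token_urlsafe(16)
        tok.access_tokens.add(access)
        self._access[access] = refresh_value
        return access

    def validate_access_token(self, access):
        refresh_value = self._access.get(access)
        return refresh_value is not None and not self._refresh[refresh_value].revoked

    def _resolve(self, request):
        """Resolve a direct (refresh token) or indirect (parameter information) indication."""
        if "refresh_token" in request:
            tok = self._refresh.get(request["refresh_token"])
            return [tok] if tok and not tok.revoked else []
        matches = [t for t in self._refresh.values() if not t.revoked]
        if "gpsi" in request:
            matches = [t for t in matches if t.gpsi == request["gpsi"]]
        if "invoker_id" in request:
            matches = [t for t in matches if t.invoker_id == request["invoker_id"]]
        if "resource_id" in request:   # convert resource/operation into 3GPP-domain attributes
            wanted = {v for (r, op), v in RESOURCE_TO_3GPP.items()
                      if r == request["resource_id"] and op == request.get("operation", op)}
            matches = [t for t in matches if t.attrs in wanted]
        return matches

    def revoke(self, request):
        """Handle a first or third authorization revocation request (S601/S602)."""
        tokens = self._resolve(request)
        for tok in tokens:
            tok.revoked = True
            for access in tok.access_tokens:   # delete the associated access tokens too
                self._access.pop(access, None)
            tok.access_tokens.clear()
        return {"result": "success" if tokens else "failure", "revoked": len(tokens)}

class ApiInvoker:
    """Second entity (API invoker): holds refresh tokens obtained for resource owners."""

    def __init__(self, invoker_id, auth):
        self.invoker_id = invoker_id
        self.auth = auth
        self.refresh_tokens = {}   # (gpsi, resource_id, operation) -> refresh token value

    def authorize(self, gpsi, resource_id, operation):
        value = self.auth.issue_refresh_token(gpsi, self.invoker_id, resource_id, operation)
        self.refresh_tokens[(gpsi, resource_id, operation)] = value
        return value

    def handle_second_revocation_request(self, second_request):
        """S501-S505: map the owner's request to held refresh tokens and forward them."""
        keys = [k for k in self.refresh_tokens if k[0] == second_request["gpsi"]]
        if "resource_id" in second_request:
            keys = [k for k in keys if k[1] == second_request["resource_id"]
                    and k[2] == second_request.get("operation", k[2])]
        results = []
        for key in keys:
            first_request = {"refresh_token": self.refresh_tokens[key], "token_type": "refresh_token"}
            resp = self.auth.revoke(first_request)
            if resp["result"] == "success":
                del self.refresh_tokens[key]   # forget the revoked token locally
            results.append(resp["result"])
        ok = bool(results) and all(r == "success" for r in results)
        return {"result": "success" if ok else "failure", "tokens": len(results)}
```

The returned dictionaries play the role of the revocation response message: a "failure" result is what the API caller or resource owner client would use to decide to send the revocation again.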
  • FIG 9 is a flowchart of an authorization revocation method provided by an embodiment of the present application.
  • the authorization revocation method can be executed by a resource owner client or a terminal device. As shown in Figure 9, the method may include but is not limited to the following steps:
  • the second entity may be an API caller, and optionally, the API caller may be an application function or a client running on a terminal.
  • the first entity is one of a CCF network element or an authorization function.
  • the resource owner may send a second authorization revocation request to an API caller (API invoker) through a control terminal or a resource owner client, or send a third authorization revocation request to the first entity in the CAPIF framework.
  • the resource owner client or terminal device may send a second authorization revocation request to the API caller, wherein the second authorization revocation request is used to determine the first authorization revocation request sent to the first entity.
  • the resource owner client or terminal device may send a third authorization revocation request to the first entity in the CAPIF framework.
  • the first authorization revocation request or the second authorization revocation request or the third authorization revocation request is used to indicate a refresh token associated with the resource owner.
  • the first authorization revocation request or the second authorization revocation request or the third authorization revocation request may directly indicate a refresh token associated with the resource owner, or indirectly indicate a refresh token associated with the resource owner through parameter information associated with the refresh token.
  • the resource owner is a terminal user or a subscriber or a human being associated with the terminal.
  • the resource owner client runs on the terminal device, and the resource owner interacts with the server through the client on the terminal device.
  • the resource owner client is a browser
  • the API caller is the server accessed by the browser
  • the resource owner interacts with the server through the browser.
  • the second authorization revocation request or the third authorization revocation request includes at least one of the following information: a resource identifier of an authorized resource; an operation identifier of a semantic operation executable on the authorized resource; identification information of the second entity; and identification information of the resource owner.
  • the first entity may determine the refresh token based on the above information included in the authorization revocation request, and perform a revocation operation on the refresh token.
  • the resource owner client or terminal can generate a first authorization revocation request sent to the first entity by sending a second authorization revocation request to the API caller.
  • a third authorization revocation request can also be sent directly to the first entity to achieve the purpose of revoking authorization. In this way, a large amount of security and authorization information stored in the CCF can be deleted, reducing the burden on the CCF, improving the performance of the CAPIF framework, and thus improving the speed and efficiency of processing data.
  • FIG 10 is a flowchart of an authorization revocation method provided in an embodiment of the present application.
  • the authorization revocation method can be executed by a resource owner client or a terminal device. As shown in Figure 10, the method may include but is not limited to the following steps:
  • S1001 Send a second authorization revocation request to a second entity.
  • the second entity may be an API caller, and optionally, the API caller may be an application function or a client running on a terminal.
  • the resource owner may send a second authorization revocation request to the API caller by controlling a terminal or a resource owner client.
  • the resource owner client or terminal device may send a second authorization revocation request to the API caller, wherein the second authorization revocation request is used to determine the first authorization revocation request sent to the first entity.
  • S1002 Receive a revocation response message corresponding to the first authorization revocation request sent by the API caller.
  • the resource owner client or terminal may send a second authorization revocation request to the API caller, and the API caller generates a first authorization revocation request based on the second authorization revocation request.
  • the first entity may perform a revocation operation on the refresh token based on the refresh token indicated by the first authorization revocation request.
  • the first entity may generate a revocation response message corresponding to the first authorization revocation request and feed it back to the API caller, and the API caller feeds the revocation response message corresponding to the first authorization revocation request back to the resource owner client or terminal device.
  • the resource owner client or terminal device may determine whether the refresh token is successfully revoked based on the revocation response message, and if it is not successfully revoked, it may send the authorization revocation for the refresh token again.
  • the first entity is either the CCF network element or the authorization function.
  • the second authorization revocation request includes at least one of the following information: a resource identifier of the authorized resource; an operation identifier of a semantic operation executable on the authorized resource; identification information of the second entity; and identification information of the resource owner.
  • the first entity can delete a large amount of security and authorization information stored in the CCF or authorization function, reduce the burden on the CCF, improve the performance of the CAPIF framework, and improve the speed and efficiency of processing data. Further, a corresponding revocation response message is generated and fed back to the resource owner client or terminal device or resource owner, so that the terminal device or resource owner client or resource owner can promptly learn whether the revocation of authorization is successful, and then promptly revoke the authorization again if it is unsuccessful, so as to achieve the purpose of revoking the authorization.
  • FIG 11 is a flowchart of an authorization revocation method provided by an embodiment of the present application.
  • the authorization revocation method can be executed by a resource owner client or a terminal device. As shown in Figure 11, the method may include but is not limited to the following steps:
  • the resource owner may send the third authorization revocation request to the first entity by controlling the terminal or the resource owner client.
  • S1102 Receive a revocation response message corresponding to the third authorization revocation request sent by the first entity.
  • the resource owner client or terminal device may send a third authorization revocation request to the first entity in the CAPIF framework.
  • the third authorization revocation request is used to indicate a refresh token associated with the resource owner.
  • the third authorization revocation request may directly indicate or include a refresh token associated with the resource owner, or indirectly indicate a refresh token associated with the resource owner through parameter information associated with the refresh token.
  • the third authorization revocation request includes at least one of the following information: a resource identifier of an authorized resource; an operation identifier of a semantic operation that can be executed on the authorized resource; identification information of the second entity; and identification information of the resource owner.
  • the resource owner client or terminal device or resource owner may send a third authorization revocation request to the first entity.
  • the first entity may perform a revocation operation on the refresh token based on the refresh token indicated by the third authorization revocation request.
  • the first entity may generate a revocation response message corresponding to the third authorization revocation request and feed it back to the resource owner client or terminal device or resource owner.
  • the resource owner client or terminal device or resource owner may determine whether the refresh token is successfully revoked based on the revocation response message. If not, the request to revoke the refresh token may be sent again.
  • the first entity can delete a large amount of security and authorization information stored in the CCF or authorization function, reduce the burden on the CCF, improve the performance of the CAPIF framework, and improve the speed and efficiency of processing data. Further, a corresponding revocation response message is generated and fed back to the resource owner client or terminal device or resource owner, so that the terminal device or resource owner client or resource owner can promptly understand whether the revocation of authorization is successful, and then revoke the authorization again in time if it is unsuccessful, so as to achieve the purpose of revoking the authorization.
  • Figure 12 is an interactive schematic diagram of an authorization revocation method provided in an embodiment of the present application. As shown in Figure 12, the method may include but is not limited to the following steps:
  • the resource owner client or terminal device or resource owner sends a second authorization revocation request to a second entity.
  • the second entity may be an API caller, and optionally, the API caller may be an application function or a client running on a terminal.
  • the second entity sends a first authorization revocation request to the first entity.
  • the first authorization revocation request may directly indicate or include a refresh token related to the resource owner.
  • S1203 The first entity revokes the refresh token related to the resource owner.
  • S1204 The first entity sends a revocation response message corresponding to the first authorization revocation request to the second entity.
  • S1205 The second entity sends a revocation response message to the resource owner client or terminal device or the resource owner.
  • the first entity can delete a large amount of security and authorization information stored in the CCF or authorization function, reduce the burden on the CCF, improve the performance of the CAPIF framework, and improve the speed and efficiency of processing data. Further, a corresponding revocation response message is generated and fed back to the resource owner client or terminal device or resource owner, so that the terminal device or resource owner client or resource owner can promptly understand whether the revocation of authorization is successful, and then revoke the authorization again in time if it is unsuccessful, so as to achieve the purpose of revoking the authorization.
  • Figure 13 is an interactive schematic diagram of an authorization revocation method provided in an embodiment of the present application. As shown in Figure 13, the method may include but is not limited to the following steps:
  • S1301 The second entity sends a first authorization revocation request to the first entity.
  • S1302 The first entity revokes a refresh token related to the resource owner.
  • S1303 The first entity sends a revocation response message corresponding to the first authorization revocation request to the second entity.
  • the first entity can delete a large amount of security and authorization information stored in the CCF or authorization function, reduce the burden on the CCF, improve the performance of the CAPIF framework, and improve the speed and efficiency of processing data. Further, a corresponding revocation response message is generated and fed back to the resource owner client or terminal device or resource owner, so that the terminal device or resource owner client or resource owner can promptly understand whether the revocation of authorization is successful, and then revoke the authorization again in time if it is unsuccessful, so as to achieve the purpose of revoking the authorization.
  • the methods provided by the embodiments of the present application are introduced from the perspectives of network equipment and terminal equipment, respectively.
  • the network equipment and the terminal equipment may include hardware structures and software modules, and the functions are implemented in the form of hardware structures, software modules, or hardware structures plus software modules.
  • a certain function in the functions may be executed in the form of hardware structures, software modules, or hardware structures plus software modules.
  • FIG 14 is a schematic diagram of the structure of a communication device 1400 provided in an embodiment of the present application.
  • the communication device 1400 shown in Figure 14 may include a transceiver module 1401 and a processing module 1402.
  • the transceiver module 1401 may include a sending module and/or a receiving module, the sending module is used to implement a sending function, the receiving module is used to implement a receiving function, and the transceiver module 1401 may implement a sending function and/or a receiving function.
  • the communication device 1400 may be a second entity, or a device in the second entity, or a device that can be used in combination with the second entity.
  • the communication device 1400 may be a first entity in the CAPIF framework, or a device in the first entity in the CAPIF framework, or a device that can be used in combination with the first entity in the CAPIF framework.
  • the communication device 1400 may be a resource owner client or terminal device, or a device in the resource owner client or terminal device, or a device that can be used in combination with the resource owner client or terminal device.
  • the communication device 1400 is a second entity:
  • the transceiver module 1401 is used to send a first authorization revocation request to a first entity in the CAPIF framework, wherein the first authorization revocation request is used to indicate a refresh token related to a resource owner.
  • the transceiver module 1401 is further configured to receive a second authorization revocation request; generate the first authorization revocation request based on the second authorization revocation request, and send the first authorization revocation request to the first entity.
  • the transceiver module 1401 is further configured to receive the revocation response message corresponding to the first authorization revocation request sent by the first entity.
  • the second authorization revocation request is sent by a terminal device or a resource owner client running on the terminal device or a resource owner.
  • the transceiver module 1401 is further configured to send the revocation response message to the terminal device or the resource owner client or the resource owner.
  • the second authorization revocation request includes at least one of the following information: a resource identifier of an authorized resource; an operation identifier of a semantic operation executable on the authorized resource; identification information of the second entity; and identification information of the resource owner.
  • the transceiver module 1401 is further configured to determine the refresh token based on the second authorization revocation request; and send the first authorization revocation request to the first entity based on the refresh token.
  • the processing module 1402 is further configured to convert the resource identifier and/or the operation identifier to generate information in the 3GPP domain; and determine the refresh token based on the information in the 3GPP domain.
  • the transceiver module 1401 is further configured to send the refresh token and/or the token type of the refresh token to the first entity via the first authorization revocation request.
  • the transceiver module 1401 before sending the first authorization revocation request, is further used to: perform authorization interaction with the first entity to obtain the refresh token related to the resource owner.
  • the first entity is a core function CCF or an authorization function in the CAPIF framework.
  • the communication device 1400 is the first entity in the CAPIF framework:
  • the transceiver module 1401 is configured to receive a first authorization revocation request or a third authorization revocation request, wherein the first authorization revocation request or the third authorization revocation request may indicate a refresh token associated with a resource owner;
  • the processing module 1402 is used to perform a revocation operation on the refresh token based on the first authorization revocation request or the third authorization revocation request.
  • the transceiver module 1401 is further configured to receive a first authorization revocation request sent by the second entity.
  • the transceiver module 1401 is further configured to receive the third authorization revocation request sent by a terminal device or a resource owner client running on the terminal device or a resource owner.
  • the transceiver module 1401 is further used to send a revocation response message corresponding to the first authorization revocation request to the second entity; or send a revocation response message corresponding to the third authorization revocation request to the terminal device or the resource owner client or the resource owner.
  • the third authorization revocation request includes at least one of the following information: a resource identifier of an authorized resource; an operation identifier of a semantic operation executable on the authorized resource; identification information of the second entity; and identification information of the resource owner.
  • the processing module 1402 is further configured to convert the resource identifier and/or the operation identifier to generate information in the 3GPP domain; and determine the refresh token based on the information in the 3GPP domain.
  • the transceiver module 1401 is further configured to perform authorization interaction with the second entity and send the refresh token associated with the resource owner to the second entity.
  • the processing module 1402 is further configured to determine the refresh token and/or the token type of the refresh token based on the first authorization revocation request or the third authorization revocation request.
  • the first entity is one of the core function CCF network elements or the authorization functions in the CAPIF framework.
  • the transceiver module 1401 is further configured to stop generating an access token based on the refresh token upon receiving an access token application request sent by the second entity.
  • the communication device 1400 is a resource owner client or terminal device:
  • the transceiver module 1401 is used to send a second authorization revocation request to a second entity, wherein the second authorization revocation request is used to determine the first authorization revocation request sent to the first entity; or, to send a third authorization revocation request to the first entity in the CAPIF framework; wherein the second authorization revocation request or the third authorization revocation request can indicate a refresh token associated with the resource owner.
  • the transceiver module 1401 is further configured to receive a revocation response message corresponding to the first authorization revocation request sent by the second entity; or receive a revocation response message corresponding to the third authorization revocation request sent by the first entity.
  • the second authorization revocation request or the third authorization revocation request includes at least one of the following information: a resource identifier of an authorized resource; an operation identifier of a semantic operation executable on the authorized resource; identification information of the second entity; and identification information of the resource owner.
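The exchange in Figures 12 and 13 and the module behaviour described above, written out as an added in-memory model. This is example code, not the patent's or 3GPP's own implementation: the class names, the `result`/`reason` response fields, the `token_type` value and the way resource and operation identifiers are mapped into a 3GPP-domain scope string are all assumptions made for illustration. It shows the first entity deleting the stored refresh-token state on revocation, refusing further access-token applications for that token, answering a repeated revocation with a failure response, and the second entity relaying the resource owner's request.

```python
"""Added example, not the patent's or 3GPP's code: a minimal in-memory model of
the revocation exchange in Figures 12 and 13. Class, field and message names
are assumptions; CAPIF defines its own message formats."""
import secrets
from dataclasses import dataclass

TOKEN_TYPE = "refresh_token"  # assumed value of the token type carried in the request


def to_3gpp_domain(resource_id: str, operation_id: str) -> str:
    """Convert a resource identifier / operation identifier into 3GPP-domain
    information (here an assumed scope string) used to look up the token."""
    return f"{resource_id}:{operation_id}"


@dataclass(frozen=True)
class OwnerRevocationRequest:
    """Second or third authorization revocation request sent by the resource
    owner client: it names the authorization, not the token itself."""
    resource_id: str
    operation_id: str
    api_invoker_id: str
    resource_owner_id: str


@dataclass(frozen=True)
class RevocationRequest:
    """First authorization revocation request sent by the second entity: it
    carries the refresh token and the token type."""
    token: str
    token_type: str = TOKEN_TYPE


class AuthorizationFunction:
    """First entity (CCF or authorization function): issues refresh tokens,
    revokes them, and refuses access tokens derived from a revoked one."""

    def __init__(self):
        self._active = {}  # refresh token -> (api_invoker_id, resource_owner_id, scope)

    def authorize(self, api_invoker_id, resource_owner_id, scope):
        """Authorization interaction: bind a fresh refresh token to the caller and owner."""
        token = secrets.token_urlsafe(32)
        self._active[token] = (api_invoker_id, resource_owner_id, scope)
        return token

    def revoke(self, req: RevocationRequest) -> dict:
        """Revocation via the first request: delete the stored state, so the
        token no longer occupies memory and can no longer be used."""
        if req.token_type != TOKEN_TYPE or req.token not in self._active:
            return {"result": "failure", "reason": "unknown or already revoked token"}
        del self._active[req.token]
        return {"result": "success"}

    def revoke_for_owner(self, req: OwnerRevocationRequest) -> dict:
        """Revocation via the third request: convert the identifiers to the
        3GPP domain, find the matching refresh token, then revoke it."""
        wanted = (req.api_invoker_id, req.resource_owner_id,
                  to_3gpp_domain(req.resource_id, req.operation_id))
        token = next((t for t, binding in self._active.items() if binding == wanted), None)
        if token is None:
            return {"result": "failure", "reason": "no matching authorization"}
        return self.revoke(RevocationRequest(token))

    def issue_access_token(self, refresh_token):
        """Access token application: no access token is generated once the
        refresh token has been revoked."""
        if refresh_token not in self._active:
            return None
        return secrets.token_urlsafe(16)


class ApiInvoker:
    """Second entity (API invoker, e.g. an application function)."""

    def __init__(self, invoker_id, ccf: AuthorizationFunction):
        self.invoker_id = invoker_id
        self.ccf = ccf
        self._tokens = {}  # (resource_owner_id, scope) -> refresh token

    def obtain_authorization(self, resource_owner_id, scope):
        """Authorization interaction with the first entity before any revocation."""
        token = self.ccf.authorize(self.invoker_id, resource_owner_id, scope)
        self._tokens[(resource_owner_id, scope)] = token
        return token

    def handle_owner_revocation(self, req: OwnerRevocationRequest) -> dict:
        """Second request in, first request out, response relayed back."""
        if req.api_invoker_id != self.invoker_id:
            return {"result": "failure", "reason": "request not addressed to this invoker"}
        key = (req.resource_owner_id, to_3gpp_domain(req.resource_id, req.operation_id))
        token = self._tokens.get(key)
        if token is None:
            return {"result": "failure", "reason": "no refresh token for this authorization"}
        response = self.ccf.revoke(RevocationRequest(token, TOKEN_TYPE))
        if response["result"] == "success":
            del self._tokens[key]  # drop the local copy as well
        return response
```

The failure responses are what let the resource owner client "revoke the authorization again in time if it is unsuccessful": a request naming a different API invoker, an authorization the invoker never held, or a token already deleted at the first entity all come back as a failure rather than being silently ignored.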
  • FIG 15 is a schematic diagram of the structure of another communication device 1500 provided in an embodiment of the present application.
  • the communication device 1500 can be a second entity, or a first entity in the CAPIF framework, or a resource owner client or terminal device, or a chip, chip system, or processor that supports the second entity to implement the above method, or a chip, chip system, or processor that supports the first entity in the CAPIF framework to implement the above method, or a chip, chip system, or processor that supports the resource owner client or terminal device to implement the above method.
  • the device can be used to implement the method described in the above method embodiment, and the details can be referred to the description in the above method embodiment.
  • the communication device 1500 may include one or more processors 1501.
  • the processor 1501 may be a general-purpose processor or a dedicated processor, etc.
  • it may be a baseband processor or a central processing unit.
  • the baseband processor may be used to process the communication protocol and communication data.
  • the central processing unit may be used to control the communication device (such as a base station, a baseband chip, a terminal device, a terminal device chip, a DU or a CU, etc.), execute a computer program, and process the data of the computer program.
  • the communication device 1500 may further include one or more memories 1502, on which a computer program 1504 may be stored, and the processor 1501 executes the computer program 1504 so that the communication device 1500 performs the method described in the above method embodiment.
  • data may also be stored in the memory 1502.
  • the communication device 1500 and the memory 1502 may be provided separately or integrated together.
  • the communication device 1500 may further include a transceiver 1505 and an antenna 1506.
  • the transceiver 1505 may be referred to as a transceiver unit, a transceiver, or a transceiver circuit, etc., and is used to implement transceiver functions.
  • the transceiver 1505 may include a receiver and a transmitter.
  • the receiver may also be called a receiving circuit, etc., and is used to implement the receiving function;
  • the transmitter may also be called a transmitting circuit, etc., and is used to implement the transmitting function.
  • the communication device 1500 may further include one or more interface circuits 1507.
  • the interface circuit 1507 is used to receive code instructions and transmit them to the processor 1501.
  • the processor 1501 runs the code instructions to enable the communication device 1500 to perform the method described in the above method embodiment.
  • the processor 1501 may include a transceiver for implementing the receiving and sending functions.
  • the transceiver may be a transceiver circuit, an interface, or an interface circuit.
  • the transceiver circuit, interface, or interface circuit for implementing the receiving and sending functions may be separate or integrated.
  • the above-mentioned transceiver circuit, interface, or interface circuit may be used for reading and writing code/data, or the above-mentioned transceiver circuit, interface, or interface circuit may be used for transmitting or delivering signals.
  • the processor 1501 may store a computer program 1503, which runs on the processor 1501 and enables the communication device 1500 to perform the method described in the above method embodiment.
  • the computer program 1503 may be fixed in the processor 1501, in which case the processor 1501 may be implemented by hardware.
  • the communication device 1500 may include a circuit that can implement the functions of sending or receiving or communicating in the aforementioned method embodiments.
  • the processor and transceiver described in the present application can be implemented in an integrated circuit (IC), an analog IC, a radio frequency integrated circuit RFIC, a mixed signal IC, an application specific integrated circuit (ASIC), a printed circuit board (PCB), an electronic device, etc.
  • the processor and transceiver can also be manufactured using various IC process technologies, such as complementary metal oxide semiconductor (CMOS), N-type metal oxide semiconductor (NMOS), P-type metal oxide semiconductor (positive channel metal oxide semiconductor, PMOS), bipolar junction transistor (BJT), bipolar CMOS (BiCMOS), silicon germanium (SiGe), gallium arsenide (GaAs), etc.
  • the communication device described in the above embodiments may be the second entity or the first entity in the CAPIF framework or the resource owner client or terminal device, but the scope of the communication device described in this application is not limited thereto, and the structure of the communication device may not be limited by FIG. 14.
  • the communication device may be an independent device or may be part of a larger device.
  • the communication device may be: an IC set, which may also include a storage component for storing data and computer programs; an ASIC such as a modem; or a chip or a chip system.
  • the schematic diagram of the chip structure shown in Figure 16 includes a processor 1601 and an interface 1602.
  • the number of processors 1601 may be one or more, and the number of interfaces 1602 may be more than one.
  • the chip further includes a memory 1603, and the memory 1603 is used to store necessary computer programs and data.
  • the chip can be used to implement the functions of the second entity in the above-mentioned embodiments of the present application.
  • the chip can be used to implement the functions of the first entity in the CAPIF framework in the above-mentioned embodiments of the present application.
  • the chip can be used to implement the functions of the resource owner client or terminal device in the above-mentioned embodiments of the present application.
  • the second entity first performs authorization interaction with the first entity to obtain a refresh token. Further, the second entity receives the second authorization revocation request sent by the resource owner client or terminal, generates a first authorization revocation request from it, and sends the first authorization revocation request to the first entity to achieve the purpose of revoking authorization, thereby reducing the burden on the CCF, improving the performance of the CAPIF framework, and improving the speed and efficiency of processing data.
  • the embodiment of the present application also provides a communication system 1700 for authorization revocation, which includes a first entity 1701 and a second entity 1702 in a CAPIF framework.
  • the second entity 1702 is configured to send a first authorization revocation request to the first entity, wherein the first authorization revocation request is used to indicate a refresh token associated with a resource owner;
  • the first entity 1701 is configured to perform a revocation operation on the refresh token based on the first authorization revocation request.
  • the communication system further includes: a resource owner client or terminal device 1703, the resource owner client or terminal device, configured to send a second authorization revocation request to the second entity;
  • the second entity 1702 is configured to generate the first authorization revocation request based on the second authorization revocation request, and send the first authorization revocation request to the first entity.
  • the embodiment of the present application also provides a communication system 1800 for authorization revocation, which includes a first entity 1801 in a CAPIF framework and a resource owner client or terminal device 1802.
  • the resource owner client or terminal device 1802 is used to send a third authorization revocation request to the first entity in the CAPIF framework, wherein the third authorization revocation request is used to indicate a refresh token related to the resource owner;
  • the first entity 1801 is configured to perform a revocation operation on the refresh token based on the first authorization revocation request.
  • the communication device in the aforementioned embodiment of Figure 14 can be used as a communication device of the second entity, as a communication device of the first entity in the CAPIF framework, and as a communication device of the resource owner client or terminal device, or the communication device in the aforementioned embodiment of Figure 15 can be used as a communication device of the second entity, as a communication device of the first entity in the CAPIF framework, and as a communication device of the resource owner client or terminal device.
  • the present application also provides a readable storage medium having instructions stored thereon, which implement the functions of any of the above method embodiments when executed by a computer.
  • the present application also provides a computer program product, which implements the functions of any of the above method embodiments when executed by a computer.
  • the computer program product includes one or more computer programs.
  • the computer can be a general-purpose computer, a special-purpose computer, a computer network, or other programmable device.
  • the computer program can be stored in a computer-readable storage medium, or transmitted from one computer-readable storage medium to another computer-readable storage medium.
  • the computer program can be transmitted from a website, computer, server or data center to another website, computer, server or data center by wired means (e.g., coaxial cable, optical fiber, digital subscriber line (DSL)) or wireless means (e.g., infrared, radio, microwave, etc.).
  • the computer-readable storage medium can be any available medium that can be accessed by a computer or a data storage device such as a server or data center that contains one or more available media integrated.
  • the available medium may be a magnetic medium (e.g., a floppy disk, a hard disk, a magnetic tape), an optical medium (e.g., a high-density digital video disc (DVD)), or a semiconductor medium (e.g., a solid state disk (SSD)), etc.
  • the corresponding relationships shown in each table in the present application can be configured or predefined.
  • the values of the information in each table are only examples and can be configured as other values, which are not limited by the present application.
  • the corresponding relationships shown in some rows may not be configured.
  • appropriate deformation adjustments can be made based on the above table, such as splitting, merging, etc.
  • the names of the parameters shown in the titles of the above tables can also use other names that can be understood by the communication device, and the values or representations of the parameters can also be other values or representations that can be understood by the communication device.
  • other data structures can also be used, such as arrays, queues, containers, stacks, linear lists, pointers, linked lists, trees, graphs, structures, classes, heaps or hash tables.
  • "predefined" in the present application may be understood as defined, predefined, stored, pre-stored, pre-negotiated, pre-configured, solidified, or pre-burned.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

Disclosed in embodiments of the present application are an authorization revocation method and an apparatus, which can be applied to a communication system. The method comprises: sending a first authorization revocation request to a first entity in a CAPIF, wherein the first authorization revocation request is used for indicating a refresh token related to a resource owner. In the technical solution, a second entity sends to a first entity an authorization revocation request for indicating a refresh token, to achieve the objective of revoking authorization, thereby deleting a large amount of security and authorization information stored in a CCF, reducing the burden of the CCF, improving the performance of the CAPIF, and thus improving the data processing speed and efficiency.

Description

一种授权撤销方法及其装置A method and device for revoking authorization 技术领域Technical Field

本申请涉及通信技术领域,尤其涉及一种授权撤销方法及其装置。The present application relates to the field of communication technology, and in particular to an authorization revocation method and device thereof.

背景技术Background Art

在订阅用户感知的应用程序编程接口(Application Programming Interface,API)调用(subscriber-aware northbound API access,SNA)场景中,可以通过通用API框架的核心功能(CAPIF core function,CCF)从资源所有者获得授权,根据授权信息访问目标资源。在此过程中,CCF需要存储与API调用者和资源所有者相关的所有安全和授权信息,由于CCF无法清除大量的安全和授权信息,占用大量的内存,给CCF带来了负担,影响了通用API框架的性能。In the scenario of subscriber-aware northbound API access (SNA), authorization can be obtained from the resource owner through the core function of the common API framework (CAPIF core function, CCF), and the target resource can be accessed according to the authorization information. In this process, CCF needs to store all security and authorization information related to the API caller and the resource owner. Since CCF cannot clear a large amount of security and authorization information, it occupies a large amount of memory, which brings a burden to CCF and affects the performance of the common API framework.

发明内容Summary of the invention

本申请实施例提供一种授权撤销方法及其装置,可以应用通信领域,以解决CCF无法清除大量的安全和授权信息的问题,减轻CCF的负担,提升通用API框架的性能。The embodiment of the present application provides an authorization revocation method and device, which can be applied in the communication field to solve the problem that CCF cannot clear a large amount of security and authorization information, reduce the burden of CCF, and improve the performance of the general API framework.

第一方面,本申请实施例提供一种授权撤销方法,该方法包括:In a first aspect, an embodiment of the present application provides a method for revoking authorization, the method comprising:

向通用应用程序编程接口CAPIF框架中的第一实体发送第一授权撤销请求,其中所述第一授权撤销请求用于指示与资源所有者相关的刷新令牌。A first authorization revocation request is sent to a first entity in a common application programming interface CAPIF framework, wherein the first authorization revocation request is used to indicate a refresh token related to a resource owner.

在该技术方案中,第二实体向第一实体发送指示的刷新令牌授权撤销请求,以达到撤销授权的目的,从而删除存储在CCF中大量的安全和授权信息,减少了CCF的负担,提升了CAPIF框架的性能,进而提高了处理数据的速度和效率。In this technical solution, the second entity sends an indicated refresh token authorization revocation request to the first entity to achieve the purpose of revoking authorization, thereby deleting a large amount of security and authorization information stored in the CCF, reducing the burden on the CCF, improving the performance of the CAPIF framework, and thereby improving the speed and efficiency of processing data.

第二方面,本申请实施例提供另一种授权撤销方法,该方法包括:In a second aspect, an embodiment of the present application provides another authorization revocation method, the method comprising:

接收第一授权撤销请求或第三授权撤销请求,其中所述第一撤销授权请求或所述第二授权撤销请求用于指示与资源所有者相关的刷新令牌;基于所述第一撤销授权请求或第三授权撤销请求,对所述刷新令牌执行撤销操作。A first authorization revocation request or a third authorization revocation request is received, wherein the first authorization revocation request or the second authorization revocation request is used to indicate a refresh token associated with a resource owner; and a revocation operation is performed on the refresh token based on the first authorization revocation request or the third authorization revocation request.

第三方面,本申请实施例提供另一种授权撤销方法,该方法包括:In a third aspect, an embodiment of the present application provides another authorization revocation method, the method comprising:

向第二实体发送第二授权撤销请求,其中,所述第二撤销授权请求用于确定向所述第一实体发送的所述第一授权撤销请求;或者,向CAPIF框架中的第一实体发送第三授权撤销请求;其中,所述第一授权撤销请求或所述第二授权撤销或所述第三授权撤销请求用于指示与资源所有者相关的刷新令牌。Send a second authorization revocation request to a second entity, wherein the second authorization revocation request is used to determine the first authorization revocation request sent to the first entity; or, send a third authorization revocation request to the first entity in the CAPIF framework; wherein the first authorization revocation request or the second authorization revocation or the third authorization revocation request is used to indicate a refresh token associated with a resource owner.

第四方面,本申请实施例提供一种通信装置,该通信装置具有实现上述第一方面所述的方法中第二实体的部分或全部功能,比如通信装置的功能可具备本申请中的部分或全部实施例中的功能,也可以具备单独实施本申请中的任一个实施例的功能。所述功能可以通过硬件实现,也可以通过硬件执行相应的软件实现。所述硬件或软件包括一个或多个与上述功能相对应的单元或模块。 In a fourth aspect, an embodiment of the present application provides a communication device, which has the function of implementing some or all of the functions of the second entity in the method described in the first aspect above. For example, the functions of the communication device may have the functions of some or all of the embodiments in the present application, or may have the functions of implementing any one of the embodiments in the present application separately. The functions may be implemented by hardware, or may be implemented by hardware executing corresponding software. The hardware or software includes one or more units or modules corresponding to the above functions.

在一种实现方式中,该通信装置的结构中可包括收发模块和处理模块,所述处理模块被配置为支持通信装置执行上述方法中相应的功能。所述收发模块用于支持通信装置与其他设备之间的通信。所述通信装置还可以包括存储模块,所述存储模块用于与收发模块和处理模块耦合,其保存通信装置必要的计算机程序和数据。In one implementation, the structure of the communication device may include a transceiver module and a processing module, and the processing module is configured to support the communication device to perform the corresponding functions in the above method. The transceiver module is used to support communication between the communication device and other devices. The communication device may also include a storage module, which is used to couple with the transceiver module and the processing module, and store the computer programs and data necessary for the communication device.

作为示例,处理模块可以为处理器,收发模块可以为收发器或通信接口,存储模块可以为存储器。As an example, the processing module may be a processor, the transceiver module may be a transceiver or a communication interface, and the storage module may be a memory.

第五方面,本申请实施例提供另一种通信装置,该通信装置具有实现上述第二方面所述的方法示例中CAPIF框架中的第一实体的部分或全部功能,比如通信装置的功能可具备本申请中的部分或全部实施例中的功能,也可以具备单独实施本申请中的任一个实施例的功能。所述功能可以通过硬件实现,也可以通过硬件执行相应的软件实现。所述硬件或软件包括一个或多个与上述功能相对应的单元或模块。In a fifth aspect, an embodiment of the present application provides another communication device, which has some or all of the functions of the first entity in the CAPIF framework in the method example described in the second aspect above. For example, the functions of the communication device may have the functions of some or all of the embodiments in the present application, or may have the functions of implementing any one of the embodiments in the present application separately. The functions may be implemented by hardware, or by executing corresponding software implementations through hardware. The hardware or software includes one or more units or modules corresponding to the above functions.

在一种实现方式中,该通信装置的结构中可包括收发模块和处理模块,该处理模块被配置为支持通信装置执行上述方法中相应的功能。收发模块用于支持通信装置与其他设备之间的通信。所述通信装置还可以包括存储模块,所述存储模块用于与收发模块和处理模块耦合,其保存通信装置必要的计算机程序和数据。In one implementation, the structure of the communication device may include a transceiver module and a processing module, and the processing module is configured to support the communication device to perform the corresponding functions in the above method. The transceiver module is used to support communication between the communication device and other devices. The communication device may also include a storage module, which is used to couple with the transceiver module and the processing module, and store the computer programs and data necessary for the communication device.

作为示例,处理模块可以为处理器,收发模块可以为收发器或通信接口,存储模块可以为存储器。As an example, the processing module may be a processor, the transceiver module may be a transceiver or a communication interface, and the storage module may be a memory.

第六方面,本申请实施例提供另一种通信装置,该通信装置具有实现上述第三方面所述的方法示例中资源所有者客户端或终端设备的部分或全部功能,比如通信装置的功能可具备本申请中的部分或全部实施例中的功能,也可以具备单独实施本申请中的任一个实施例的功能。所述功能可以通过硬件实现,也可以通过硬件执行相应的软件实现。所述硬件或软件包括一个或多个与上述功能相对应的单元或模块。In a sixth aspect, an embodiment of the present application provides another communication device, which has some or all of the functions of the resource owner client or terminal device in the method example described in the third aspect above. For example, the functions of the communication device may have some or all of the functions in the embodiments of the present application, or may have the functions of implementing any one of the embodiments of the present application alone. The functions may be implemented by hardware, or by hardware executing corresponding software. The hardware or software includes one or more units or modules corresponding to the above functions.

在一种实现方式中,该通信装置的结构中可包括收发模块和处理模块,该处理模块被配置为支持通信装置执行上述方法中相应的功能。收发模块用于支持通信装置与其他设备之间的通信。所述通信装置还可以包括存储模块,所述存储模块用于与收发模块和处理模块耦合,其保存通信装置必要的计算机程序和数据。In one implementation, the structure of the communication device may include a transceiver module and a processing module, and the processing module is configured to support the communication device to perform the corresponding functions in the above method. The transceiver module is used to support communication between the communication device and other devices. The communication device may also include a storage module, which is used to couple with the transceiver module and the processing module, and store the computer programs and data necessary for the communication device.

作为示例,处理模块可以为处理器,收发模块可以为收发器或通信接口,存储模块可以为存储器。As an example, the processing module may be a processor, the transceiver module may be a transceiver or a communication interface, and the storage module may be a memory.

In a seventh aspect, an embodiment of the present application provides a communication device including a processor. When the processor calls a computer program in a memory, the method described in the first aspect above is executed.

In an eighth aspect, an embodiment of the present application provides a communication device including a processor. When the processor calls a computer program in a memory, the method described in the second aspect above is executed.

In a ninth aspect, an embodiment of the present application provides a communication device including a processor. When the processor calls a computer program in a memory, the method described in the third aspect above is executed.

In a tenth aspect, an embodiment of the present application provides a communication device including a processor and a memory, the memory storing a computer program; the processor executes the computer program stored in the memory to cause the communication device to execute the method described in the first aspect above.

In an eleventh aspect, an embodiment of the present application provides a communication device including a processor and a memory, the memory storing a computer program; the processor executes the computer program stored in the memory to cause the communication device to execute the method described in the second aspect above.

In a twelfth aspect, an embodiment of the present application provides a communication device including a processor and a memory, the memory storing a computer program; the processor executes the computer program stored in the memory to cause the communication device to execute the method described in the third aspect above.

In a thirteenth aspect, an embodiment of the present application provides a communication device including a processor and an interface circuit. The interface circuit is used to receive code instructions and transmit them to the processor, and the processor is used to run the code instructions to cause the device to execute the method described in the first aspect above.

In a fourteenth aspect, an embodiment of the present application provides a communication device including a processor and an interface circuit. The interface circuit is used to receive code instructions and transmit them to the processor, and the processor is used to run the code instructions to cause the device to execute the method described in the second aspect above.

In a fifteenth aspect, an embodiment of the present application provides a communication device including a processor and an interface circuit. The interface circuit is used to receive code instructions and transmit them to the processor, and the processor is used to run the code instructions to cause the device to execute the method described in the third aspect above.

In a sixteenth aspect, an embodiment of the present application provides an authorization revocation system. The system includes the communication device of the fourth aspect, the communication device of the fifth aspect and the communication device of the sixth aspect; or the system includes the communication device of the seventh aspect, the communication device of the eighth aspect and the communication device of the ninth aspect; or the system includes the communication device of the tenth aspect, the communication device of the eleventh aspect and the communication device of the twelfth aspect; or the system includes the communication device of the thirteenth aspect, the communication device of the fourteenth aspect and the communication device of the fifteenth aspect.

In a seventeenth aspect, an embodiment of the present invention provides a computer-readable storage medium for storing instructions used by the above second entity. When the instructions are executed, they cause the second entity to execute the method described in the first aspect above.

In an eighteenth aspect, an embodiment of the present invention provides a readable storage medium for storing instructions used by the above first entity in the CAPIF framework. When the instructions are executed, they cause the first entity in the CAPIF framework to execute the method described in the second aspect above.

In a nineteenth aspect, an embodiment of the present invention provides a readable storage medium for storing instructions used by the above resource owner client or terminal device. When the instructions are executed, they cause the resource owner client or terminal device to execute the method described in the third aspect above.

In a twentieth aspect, the present application further provides a computer program product comprising a computer program which, when run on a computer, causes the computer to execute the method described in the first aspect above.

In a twenty-first aspect, the present application further provides a computer program product comprising a computer program which, when run on a computer, causes the computer to execute the method described in the second aspect above.

In a twenty-second aspect, the present application further provides a computer program product comprising a computer program which, when run on a computer, causes the computer to execute the method described in the third aspect above.

In a twenty-third aspect, the present application provides a chip system including at least one processor and an interface, for supporting the second entity in implementing the functions involved in the first aspect, for example, determining or processing at least one of the data and information involved in the above method. In one possible design, the chip system further includes a memory for storing the computer programs and data necessary for the second entity. The chip system may consist of chips, or may include chips and other discrete devices.

In a twenty-fourth aspect, the present application provides a chip system including at least one processor and an interface, for supporting the first entity in the CAPIF framework in implementing the functions involved in the second aspect, for example, determining or processing at least one of the data and information involved in the above method. In one possible design, the chip system further includes a memory for storing the computer programs and data necessary for the first entity in the CAPIF framework. The chip system may consist of chips, or may include chips and other discrete devices.

In a twenty-fifth aspect, the present application provides a chip system including at least one processor and an interface, for supporting the resource owner client or terminal device in implementing the functions involved in the third aspect, for example, determining or processing at least one of the data and information involved in the above method. In one possible design, the chip system further includes a memory for storing the computer programs and data necessary for the resource owner client or terminal device. The chip system may consist of chips, or may include chips and other discrete devices.

In a twenty-sixth aspect, the present application provides a computer program which, when run on a computer, causes the computer to execute the method described in the first aspect above.

In a twenty-seventh aspect, the present application provides a computer program which, when run on a computer, causes the computer to execute the method described in the second aspect above.

In a twenty-eighth aspect, the present application provides a computer program which, when run on a computer, causes the computer to execute the method described in the third aspect above.

BRIEF DESCRIPTION OF THE DRAWINGS

In order to illustrate the technical solutions in the embodiments of the present application or in the background art more clearly, the drawings required for the embodiments of the present application or the background art are described below.

FIG. 1 is a schematic diagram of the architecture of a communication system provided in an embodiment of the present application;

FIG. 2 is a flow chart of an authorization revocation method provided in an embodiment of the present application;

FIG. 3 is a flow chart of another authorization revocation method provided in an embodiment of the present application;

FIG. 4 is a flow chart of another authorization revocation method provided in an embodiment of the present application;

FIG. 5 is a flow chart of another authorization revocation method provided in an embodiment of the present application;

FIG. 6 is a flow chart of another authorization revocation method provided in an embodiment of the present application;

FIG. 7 is a flow chart of another authorization revocation method provided in an embodiment of the present application;

FIG. 8 is a flow chart of another authorization revocation method provided in an embodiment of the present application;

FIG. 9 is a flow chart of another authorization revocation method provided in an embodiment of the present application;

FIG. 10 is a flow chart of another authorization revocation method provided in an embodiment of the present application;

FIG. 11 is a flow chart of another authorization revocation method provided in an embodiment of the present application;

FIG. 12 is an interaction diagram of an authorization revocation method provided in an embodiment of the present application;

FIG. 13 is an interaction diagram of another authorization revocation method provided in an embodiment of the present application;

FIG. 14 is a schematic structural diagram of a communication device provided in an embodiment of the present application;

FIG. 15 is a schematic structural diagram of another communication device provided in an embodiment of the present application;

FIG. 16 is a schematic structural diagram of a chip provided in an embodiment of the present application;

FIG. 17 is a communication system for authorization revocation provided in an embodiment of the present application;

FIG. 18 is another communication system for authorization revocation provided in an embodiment of the present application.

DETAILED DESCRIPTION

Exemplary embodiments will be described in detail herein, examples of which are shown in the accompanying drawings. Where the following description refers to the drawings, the same numerals in different drawings denote the same or similar elements unless otherwise indicated. The implementations described in the following exemplary embodiments do not represent all implementations consistent with the present disclosure. Instead, they are merely examples of devices and methods consistent with some aspects of the present disclosure as detailed in the appended claims.

The terms used in the embodiments of the present disclosure are only for the purpose of describing specific embodiments and are not intended to limit the embodiments of the present disclosure. The singular forms "a", "an" and "the" used in the embodiments of the present disclosure and in the appended claims are also intended to include the plural forms unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and includes any or all possible combinations of one or more of the associated listed items.

It should be understood that, although the terms first, second, third, etc. may be used in the embodiments of the present disclosure to describe various kinds of information, the information should not be limited by these terms. These terms are only used to distinguish information of the same type from one another. For example, without departing from the scope of the embodiments of the present disclosure, first information may also be referred to as second information, and similarly, second information may also be referred to as first information. Depending on the context, the word "if" as used herein may be interpreted as "at the time of", "when" or "in response to determining". For brevity and ease of understanding, the terms "greater than" or "less than" and "higher than" or "lower than" are used herein when characterizing magnitude relationships. Those skilled in the art will understand that the term "greater than" also covers "greater than or equal to", "less than" also covers "less than or equal to", "higher than" covers "higher than or equal to", and "lower than" also covers "lower than or equal to".

For a better understanding of the authorization revocation method disclosed in the embodiments of the present application, the communication system to which the embodiments of the present application apply is described first.

Please refer to FIG. 1, which is a schematic diagram of the architecture of a communication system provided in an embodiment of the present application. The communication system may include, but is not limited to, one network device and one terminal device. The number and form of the devices shown in FIG. 1 are only examples and do not limit the embodiments of the present application; in practice, two or more network devices and two or more terminal devices may be included. The communication system shown in FIG. 1 includes one network device 101 and one terminal device 102 as an example.

It should be noted that the technical solutions of the embodiments of the present application can be applied to various communication systems, for example: the third generation (3G) Universal Mobile Telecommunications System (UMTS), the Long Term Evolution (LTE) system, the fifth generation (5G) mobile communication system, the 5G New Radio (NR) system, the sixth generation (6G) mobile communication system, or other new mobile communication systems in the future.

The network device 101 in the embodiments of the present application is an entity on the network side for transmitting or receiving signals. For example, the network device 101 may be an evolved NodeB (eNB), a transmission reception point (TRP), a next generation NodeB (gNB) in an NR system, a base station in another future mobile communication system, or an access node in a wireless fidelity (WiFi) system. The embodiments of the present application do not limit the specific technology or the specific device form adopted by the network device. The network device provided in the embodiments of the present application may be composed of a central unit (CU) and a distributed unit (DU), where the CU may also be referred to as a control unit. With the CU-DU structure, the protocol layers of a network device such as a base station can be split: the functions of some protocol layers are placed in the CU for centralized control, the functions of the remaining or all protocol layers are distributed in the DU, and the CU centrally controls the DU.

The terminal device 102 in the embodiments of the present application is an entity on the user side for receiving or transmitting signals, such as a mobile phone. The terminal device may also be referred to as a terminal, user equipment (UE), mobile station (MS), mobile terminal (MT), etc. The terminal device may be a car with a communication function, a smart car, a mobile phone, a wearable device, a tablet computer (Pad), a computer with a wireless transceiver function, a virtual reality (VR) terminal device, an augmented reality (AR) terminal device, a wireless terminal device in industrial control, a wireless terminal device in self-driving, a wireless terminal device in remote medical surgery, a wireless terminal device in a smart grid, a wireless terminal device in transportation safety, a wireless terminal device in a smart city, a wireless terminal device in a smart home, and so on. The embodiments of the present application do not limit the specific technology or the specific device form adopted by the terminal device.

It can be understood that the communication system described in the embodiments of the present application is intended to illustrate the technical solutions of the embodiments more clearly and does not limit the technical solutions provided in the embodiments. A person of ordinary skill in the art will recognize that, as the system architecture evolves and new service scenarios emerge, the technical solutions provided in the embodiments of the present application remain applicable to similar technical problems.

It should be noted that the authorization revocation method provided in any embodiment of the present application may be executed alone, in combination with possible implementations in other embodiments, or in combination with any technical solution in the related art.

The authorization revocation method and device provided by the present application are described in detail below with reference to the accompanying drawings.

Please refer to FIG. 2, which is a flow chart of an authorization revocation method provided in an embodiment of the present application. The authorization revocation method may be performed by a second entity. As shown in FIG. 2, the method may include, but is not limited to, the following steps:

S201: Send a first authorization revocation request to a first entity in the CAPIF framework, where the first authorization revocation request is used to indicate a refresh token associated with a resource owner.

In some implementations, the second entity may be an API invoker; optionally, the API invoker is an application function or a client running on a terminal.

In some implementations, the first entity in the CAPIF framework may include the CAPIF core function (CCF) or the authorization function of the Common API Framework (CAPIF). It should be noted that the first entity is one of the CCF network element and the authorization function. Under certain conditions the CCF network element and the authorization function are designed as an integrated whole, that is, the CCF network element may also assume the responsibilities of the authorization function.

In some implementations, the API invoker may obtain a refresh token associated with the resource owner from the CCF or the authorization function in CAPIF. In some implementations, the API invoker may perform an authorization interaction with the CCF or the authorization function based on a network protocol to obtain the refresh token associated with the resource owner.

In some implementations, the refresh token associated with the resource owner is a refresh token containing identification information of the resource owner; optionally, the resource owner identifier may be a generic public subscription identifier (GPSI).

In some implementations, the refresh token associated with the resource owner may be used to generate an access token for the resource, so that the API invoker can access the corresponding resource based on that access token.

In some implementations, the API invoker may send a first authorization revocation request to the first entity, where the first authorization revocation request is used to indicate the refresh token associated with the resource owner.

In some implementations, if the first authorization revocation request contains the refresh token, the refresh token contains the resource owner identifier.

Optionally, the first authorization revocation request may explicitly indicate the refresh token associated with the resource owner: the API invoker carries the refresh token associated with the resource owner directly in the first authorization revocation request sent to the first entity.

Optionally, the first authorization revocation request may implicitly indicate the refresh token associated with the resource owner: the first authorization revocation request sent by the API invoker carries parameter information relating to the refresh token, and the first entity determines the refresh token from that parameter information. For example, the first authorization revocation request includes at least one of the following: a resource identifier of the authorized resource; an operation identifier of a semantic operation that can be performed on the authorized resource; identification information of the second entity; identification information of the resource owner.

In some implementations, the first authorization revocation request may include identification information of the resource owner, and the first entity may determine the refresh token to be revoked based on the identification information of the resource owner in the first revocation request and revoke that refresh token.

In some implementations, the resource owner is an end user, a subscriber associated with the terminal, or a human being.

In some implementations, after obtaining the refresh token, the API invoker may send an access token request to the first entity; accordingly, after receiving the access token request, the first entity may generate an access token based on the refresh token. The API invoker may receive the access token sent by the first entity and send the access token to the resource owner. Further, the API invoker may access the corresponding resource based on the access token.

In some implementations, the API invoker may send the refresh token and/or the token type of the refresh token to the first entity in the first authorization revocation request.

In the embodiments of the present application, the API invoker sends an authorization revocation request indicating the refresh token to the first entity in order to revoke the authorization, so that the large amount of security and authorization information stored in the CCF can be deleted. This reduces the burden on the CCF, improves the performance of the CAPIF framework, and thereby increases the speed and efficiency of data processing.

Please refer to FIG. 3, which is a flow chart of an authorization revocation method provided in an embodiment of the present application. The authorization revocation method may be performed by the second entity. As shown in FIG. 3, the method may include, but is not limited to, the following steps:

S301: Send a first authorization revocation request to the first entity in the CAPIF framework.

In some implementations, the second entity may be an API invoker; optionally, the API invoker is an application function or a client running on a terminal.

In the embodiments of the present application, step S301 may be implemented in any of the ways described in the embodiments of the present application, which are not limited or repeated here.

S302: Receive a revocation response message corresponding to the first authorization revocation request sent by the first entity.

In some implementations, after receiving the first authorization revocation request, the first entity may perform a revocation operation on the refresh token indicated by the first authorization revocation request. After completing the revocation operation, the first entity may generate a revocation response message corresponding to the first authorization revocation request and return it to the API invoker. The API invoker can determine from the revocation response message whether the refresh token was successfully revoked; if it was not, the API invoker may send the authorization revocation request for the refresh token again.

On the basis of the above embodiment, the authorization revocation method may further include the following step:

S303: Send a revocation response message to the terminal device, the resource owner client or the resource owner.

In some implementations, after receiving the revocation response message corresponding to the first authorization revocation request from the first entity, the API invoker further sends a revocation response message to the terminal device, the resource owner client or the resource owner. The terminal device, resource owner client or resource owner can determine from the revocation response message whether the refresh token was successfully revoked; if it was not, the authorization revocation for the refresh token may be requested again.

In the embodiments of the present application, the API invoker sends an authorization revocation request indicating the refresh token to the first entity, receives the revocation response message sent by the first entity, and sends a revocation response message to the terminal device, the resource owner client or the resource owner, so that the authorization is revoked. The large amount of security and authorization information stored in the CCF can thus be deleted, which reduces the burden on the CCF, improves the performance of the CAPIF framework, and increases the speed and efficiency of data processing. Because the API invoker and the terminal device, resource owner client or resource owner receive the revocation response message originating from the first entity, they can promptly learn whether the revocation of the authorization succeeded and terminate the authorization in time.

Please refer to Figure 4, which is a schematic flow chart of an authorization revocation method provided in an embodiment of the present application. The authorization revocation method may be performed by the second entity. As shown in Figure 4, the method may include, but is not limited to, the following steps:

S401: Receive a second authorization revocation request.

In some implementations, the second entity may be an API invoker; optionally, the API invoker is an application function or a client running on a terminal.

It should be noted that, in order to obtain a refresh token associated with the resource owner, the API invoker may perform an authorization interaction with the first entity over a network protocol to obtain the refresh token associated with the resource owner. Further, the API invoker may obtain an access token from the first entity based on the refresh token, so that the API invoker can access the corresponding resource using the access token.

In some implementations, the API invoker may receive the second authorization revocation request sent by the terminal device.

In some implementations, the API invoker may receive the second authorization revocation request sent by a resource owner client running on the terminal device. In some implementations, the resource owner may send the second authorization revocation request to the API invoker by operating the terminal or the resource owner client. By way of example, the resource owner client runs on the terminal device, and the resource owner interacts with a server through the client on the terminal device; for instance, the resource owner client is a browser, the API invoker is the server accessed by the browser, and the resource owner interacts with the server through the browser.

In some implementations, the API invoker may receive the second authorization revocation request sent by the terminal device, or by a resource owner client running on the terminal device, or by the resource owner.

Optionally, the second authorization revocation request includes at least one of the following: a resource identifier of the authorized resource; an operation identifier of a semantic operation that can be performed on the authorized resource; identification information of the second entity; identification information of the resource owner. For example, the identification information of the resource owner may be a GPSI.

S402: Generate a first authorization revocation request based on the second authorization revocation request, and send the first authorization revocation request to the first entity.

In some implementations, the first authorization revocation request is used to indicate to the first entity the refresh token associated with the resource owner.

In some implementations, the API invoker may receive the second authorization revocation request, determine the refresh token associated with the resource owner according to the second authorization revocation request, and generate the first authorization revocation request based on the refresh token. After generating the first authorization revocation request, the API invoker sends it to the first entity.

In some implementations, the second authorization revocation request may include identification information of the resource owner. The API invoker may determine the refresh token to be revoked according to the identification information of the resource owner in the second revocation request, and send that refresh token to the first entity in the first authorization revocation request; the first entity then revokes the refresh token.

In some implementations, the API invoker receives the second authorization revocation request sent by the terminal device, or by a resource owner client running on the terminal device, or by the resource owner, converts the resource identification information and the semantic operation in the second authorization revocation request into 3GPP-domain information, determines the refresh token according to the 3GPP-domain information, and sends the first authorization revocation request to the first entity based on the refresh token. In some implementations, the 3GPP-domain information may be a specific data type structure, for example a Monitoring Event Report, together with the attribute information of that data type; the attribute information includes, but is not limited to, the API name and the monitoring type (monitoringType).

In some implementations, the first authorization revocation request may be the same as the second authorization revocation request. In that case, the first entity may convert the resource identification information and the semantic operation in the first authorization revocation request into 3GPP-domain information, determine the refresh token according to the 3GPP-domain information, and then perform the revocation operation on the refresh token.

Based on the above embodiment, the authorization revocation method may further include the following steps:

S403: Receive the revocation response message, corresponding to the first authorization revocation request, sent by the first entity.

S404: Send a revocation response message to the terminal device or the resource owner client or the resource owner.

In the embodiment of the present application, steps S403 to S404 may each be implemented in any of the ways described in the embodiments of the present application; this is not limited here and is not described again.

In the embodiment of the present application, the API invoker performs an authorization interaction with the first entity to obtain a refresh token. Further, the API invoker receives the second authorization revocation request sent by the resource owner client or the terminal, determines the refresh token according to the second authorization revocation request, thereby generates the first authorization revocation request, and sends the first authorization revocation request to the first entity, so as to achieve the purpose of revoking authorization. In this way, a large amount of security and authorization information stored in the CCF is deleted, the burden on the CCF is reduced, the performance of the CAPIF framework is improved, and the speed and efficiency of data processing are increased.

Please refer to Figure 5, which is a schematic flow chart of an authorization revocation method provided in an embodiment of the present application. The authorization revocation method may be performed by the second entity. As shown in Figure 5, the method may include, but is not limited to, the following steps:

S501: Receive a second authorization revocation request.

In some implementations, the second entity may be an API invoker; optionally, the API invoker is an application function or a client running on a terminal.

In the embodiment of the present application, step S501 may be implemented in any of the ways described in the embodiments of the present application; this is not limited here and is not described again.

S502: Determine a refresh token based on the second authorization revocation request.

In some implementations, the API invoker may determine the refresh token based on parameter information related to the refresh token that is included in the second authorization revocation request. Optionally, the second authorization revocation request includes a resource identifier and/or a semantic operation identifier, and the API invoker may determine the refresh token according to the resource identifier and/or the semantic operation identifier. In some implementations, the resource identifier and/or the operation identifier are converted to generate 3GPP-domain information, and the refresh token is determined based on the 3GPP-domain information.

In some implementations, the 3GPP-domain information may be a specific data type structure, for example a Monitoring Event Report, together with the attribute information of that data type; the attribute information includes, but is not limited to, the API name and the monitoring type (monitoringType).

In some implementations, the second authorization revocation request may include identification information of the resource owner. The API invoker may determine the refresh token to be revoked according to the identification information of the resource owner in the second revocation request, and send that refresh token to the first entity in the first authorization revocation request; the first entity then revokes the refresh token.

S503: Send a first authorization revocation request to the first entity based on the refresh token.

In some implementations, the API invoker may generate the first authorization revocation request based on the refresh token determined from the second authorization revocation request, and send the first authorization revocation request to the first entity.

In some implementations, the API invoker may send the refresh token and/or the token type of the refresh token to the first entity.

Based on the above embodiment, the authorization revocation method may further include the following steps:

S504: Receive the revocation response message, corresponding to the first authorization revocation request, sent by the first entity.

S505: Send a revocation response message to the terminal device or the resource owner client or the resource owner.

In the embodiment of the present application, steps S504 to S505 may each be implemented in any of the ways described in the embodiments of the present application; this is not limited here and is not described again.

In the embodiment of the present application, the API invoker performs an authorization interaction with the first entity to obtain a refresh token. Further, the API invoker receives the second authorization revocation request sent by the resource owner client or the terminal, determines the refresh token according to the second authorization revocation request, thereby generates the first authorization revocation request according to the refresh token, and sends the first authorization revocation request to the first entity, so as to achieve the purpose of revoking authorization. In this way, a large amount of security and authorization information stored in the first entity is deleted, the burden on the CCF is reduced, the performance of the CAPIF framework is improved, and the speed and efficiency of data processing are increased.

Please refer to Figure 6, which is a schematic flow chart of an authorization revocation method provided in an embodiment of the present application. The authorization revocation method may be performed by the first entity in the CAPIF framework. As shown in Figure 6, the method may include, but is not limited to, the following steps:

S601: Receive a first authorization revocation request or a third authorization revocation request, where the first authorization revocation request or the third authorization revocation request is used to indicate a refresh token associated with a resource owner.

S602: Perform a revocation operation on the refresh token based on the first authorization revocation request or the third authorization revocation request.

It should be noted that the first authorization revocation request or the third authorization revocation request is used to indicate the refresh token associated with the resource owner; the first entity needs to perform an authorization interaction with the API invoker over a network protocol and send the refresh token associated with the resource owner to the API invoker. Here, the first entity is one of a CCF network element and an authorization function. Under certain conditions, the CCF network element and the authorization function are designed in an integrated manner, that is, the CCF also assumes the responsibilities of the authorization function.

In some implementations, the refresh token associated with the resource owner may be used to generate an access token for a resource, so that the resource owner can access the corresponding resource based on the access token.

In some implementations, the first entity may receive the first authorization revocation request sent by the API invoker. Optionally, the first authorization revocation request may directly indicate the refresh token associated with the resource owner, or indirectly indicate the refresh token associated with the resource owner through parameter information.

In some implementations, the first entity may receive the third authorization revocation request sent by the terminal device, or by a resource owner client running on the terminal device, or by the resource owner. In some implementations, the resource owner may send the third authorization revocation request to the first entity in the CAPIF framework by operating the terminal or the resource owner client.

Optionally, the third authorization revocation request may directly contain the refresh token associated with the resource owner, or indirectly indicate the refresh token associated with the resource owner through parameter information related to the refresh token.

In some implementations, if the first authorization revocation request or the third authorization revocation request contains the refresh token, the refresh token contains the resource owner identifier.

Optionally, the first authorization revocation request or the third authorization revocation request may implicitly indicate the refresh token to the first entity.

In some implementations, the first authorization revocation request or the third authorization revocation request includes at least one of the following: a resource identifier of the authorized resource; an operation identifier of a semantic operation that can be performed on the authorized resource; identification information of the second entity; identification information of the resource owner.

In some implementations, the first entity may determine the refresh token based on at least one of the pieces of information in the first authorization revocation request or the third authorization revocation request, and perform the revocation operation on the refresh token.

Optionally, the first entity may determine the refresh token to be revoked through the identification information of the resource owner in the first authorization revocation request or the third authorization revocation request, and perform the revocation operation on that refresh token.

Optionally, the first entity may convert the identification information of the resource owner and the operation identifier of the semantic operation in the first authorization revocation request or the third authorization revocation request into 3GPP-domain information, and determine the refresh token based on the 3GPP-domain information. Further, after determining the refresh token to be revoked, the first entity may perform the revocation operation on that refresh token.

In some implementations, the 3GPP-domain information may be a specific data type structure, for example a Monitoring Event Report, together with the attribute information of that data type; the attribute information includes, but is not limited to, the API name and the monitoring type (monitoringType).

In some implementations, the content of the first authorization revocation request may be the same as the content of the third authorization revocation request. Where the contents are the same, optionally both the first authorization revocation request and the third authorization revocation request contain the refresh token to be revoked. Optionally, both the first authorization revocation request and the third authorization revocation request include parameter information related to the refresh token to be revoked. In the scenario where parameter information related to the refresh token is carried, the first entity may determine the refresh token based on at least one of the pieces of information in the received authorization revocation request, and perform the revocation operation on the refresh token.

Optionally, the revocation operation may include, but is not limited to, deleting the refresh token, deleting information related to the refresh token, deleting the access token associated with the refresh token, and so on. Optionally, the information related to the refresh token may be information such as the identifier of the resource owner and the identifier of the authorized resource.

In some implementations, the access token may be determined based on the refresh token: the first entity receives an access token application request sent by the API invoker and generates the corresponding access token based on the refresh token. In the present application, after the first entity performs the revocation operation on the refresh token according to the first authorization revocation request or the third authorization revocation request, if the first entity receives an access token application request sent by the API invoker, the first entity stops generating access tokens based on that refresh token. The refresh token can therefore no longer be used to obtain a new access token; accordingly, the resource owner cannot obtain a new access token and thus cannot access the resource, which effectively terminates the authorized access rights associated with that refresh token.

In the embodiment of the present application, the first entity may receive the first authorization revocation request sent by the API invoker, or the third authorization revocation request sent by the terminal device, or by a resource owner client running on the terminal device, or by the resource owner. The first entity determines the refresh token according to the first authorization revocation request or the third authorization revocation request and performs the revocation operation on the refresh token, so as to achieve the purpose of revoking authorization. In this way, a large amount of security and authorization information stored in the CCF can be deleted, the burden on the CCF reduced, the performance of the CAPIF framework improved, and the speed and efficiency of data processing increased.
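As an added illustration, not code from the patent application or from 3GPP, the following Python model plays out the flow of Figures 4 to 8 end to end: the API invoker turns a second authorization revocation request into a first one, and the first entity (CCF/authorization function) deletes the refresh token and its access tokens and then refuses to mint new access tokens from it. The class and method names, the RESOURCE_TO_3GPP mapping and every identifier value are assumptions made for the example.

```python
import secrets

# Constructed mapping from the resource owner client's vocabulary (resource id,
# semantic operation id) to 3GPP-domain attributes. The page names "API name" and
# "monitoringType" as example attributes; the values here are illustrative only.
RESOURCE_TO_3GPP = {("location", "read"): ("MonitoringEvent", "LOCATION_REPORTING")}


class AuthorizationFunction:
    """First entity (CCF / authorization function), hypothetical implementation."""

    def __init__(self):
        # refresh token -> (GPSI, API name, monitoringType); access token -> refresh token
        self._refresh = {}
        self._access = {}

    def issue_refresh_token(self, gpsi: str, api_name: str, monitoring_type: str) -> str:
        token = secrets.token_urlsafe(16)
        self._refresh[token] = (gpsi, api_name, monitoring_type)
        return token

    def request_access_token(self, refresh_token: str) -> "str | None":
        # A revoked refresh token has no record, so no new access token is minted
        # from it: this is what actually terminates the authorization.
        if refresh_token not in self._refresh:
            return None
        access = secrets.token_urlsafe(16)
        self._access[access] = refresh_token
        return access

    def is_access_token_valid(self, access_token: str) -> bool:
        return access_token in self._access

    def _resolve(self, request: dict) -> list:
        """Refresh token(s) a request indicates, directly or via GPSI plus optional
        resource/operation identifiers converted to 3GPP-domain attributes."""
        if "refresh_token" in request:
            return [request["refresh_token"]]
        want = (request["gpsi"],)
        if "resource_id" in request:
            want += RESOURCE_TO_3GPP[(request["resource_id"], request["operation_id"])]
        return [t for t, rec in self._refresh.items() if rec[:len(want)] == want]

    def handle_revocation_request(self, request: dict) -> dict:
        """S601/S602: handle a first (from the API invoker) or third (from the
        resource owner side) authorization revocation request."""
        revoked = []
        for token in self._resolve(request):
            if self._refresh.pop(token, None) is None:
                continue  # unknown or already revoked
            for access in [a for a, rt in self._access.items() if rt == token]:
                del self._access[access]  # access tokens derived from it go too
            revoked.append(token)
        return {"result": "success" if revoked else "failure", "revoked": revoked}


class ApiInvoker:
    """Second entity, hypothetical implementation: keeps one refresh token per
    (GPSI, API name, monitoringType) and relays revocation to the first entity."""

    def __init__(self, invoker_id: str, first_entity: AuthorizationFunction):
        self.invoker_id = invoker_id
        self.first_entity = first_entity
        self._tokens = {}

    def obtain_authorization(self, gpsi: str, resource_id: str, operation_id: str) -> str:
        key = (gpsi,) + RESOURCE_TO_3GPP[(resource_id, operation_id)]
        self._tokens[key] = self.first_entity.issue_refresh_token(*key)
        return self._tokens[key]

    def handle_second_revocation_request(self, second: dict) -> dict:
        """S401/S402 and S501-S503: resolve the refresh token(s) from the second
        request, send one first revocation request per token, relay the result."""
        want = (second["gpsi"],)
        if "resource_id" in second:
            want += RESOURCE_TO_3GPP[(second["resource_id"], second["operation_id"])]
        results = []
        for key in [k for k in self._tokens if k[:len(want)] == want]:
            first = {"refresh_token": self._tokens[key], "token_type_hint": "refresh_token",
                     "invoker_id": self.invoker_id}
            response = self.first_entity.handle_revocation_request(first)  # S403
            if response["result"] == "success":
                del self._tokens[key]
            results.append(response["result"])
        ok = bool(results) and all(r == "success" for r in results)
        return {"result": "success" if ok else "failure"}  # relayed in S404


def run_flow() -> dict:
    """Constructed end-to-end run: authorize, use, revoke through the invoker, verify."""
    af = AuthorizationFunction()
    invoker = ApiInvoker("af-app-1", af)
    rt = invoker.obtain_authorization("gpsi-example-1", "location", "read")
    access_before = af.request_access_token(rt)
    resp = invoker.handle_second_revocation_request(
        {"gpsi": "gpsi-example-1", "resource_id": "location", "operation_id": "read"})
    return {"response": resp["result"],
            "old_access_valid": af.is_access_token_valid(access_before),
            "new_access": af.request_access_token(rt),
            "second_attempt": invoker.handle_second_revocation_request({"gpsi": "gpsi-example-1"})["result"]}
```

A second revocation for the same owner reports failure because no refresh token remains, which is the signal the page says the invoker relays so the resource owner side can retry when needed.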

Please refer to Figure 7, which is a schematic flow chart of an authorization revocation method provided in an embodiment of the present application. The authorization revocation method may be performed by the first entity in the CAPIF framework. As shown in Figure 7, the method may include, but is not limited to, the following steps:

S701: Receive a first authorization revocation request.

In some implementations, the first entity may receive the first authorization revocation request sent by the second entity. Optionally, the second entity may be an API invoker; optionally, the API invoker is an application function or a client running on a terminal.

S702: Determine a refresh token based on the first authorization revocation request.

In some implementations, the first authorization revocation request may directly indicate or contain the refresh token associated with the resource owner. Optionally, if the third authorization revocation request contains the refresh token, the refresh token contains resource owner identification information (for example, a GPSI).

In some implementations, the first authorization revocation request may indirectly indicate the refresh token associated with the resource owner through parameter information related to the refresh token. For example, the first authorization revocation request includes at least one of the following: a resource identifier of the authorized resource; an operation identifier of a semantic operation that can be performed on the authorized resource; identification information of the second entity; identification information of the resource owner. The first entity may determine the refresh token based on the above information included in the first authorization revocation request. For the specific process of determining the refresh token based on the above information included in the first authorization revocation request, reference may be made to the relevant description in the above embodiments, which is not repeated here.

S703: Perform a revocation operation on the refresh token.

In the embodiment of the present application, step S703 may be implemented in any of the ways described in the embodiments of the present application; this is not limited here and is not described again.

Based on the above embodiment, the authorization revocation method may further include the following step:

S704: Send a revocation response message corresponding to the first authorization revocation request to the second entity.

In some implementations, the first entity receives the first authorization revocation request sent by the API invoker, determines the refresh token, performs the revocation operation on the refresh token, and generates the corresponding revocation response message. After performing the revocation operation, the first entity should also send the corresponding revocation response message to the API invoker. The API invoker can determine, based on the revocation response message, whether the refresh token was successfully revoked; if it was not, authorization revocation can be performed again for the refresh token.

In the embodiment of the present application, the first entity may receive the first authorization revocation request sent by the API invoker and perform the revocation operation on the refresh token according to the first authorization revocation request, so as to achieve the purpose of revoking authorization. In this way, a large amount of security and authorization information stored in the CCF can be deleted, the burden on the CCF reduced, the performance of the CAPIF framework improved, and the speed and efficiency of data processing increased. Further, the response message corresponding to the authorization revocation request is sent to the API invoker, so that the API invoker can promptly learn whether the revocation of authorization succeeded and, if it did not, promptly perform authorization revocation again, so as to achieve the purpose of revoking authorization.

Please refer to Figure 8, which is a schematic flow chart of an authorization revocation method provided in an embodiment of the present application. The authorization revocation method may be performed by the first entity in the CAPIF framework. As shown in Figure 8, the method may include, but is not limited to, the following steps:

S801: Receive a third authorization revocation request.

In some implementations, the first entity may receive the third authorization revocation request sent by the terminal device, or by a resource owner client running on the terminal device, or by the resource owner.

S802: Determine a refresh token based on the third authorization revocation request.

In some implementations, the third authorization revocation request may directly indicate or contain the refresh token associated with the resource owner. Optionally, if the third authorization revocation request contains the refresh token, the refresh token contains resource owner identification information (GPSI).

In some implementations, the third authorization revocation request may indirectly indicate the refresh token associated with the resource owner through parameter information related to the refresh token. For example, the third authorization revocation request includes at least one of the following: a resource identifier of the authorized resource; an operation identifier of a semantic operation that can be performed on the authorized resource; identification information of the second entity; identification information of the resource owner. The first entity may determine the refresh token based on the above information included in the third authorization revocation request. For the specific process of determining the refresh token based on the above information included in the third authorization revocation request, reference may be made to the relevant description in the above embodiments, which is not repeated here.

S803: Perform a revocation operation on the refresh token.

In the embodiment of the present application, step S803 may be implemented in any of the ways described in the embodiments of the present application; this is not limited here and is not described again.

Based on the above embodiment, the authorization revocation method may further include the following step:

S804: Send a revocation response message corresponding to the third authorization revocation request to the terminal device or the resource owner client or the resource owner.

In some implementations, the first entity receives the third authorization revocation request sent by the terminal device or the resource owner client or the resource owner, determines the refresh token, performs the revocation operation on the refresh token, and generates the corresponding revocation response message. After performing the revocation operation, the first entity should also send the corresponding revocation response message to the terminal device or the resource owner client or the resource owner. The terminal device or the resource owner client or the resource owner can determine, based on the revocation response message, whether the refresh token was successfully revoked; if it was not, authorization revocation can be performed again for the refresh token.

In the embodiment of the present application, the first entity may receive the third authorization revocation request sent by the terminal device, or by a resource owner client running on the terminal device, or by the resource owner, and performs the revocation operation on the refresh token associated with the resource owner according to the third authorization revocation request. In this way, a large amount of security and authorization information stored in the CCF can be deleted, the burden on the CCF reduced, the performance of the CAPIF framework improved, and the speed and efficiency of data processing increased. Further, the response message corresponding to the authorization revocation request is sent to the terminal device or the resource owner client or the resource owner, so that the terminal device or the resource owner client or the resource owner can promptly learn whether the revocation of authorization succeeded and, if it did not, promptly perform authorization revocation again, so as to achieve the purpose of revoking authorization.

Referring to Figure 9, Figure 9 is a flowchart of an authorization revocation method provided in an embodiment of the present application. The authorization revocation method may be executed by a resource owner client or a terminal device. As shown in Figure 9, the method may include, but is not limited to, the following steps:

S901: Send a second authorization revocation request to the second entity; or send a third authorization revocation request to the first entity in the CAPIF framework.

In some implementations, the second entity may be an API invoker; optionally, the API invoker is an application function or a client running on a terminal.

In some implementations, the first entity is one of a CCF network element or an authorization function.

In some implementations, the resource owner may send the second authorization revocation request to the API invoker, or send the third authorization revocation request to the first entity in the CAPIF framework, by operating the terminal or the resource owner client.

In some implementations, the resource owner client or the terminal device may send a second authorization revocation request to the API invoker, where the second authorization revocation request is used to determine the first authorization revocation request sent to the first entity.

In some implementations, the resource owner client or the terminal device may send a third authorization revocation request to the first entity in the CAPIF framework. The first, second, or third authorization revocation request is used to indicate a refresh token associated with the resource owner. Optionally, the first, second, or third authorization revocation request may directly indicate the refresh token associated with the resource owner, or indirectly indicate it through parameter information related to the refresh token.

It can be understood that the resource owner is an end user, a subscriber associated with the terminal, or a human being. The resource owner client runs on the terminal device, and the resource owner interacts with a server through the client on the terminal device. For example, the resource owner client is a browser, the API invoker is the server accessed by the browser, and the resource owner interacts with the server through the browser.

Optionally, the second authorization revocation request or the third authorization revocation request includes at least one of the following: a resource identifier of the authorized resource; an operation identifier of a semantic operation that can be performed on the authorized resource; identification information of the second entity; identification information of the resource owner.

The first entity may determine the refresh token based on the above information included in the authorization revocation request, and perform a revocation operation on the refresh token.

In the embodiments of the present application, the resource owner client or the terminal may send a second authorization revocation request to the API invoker so that a first authorization revocation request is generated and sent to the first entity, or may send a third authorization revocation request directly to the first entity, in order to revoke the authorization. A large amount of security and authorization information stored in the CCF can thus be deleted, reducing the load on the CCF, improving the performance of the CAPIF framework, and in turn improving the speed and efficiency of data processing.

Referring to Figure 10, Figure 10 is a flowchart of an authorization revocation method provided in an embodiment of the present application. The authorization revocation method may be executed by a resource owner client or a terminal device. As shown in Figure 10, the method may include, but is not limited to, the following steps:

S1001: Send a second authorization revocation request to the second entity.

In some implementations, the second entity may be an API invoker; optionally, the API invoker is an application function or a client running on a terminal.

In some implementations, the resource owner may send the second authorization revocation request to the API invoker by operating the terminal or the resource owner client.

In some implementations, the resource owner client or the terminal device may send a second authorization revocation request to the API invoker, where the second authorization revocation request is used to determine the first authorization revocation request sent to the first entity.

S1002: Receive the revocation response message corresponding to the first authorization revocation request sent by the API invoker.

In some implementations, the resource owner client or the terminal may send a second authorization revocation request to the API invoker, and the API invoker generates a first authorization revocation request according to the second authorization revocation request. After receiving the first authorization revocation request, the first entity may perform a revocation operation on the refresh token indicated by the first authorization revocation request. After completing the revocation operation, the first entity may generate a revocation response message corresponding to the first authorization revocation request and return it to the API invoker, which forwards the revocation response message corresponding to the first authorization revocation request to the resource owner client or the terminal device. The resource owner client or the terminal device may determine from the revocation response message whether the refresh token was successfully revoked and, if not, send a request to revoke the refresh token again. Optionally, the first entity is one of a CCF network element or an authorization function.

Optionally, the second authorization revocation request includes at least one of the following: a resource identifier of the authorized resource; an operation identifier of a semantic operation that can be performed on the authorized resource; identification information of the second entity; identification information of the resource owner.

In the embodiments of the present application, the first entity can be made to delete a large amount of security and authorization information stored in the CCF or the authorization function, reducing the load on the CCF, improving the performance of the CAPIF framework, and improving the speed and efficiency of data processing. Furthermore, a corresponding revocation response message is generated and returned to the resource owner client, the terminal device, or the resource owner, so that the terminal device, the resource owner client, or the resource owner can promptly learn whether the authorization revocation succeeded and, if not, promptly request revocation again, thereby achieving the purpose of authorization revocation.

Referring to Figure 11, Figure 11 is a flowchart of an authorization revocation method provided in an embodiment of the present application. The authorization revocation method may be executed by a resource owner client or a terminal device. As shown in Figure 11, the method may include, but is not limited to, the following steps:

S1101: Send a third authorization revocation request to the first entity.

In some implementations, the resource owner may send the third authorization revocation request to the first entity by operating the terminal or the resource owner client.

S1102: Receive the revocation response message corresponding to the third authorization revocation request sent by the first entity.

In some implementations, the resource owner client or the terminal device may send a third authorization revocation request to the first entity in the CAPIF framework. The third authorization revocation request is used to indicate a refresh token associated with the resource owner. Optionally, the third authorization revocation request may directly indicate or include the refresh token associated with the resource owner, or indirectly indicate it through parameter information related to the refresh token. For example, the third authorization revocation request includes at least one of the following: a resource identifier of the authorized resource; an operation identifier of a semantic operation that can be performed on the authorized resource; identification information of the second entity; identification information of the resource owner.

In some implementations, the resource owner client, the terminal device, or the resource owner may send a third authorization revocation request to the first entity. After receiving the third authorization revocation request, the first entity may perform a revocation operation on the refresh token indicated by the third authorization revocation request.

After completing the revocation operation, the first entity may generate a revocation response message corresponding to the third authorization revocation request and return it to the resource owner client, the terminal device, or the resource owner, which may determine from the revocation response message whether the refresh token was successfully revoked and, if not, send a request to revoke the refresh token again.

In the embodiments of the present application, the first entity can be made to delete a large amount of security and authorization information stored in the CCF or the authorization function, reducing the load on the CCF, improving the performance of the CAPIF framework, and improving the speed and efficiency of data processing. Furthermore, a corresponding revocation response message is generated and returned to the resource owner client, the terminal device, or the resource owner, so that the terminal device, the resource owner client, or the resource owner can promptly learn whether the authorization revocation succeeded and, if not, promptly request revocation again, thereby achieving the purpose of authorization revocation.
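The exchange just described, as an added example that is not part of the patent: a Python model of the first entity (CCF or authorization function) resolving a direct or indirect indication of the refresh token, revoking it, returning a revocation response that the client uses to decide whether to resend, and afterwards refusing access-token requests based on the revoked refresh token (the behaviour the apparatus description later attributes to the first entity). All message field names and identifiers are constructed, and the conversion of resource and operation identifiers into 3GPP-domain information is omitted.

```python
"""Added example (not from the patent): toy model of the first entity (CCF /
authorization function) handling revocation requests that indicate a refresh
token directly or indirectly, answering with a revocation response, refusing
later access-token requests for a revoked refresh token, and a client-side
resend loop. All identifiers and message field names are constructed."""
from __future__ import annotations

from dataclasses import dataclass
import secrets


@dataclass
class RefreshTokenRecord:
    """Refresh token bound to the tuple that the indirect request form carries."""
    token: str
    api_invoker_id: str      # identification information of the second entity
    resource_owner_id: str   # identification information of the resource owner
    resource_id: str         # authorized resource
    operation_id: str        # semantic operation permitted on the resource
    revoked: bool = False


# Parameter names accepted in an indirect request (constructed names).
INDIRECT_KEYS = ("resource_id", "operation_id", "api_invoker_id", "resource_owner_id")


class FirstEntity:
    """Models the CCF / authorization function side of the exchange."""

    def __init__(self) -> None:
        self._tokens: dict[str, RefreshTokenRecord] = {}

    def issue_refresh_token(self, api_invoker_id: str, resource_owner_id: str,
                            resource_id: str, operation_id: str) -> str:
        """Simplified authorization interaction: mint and store a refresh token."""
        token = secrets.token_urlsafe(16)
        self._tokens[token] = RefreshTokenRecord(
            token, api_invoker_id, resource_owner_id, resource_id, operation_id)
        return token

    def _match(self, request: dict) -> list[RefreshTokenRecord]:
        """Direct form: the request carries the refresh token itself.
        Indirect form: match every identifier the request does carry.
        Already-revoked tokens never match, so a repeated request reports failure."""
        if "refresh_token" in request:
            rec = self._tokens.get(request["refresh_token"])
            return [rec] if rec and not rec.revoked else []
        criteria = {k: request[k] for k in INDIRECT_KEYS if k in request}
        if not criteria:
            return []  # nothing in the request identifies a token
        return [r for r in self._tokens.values()
                if not r.revoked and all(getattr(r, k) == v for k, v in criteria.items())]

    def handle_revocation_request(self, request: dict) -> dict:
        """Revoke the matching refresh token(s) and build the revocation response message."""
        matches = self._match(request)
        if not matches:
            return {"result": "failure", "reason": "no matching active refresh token"}
        for rec in matches:
            rec.revoked = True
        return {"result": "success", "revoked_count": len(matches)}

    def handle_access_token_request(self, refresh_token: str) -> dict:
        """After revocation, no further access tokens are generated from the refresh token."""
        rec = self._tokens.get(refresh_token)
        if rec is None or rec.revoked:
            return {"result": "failure", "reason": "refresh token revoked or unknown"}
        return {"result": "success", "access_token": secrets.token_urlsafe(16)}


def revoke_with_retry(entity: FirstEntity, request: dict, max_attempts: int = 3) -> dict:
    """Client side: resend the revocation request until the response reports success."""
    response = {"result": "failure", "reason": "not attempted"}
    for _ in range(max_attempts):
        response = entity.handle_revocation_request(request)
        if response["result"] == "success":
            break
    return response


def demo() -> dict:
    """Walk through both request forms; returns the responses for inspection."""
    ccf = FirstEntity()
    # Constructed identifiers: one refresh token per (invoker, owner, resource, operation).
    tok_direct = ccf.issue_refresh_token("invoker-A", "owner-1", "res-location", "read")
    tok_indirect = ccf.issue_refresh_token("invoker-A", "owner-2", "res-location", "read")

    direct = ccf.handle_revocation_request(
        {"refresh_token": tok_direct, "token_type_hint": "refresh_token"})
    indirect = ccf.handle_revocation_request(
        {"api_invoker_id": "invoker-A", "resource_owner_id": "owner-2"})
    # A request that names nothing identifying a token fails on every attempt.
    empty = revoke_with_retry(ccf, {"token_type_hint": "refresh_token"})
    return {
        "direct": direct,
        "indirect": indirect,
        "empty": empty,
        "after_direct": ccf.handle_access_token_request(tok_direct),
        "after_indirect": ccf.handle_access_token_request(tok_indirect),
    }
```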

Referring to Figure 12, Figure 12 is an interaction diagram of an authorization revocation method provided in an embodiment of the present application. As shown in Figure 12, the method may include, but is not limited to, the following steps:

S1201: The resource owner client, the terminal device, or the resource owner sends a second authorization revocation request to the second entity.

In some implementations, the second entity may be an API invoker; optionally, the API invoker is an application function or a client running on a terminal.

S1202: The second entity sends a first authorization revocation request to the first entity; the first authorization revocation request may directly indicate or include the refresh token associated with the resource owner.

S1203: The first entity performs a revocation operation on the refresh token associated with the resource owner.

S1204: The first entity sends a revocation response message corresponding to the first authorization revocation request to the second entity.

S1205: The second entity sends the revocation response message to the resource owner client, the terminal device, or the resource owner.

In the embodiments of the present application, the first entity can be made to delete a large amount of security and authorization information stored in the CCF or the authorization function, reducing the load on the CCF, improving the performance of the CAPIF framework, and improving the speed and efficiency of data processing. Furthermore, a corresponding revocation response message is generated and returned to the resource owner client, the terminal device, or the resource owner, so that the terminal device, the resource owner client, or the resource owner can promptly learn whether the authorization revocation succeeded and, if not, promptly request revocation again, thereby achieving the purpose of authorization revocation.

Referring to Figure 13, Figure 13 is an interaction diagram of an authorization revocation method provided in an embodiment of the present application. As shown in Figure 13, the method may include, but is not limited to, the following steps:

S1301: The second entity sends a first authorization revocation request to the first entity.

S1302: The first entity performs a revocation operation on the refresh token associated with the resource owner.

S1303: The first entity sends a revocation response message corresponding to the first authorization revocation request to the second entity.

In the embodiments of the present application, the first entity can be made to delete a large amount of security and authorization information stored in the CCF or the authorization function, reducing the load on the CCF, improving the performance of the CAPIF framework, and improving the speed and efficiency of data processing. Furthermore, a corresponding revocation response message is generated and returned to the resource owner client, the terminal device, or the resource owner, so that the terminal device, the resource owner client, or the resource owner can promptly learn whether the authorization revocation succeeded and, if not, promptly request revocation again, thereby achieving the purpose of authorization revocation.

In the embodiments provided above, the methods provided by the embodiments of the present application are described from the perspectives of the network device and the terminal device respectively. To implement the functions in the methods provided by the embodiments of the present application, the network device and the terminal device may include a hardware structure and/or software modules, and implement the above functions in the form of a hardware structure, software modules, or a hardware structure plus software modules. Any one of the above functions may be performed in the form of a hardware structure, software modules, or a hardware structure plus software modules.

Referring to Figure 14, Figure 14 is a schematic structural diagram of a communication apparatus 1400 provided in an embodiment of the present application. The communication apparatus 1400 shown in Figure 14 may include a transceiver module 1401 and a processing module 1402. The transceiver module 1401 may include a sending module and/or a receiving module; the sending module is used to implement a sending function, the receiving module is used to implement a receiving function, and the transceiver module 1401 may implement the sending function and/or the receiving function.

The communication apparatus 1400 may be the second entity, an apparatus in the second entity, or an apparatus that can be used in combination with the second entity. Alternatively, the communication apparatus 1400 may be the first entity in the CAPIF framework, an apparatus in the first entity in the CAPIF framework, or an apparatus that can be used in combination with the first entity in the CAPIF framework. Alternatively, the communication apparatus 1400 may be the resource owner client or the terminal device, an apparatus in the resource owner client or the terminal device, or an apparatus that can be used in combination with the resource owner client or the terminal device.

When the communication apparatus 1400 is the second entity:

The transceiver module 1401 is configured to send a first authorization revocation request to the first entity in the CAPIF framework, where the first authorization revocation request is used to indicate a refresh token associated with the resource owner.

In some implementations, the transceiver module 1401 is further configured to receive a second authorization revocation request, generate the first authorization revocation request based on the second authorization revocation request, and send the first authorization revocation request to the first entity.

In some implementations, the transceiver module 1401 is further configured to receive the revocation response message corresponding to the first authorization revocation request sent by the first entity.

In some implementations, the second authorization revocation request is sent by a terminal device, a resource owner client running on the terminal device, or a resource owner.

In some implementations, the transceiver module 1401 is further configured to send the revocation response message to the terminal device, the resource owner client, or the resource owner.

In some implementations, the second authorization revocation request includes at least one of the following: a resource identifier of the authorized resource; an operation identifier of a semantic operation that can be performed on the authorized resource; identification information of the second entity; identification information of the resource owner.

In some implementations, the transceiver module 1401 is further configured to determine the refresh token based on the second authorization revocation request, and send the first authorization revocation request to the first entity based on the refresh token.

In some implementations, the processing module 1402 is further configured to convert the resource identifier and/or the operation identifier to generate information in the 3GPP domain, and determine the refresh token based on the information in the 3GPP domain.

In some implementations, the transceiver module 1401 is further configured to send the refresh token and/or the token type of the refresh token to the first entity through the first authorization revocation request.

In some implementations, before sending the first authorization revocation request, the transceiver module 1401 is further configured to perform an authorization interaction with the first entity to obtain the refresh token associated with the resource owner.

In some implementations, the first entity is the core function CCF or the authorization function in the CAPIF framework.

When the communication apparatus 1400 is the first entity in the CAPIF framework:

The transceiver module 1401 is configured to receive a first authorization revocation request or a third authorization revocation request, where the first authorization revocation request or the third authorization revocation request may indicate a refresh token associated with the resource owner;

The processing module 1402 is configured to perform a revocation operation on the refresh token based on the first authorization revocation request or the third authorization revocation request.

In some implementations, the transceiver module 1401 is further configured to receive the first authorization revocation request sent by the second entity.

In some implementations, the transceiver module 1401 is further configured to receive the third authorization revocation request sent by a terminal device, a resource owner client running on the terminal device, or a resource owner.

In some implementations, the transceiver module 1401 is further configured to send a revocation response message corresponding to the first authorization revocation request to the second entity; or to send a revocation response message corresponding to the third authorization revocation request to the terminal device, the resource owner client, or the resource owner.

In some implementations, the third authorization revocation request includes at least one of the following: a resource identifier of the authorized resource; an operation identifier of a semantic operation that can be performed on the authorized resource; identification information of the second entity; identification information of the resource owner.

In some implementations, the processing module 1402 is further configured to convert the resource identifier and/or the operation identifier to generate information in the 3GPP domain, and determine the refresh token based on the information in the 3GPP domain.

In some implementations, the transceiver module 1401 is further configured to perform an authorization interaction with the second entity and send the refresh token associated with the resource owner to the second entity.

In some implementations, the processing module 1402 is further configured to determine the refresh token and/or the token type of the refresh token based on the first authorization revocation request or the third authorization revocation request.

In some implementations, the first entity is one of the core function CCF network element or the authorization function in the CAPIF framework.

In some implementations, the transceiver module 1401 is further configured to, when an access token request sent by the second entity is received, stop generating access tokens based on the refresh token.

When the communication apparatus 1400 is the resource owner client or the terminal device:

The transceiver module 1401 is configured to send a second authorization revocation request to the second entity, where the second authorization revocation request is used to determine the first authorization revocation request sent to the first entity; or to send a third authorization revocation request to the first entity in the CAPIF framework; where the second authorization revocation request or the third authorization revocation request may indicate a refresh token associated with the resource owner.

In some implementations, the transceiver module 1401 is further configured to receive the revocation response message corresponding to the first authorization revocation request sent by the second entity; or to receive the revocation response message corresponding to the third authorization revocation request sent by the first entity.

In some implementations, the second authorization revocation request or the third authorization revocation request includes at least one of the following: a resource identifier of the authorized resource; an operation identifier of a semantic operation that can be performed on the authorized resource; identification information of the second entity; identification information of the resource owner.

In some implementations, the resource owner client runs on the terminal device.

In the embodiments of the present application, the second entity sends an authorization revocation request indicating the refresh token to the first entity in order to revoke the authorization, so that a large amount of security and authorization information stored in the CCF is deleted, which reduces the load on the CCF, improves the performance of the CAPIF framework, and in turn improves the speed and efficiency of data processing.

请参见图15,图15是本申请实施例提供的另一种通信装置1500的结构示意图。通信装置1500可以是第二实体,也可以是CAPIF框架中的第一实体,也可以是资源所有者客户端或终端设备,也可以是支持第二实体实现上述方法的芯片、芯片系统、或处理器等,还可以是支持CAPIF框架中的第一实体实现上述方法的芯片、芯片系统、或处理器等,还可以是支持资源所有者客户端或终端设备实现上述方法的芯片、芯片系统、或处理器等。该装置可用于实现上述方法实施例中描述的方法,具体可以参见上述方法实施例中的说明。Please refer to Figure 15, which is a schematic diagram of the structure of another communication device 1500 provided in an embodiment of the present application. The communication device 1500 can be a second entity, or a first entity in the CAPIF framework, or a resource owner client or terminal device, or a chip, chip system, or processor that supports the second entity to implement the above method, or a chip, chip system, or processor that supports the first entity in the CAPIF framework to implement the above method, or a chip, chip system, or processor that supports the resource owner client or terminal device to implement the above method. The device can be used to implement the method described in the above method embodiment, and the details can be referred to the description in the above method embodiment.

通信装置1500可以包括一个或多个处理器1501。处理器1501可以是通用处理器或者专用处理器等。例如可以是基带处理器或中央处理器。基带处理器可以用于对通信协议以及通信数据进行处理,中央处理器可以用于对通信装置(如,基站、基带芯片,终端设备、终端设备芯片,DU或CU等)进行控制,执行计算机程序,处理计算机程序的数据。The communication device 1500 may include one or more processors 1501. The processor 1501 may be a general-purpose processor or a dedicated processor, etc. For example, it may be a baseband processor or a central processing unit. The baseband processor may be used to process the communication protocol and communication data, and the central processing unit may be used to control the communication device (such as a base station, a baseband chip, a terminal device, a terminal device chip, a DU or a CU, etc.), execute a computer program, and process the data of the computer program.

可选的,通信装置1500中还可以包括一个或多个存储器1502,其上可以存有计算机程序1504,处理器1501执行所述计算机程序1504,以使得通信装置1500执行上述方法实施例中描述的方法。可选的,所述存储器1502中还可以存储有数据。通信装置1500和存储器1502可以单独设置,也可以集成在一起。Optionally, the communication device 1500 may further include one or more memories 1502, on which a computer program 1504 may be stored, and the processor 1501 executes the computer program 1504 so that the communication device 1500 performs the method described in the above method embodiment. Optionally, data may also be stored in the memory 1502. The communication device 1500 and the memory 1502 may be provided separately or integrated together.

Optionally, the communication device 1500 may further include a transceiver 1505 and an antenna 1506. The transceiver 1505 may be referred to as a transceiver unit, a transceiver or a transceiver circuit, and is used to implement the transmit and receive functions. The transceiver 1505 may include a receiver and a transmitter; the receiver may be referred to as a receiving unit or receiving circuit and is used to implement the receiving function, and the transmitter may be referred to as a transmitting unit or transmitting circuit and is used to implement the transmitting function.

Optionally, the communication device 1500 may further include one or more interface circuits 1507. The interface circuit 1507 is used to receive code instructions and transmit them to the processor 1501. The processor 1501 runs the code instructions to enable the communication device 1500 to perform the method described in the above method embodiments.

In one implementation, the processor 1501 may include a transceiver for implementing the receiving and sending functions. For example, the transceiver may be a transceiver circuit, an interface, or an interface circuit. The transceiver circuit, interface or interface circuit for implementing the receiving and sending functions may be separate or integrated. The above transceiver circuit, interface or interface circuit may be used for reading and writing code or data, or for transmitting or delivering signals.

In one implementation, the processor 1501 may store a computer program 1503 which, when run on the processor 1501, enables the communication device 1500 to perform the method described in the above method embodiments. The computer program 1503 may be fixed in the processor 1501, in which case the processor 1501 may be implemented by hardware.

In one implementation, the communication device 1500 may include a circuit that implements the sending, receiving or communicating functions of the aforementioned method embodiments. The processor and transceiver described in the present application may be implemented in an integrated circuit (IC), an analog IC, a radio frequency integrated circuit (RFIC), a mixed-signal IC, an application specific integrated circuit (ASIC), a printed circuit board (PCB), an electronic device, and so on. The processor and transceiver may also be manufactured using various IC process technologies, such as complementary metal oxide semiconductor (CMOS), N-type metal oxide semiconductor (NMOS), P-type metal oxide semiconductor (PMOS), bipolar junction transistor (BJT), bipolar CMOS (BiCMOS), silicon germanium (SiGe), gallium arsenide (GaAs), etc.

The communication device described in the above embodiments may be the second entity, the first entity in the CAPIF framework, or the resource owner client or terminal device, but the scope of the communication device described in this application is not limited thereto, and the structure of the communication device need not be limited by Figure 14. The communication device may be an independent device or part of a larger device. For example, the communication device may be:

(1) an independent integrated circuit (IC), a chip, or a chip system or subsystem;

(2) a set of one or more ICs; optionally, the IC set may also include a storage component for storing data and computer programs;

(3) an ASIC, such as a modem;

(4) a module that can be embedded in other devices;

(5) a receiver, terminal device, intelligent terminal device, cellular phone, wireless device, handheld device, mobile unit, vehicle-mounted device, network device, cloud device, artificial intelligence device, and so on;

(6) others.

For the case where the communication device is a chip or a chip system, refer to the schematic diagram of the chip structure shown in Figure 16. The chip shown in Figure 16 includes a processor 1601 and an interface 1602. There may be one or more processors 1601, and there may be multiple interfaces 1602.

Optionally, the chip further includes a memory 1603, which is used to store the necessary computer programs and data.

In some implementations, the chip can be used to implement the functions of the second entity in the above embodiments of the present application.

In some implementations, the chip can be used to implement the functions of the first entity in the CAPIF framework in the above embodiments of the present application.

In some implementations, the chip can be used to implement the functions of the resource owner client or terminal device in the above embodiments of the present application.

In the embodiments of the present application, the second entity first performs an authorization interaction with the first entity to obtain a refresh token. The second entity then accepts a second authorization revocation request sent by the resource owner client or terminal, generates a first authorization revocation request from it, and sends the first authorization revocation request to the first entity so that the authorization is revoked. This reduces the burden on the CCF, improves the performance of the CAPIF framework, and increases the speed and efficiency of data processing.

Those skilled in the art will also understand that the various illustrative logical blocks and steps listed in the embodiments of the present application may be implemented by electronic hardware, computer software, or a combination of the two. Whether such functions are implemented in hardware or software depends on the specific application and the design requirements of the overall system. Those skilled in the art may use various methods to implement the described functions for each specific application, but such implementation should not be understood as exceeding the scope of protection of the embodiments of the present application.

The embodiments of the present application also provide a communication system 1700 for authorization revocation, which includes a first entity 1701 in a CAPIF framework and a second entity 1702.

The second entity 1702 is configured to send a first authorization revocation request to the first entity, wherein the first authorization revocation request is used to indicate a refresh token associated with a resource owner;

The first entity 1701 is configured to perform a revocation operation on the refresh token based on the first authorization revocation request.

In some implementations, the communication system further includes a resource owner client or terminal device 1703, which is configured to send a second authorization revocation request to the second entity;

The second entity 1702 is configured to generate the first authorization revocation request based on the second authorization revocation request, and to send the first authorization revocation request to the first entity.

The embodiments of the present application also provide a communication system 1800 for authorization revocation, which includes a first entity 1801 in a CAPIF framework and a resource owner client or terminal device 1802.

The resource owner client or terminal device 1802 is configured to send a third authorization revocation request to the first entity in the CAPIF framework, wherein the third authorization revocation request is used to indicate a refresh token associated with the resource owner;

The first entity 1801 is configured to perform a revocation operation on the refresh token based on the first authorization revocation request.

Optionally, the communication device in the aforementioned embodiment of Figure 14 may serve as the communication device of the second entity, of the first entity in the CAPIF framework, or of the resource owner client or terminal device; alternatively, the communication device in the aforementioned embodiment of Figure 15 may serve as the communication device of the second entity, of the first entity in the CAPIF framework, or of the resource owner client or terminal device.

The present application also provides a readable storage medium having instructions stored thereon which, when executed by a computer, implement the functions of any of the above method embodiments.

The present application also provides a computer program product which, when executed by a computer, implements the functions of any of the above method embodiments.

The above embodiments may be implemented in whole or in part by software, hardware, firmware or any combination thereof. When implemented in software, they may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer programs. When the computer program is loaded and executed on a computer, the processes or functions described in the embodiments of the present application are produced in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a computer network, or another programmable device. The computer program may be stored in a computer-readable storage medium, or transmitted from one computer-readable storage medium to another; for example, the computer program may be transmitted from a website, computer, server or data center to another website, computer, server or data center by wired means (e.g., coaxial cable, optical fiber, digital subscriber line (DSL)) or wireless means (e.g., infrared, radio, microwave). The computer-readable storage medium may be any available medium that a computer can access, or a data storage device such as a server or data center that integrates one or more available media. The available medium may be a magnetic medium (e.g., a floppy disk, a hard disk, a magnetic tape), an optical medium (e.g., a high-density digital video disc (DVD)), or a semiconductor medium (e.g., a solid state disk (SSD)).

A person of ordinary skill in the art will understand that the ordinal designations such as "first" and "second" used in the present application serve only to distinguish items for convenience of description; they are not used to limit the scope of the embodiments of the present application, nor do they indicate any order of precedence.

"At least one" in the present application may also be described as "one or more", and "a plurality" may be two, three, four or more, which is not limited in the present application. In the embodiments of the present application, instances of a technical feature are distinguished by "first", "second", "third", "A", "B", "C", "D" and the like, and there is no order of precedence or of magnitude between the technical features so designated.

The correspondences shown in the tables of the present application may be configured or may be predefined. The values of the information in each table are only examples and may be configured to other values, which the present application does not limit. When configuring the correspondence between information and parameters, it is not required that all correspondences illustrated in each table be configured. For example, the correspondences shown in some rows of a table in the present application may be left unconfigured. As another example, the above tables may be suitably adapted, for instance by splitting or merging. The parameter names shown in the table headings may be replaced by other names that the communication device understands, and the values or representations of the parameters may likewise be other values or representations that the communication device understands. When implemented, the above tables may also use other data structures, such as arrays, queues, containers, stacks, linear lists, pointers, linked lists, trees, graphs, structures, classes, heaps or hash tables.

"Predefined" in the present application may be understood as defined, predefined, stored, pre-stored, pre-negotiated, pre-configured, fixed or pre-burned.

A person of ordinary skill in the art will appreciate that the units and algorithm steps of the examples described in the embodiments disclosed herein can be implemented in electronic hardware, or in a combination of computer software and electronic hardware. Whether these functions are executed in hardware or software depends on the specific application and design constraints of the technical solution. Skilled persons may use different methods to implement the described functions for each specific application, but such implementation should not be considered to exceed the scope of the present application.

Those skilled in the art will clearly understand that, for convenience and brevity of description, the specific working processes of the systems, devices and units described above may be found in the corresponding processes of the aforementioned method embodiments and are not repeated here.

The above are only specific implementations of the present application, but the protection scope of the present application is not limited thereto. Any person skilled in the art can readily conceive of changes or substitutions within the technical scope disclosed in the present application, and these should be included in the protection scope of the present application. Therefore, the protection scope of the present application shall be determined by the protection scope of the claims.

Claims (40)

1. A method for revoking authorization, characterized in that it is performed by a second entity, the method comprising:
sending a first authorization revocation request to a first entity in a common application programming interface (CAPIF) framework, wherein the first authorization revocation request is used to indicate a refresh token related to a resource owner.

2. The method according to claim 1, characterized in that sending the first authorization revocation request to the first entity in the CAPIF framework comprises:
receiving a second authorization revocation request;
generating the first authorization revocation request based on the second authorization revocation request, and sending the first authorization revocation request to the first entity.

3. The method according to claim 1 or 2, characterized in that, after sending the first authorization revocation request to the first entity, the method further comprises:
receiving a revocation response message corresponding to the first authorization revocation request sent by the first entity.

4. The method according to claim 2 or 3, characterized in that the second authorization revocation request is sent by a terminal device, or by a resource owner client or resource owner running on the terminal device.

5. The method according to claim 4, characterized in that, after receiving the revocation response message corresponding to the first authorization revocation request sent by the first entity, the method further comprises:
sending the revocation response message to the terminal device, the resource owner client or the resource owner.

6. The method according to any one of claims 2 to 5, characterized in that the second authorization revocation request includes at least one of the following:
a resource identifier of the authorized resource;
an operation identifier of a semantic operation executable on the authorized resource;
identification information of the second entity;
identification information of the resource owner.

7. The method according to any one of claims 2 to 6, characterized in that sending the first authorization revocation request to the first entity in the CAPIF framework based on the second authorization revocation request comprises:
determining the refresh token based on the second authorization revocation request;
sending the first authorization revocation request to the first entity based on the refresh token.

8. The method according to claim 7, characterized in that determining the refresh token based on the second authorization revocation request comprises:
converting the resource identifier and/or the operation identifier to generate 3GPP-domain information;
determining the refresh token based on the 3GPP-domain information.

9. The method according to any one of claims 1 to 8, characterized in that the method further comprises:
sending the refresh token and/or the token type of the refresh token to the first entity through the first authorization revocation request.

10. The method according to any one of claims 1 to 8, characterized in that, before sending the first authorization revocation request, the method further comprises:
performing an authorization interaction with the first entity to obtain the refresh token related to the resource owner.

11. The method according to any one of claims 1 to 10, characterized in that the first entity is the core function (CCF) or the authorization function in the CAPIF framework.

12. A method for revoking authorization, characterized in that it is performed by a first entity in a CAPIF framework, the method comprising:
receiving a first authorization revocation request or a third authorization revocation request, wherein the first authorization revocation request or the third authorization revocation request may indicate a refresh token related to a resource owner;
performing a revocation operation on the refresh token based on the first authorization revocation request or the third authorization revocation request.

13. The method according to claim 12, characterized in that receiving the first authorization revocation request comprises:
receiving the first authorization revocation request sent by a second entity.

14. The method according to claim 12, characterized in that receiving the third authorization revocation request comprises:
receiving the third authorization revocation request sent by a terminal device, or by a resource owner client or resource owner running on the terminal device.

15. The method according to any one of claims 12 to 14, characterized in that, after performing the revocation operation on the refresh token based on the first authorization revocation request or the third authorization revocation request, the method further comprises:
sending a revocation response message corresponding to the first authorization revocation request to the second entity; or
sending a revocation response message corresponding to the third authorization revocation request to the terminal device, the resource owner client or the resource owner.

16. The method according to any one of claims 12 to 15, characterized in that the third authorization revocation request includes at least one of the following:
a resource identifier of the authorized resource;
an operation identifier of a semantic operation executable on the authorized resource;
identification information of the second entity;
identification information of the resource owner.

17. The method according to claim 16, wherein, before performing the revocation operation on the refresh token based on the third authorization revocation request, the method further comprises:
converting the resource identifier and/or the operation identifier to generate 3GPP-domain information;
determining the refresh token based on the 3GPP-domain information.

18. The method according to any one of claims 12 to 16, characterized in that, before receiving the first authorization revocation request or the third authorization revocation request, the method further comprises:
performing an authorization interaction with the second entity, and sending the refresh token related to the resource owner to the second entity.

19. The method according to any one of claims 12 to 18, characterized in that the method further comprises:
determining the refresh token and/or the token type of the refresh token based on the first authorization revocation request or the third authorization revocation request.

20. The method according to any one of claims 12 to 19, characterized in that the first entity is one of the core function (CCF) network element or the authorization function in the CAPIF framework.

21. The method according to any one of claims 12 to 20, characterized in that, after performing the revocation operation on the refresh token based on the first authorization revocation request or the third authorization revocation request, the method comprises:
upon receiving an access token application request sent by the second entity, ceasing to generate access tokens based on the refresh token.

22. A method for revoking authorization in a CAPIF framework, characterized in that it is performed by a resource owner client or a terminal device, the method comprising:
sending a second authorization revocation request to a second entity, wherein the second authorization revocation request is used to determine the first authorization revocation request sent to a first entity in the CAPIF framework; or
sending a third authorization revocation request to the first entity in the CAPIF framework; wherein the second authorization revocation request or the third authorization revocation request is used to indicate a refresh token related to a resource owner.

23. The method according to claim 22, characterized in that the method further comprises:
receiving a revocation response message corresponding to the first authorization revocation request sent by the second entity; or
receiving a revocation response message corresponding to the third authorization revocation request sent by the first entity.

24. The method according to claim 22 or 23, characterized in that the second authorization revocation request or the third authorization revocation request includes at least one of the following:
a resource identifier of the authorized resource;
an operation identifier of a semantic operation executable on the authorized resource;
identification information of the second entity;
identification information of the resource owner.

25. The method according to any one of claims 22 to 24, characterized in that the resource owner client runs on a terminal device.

26. A communication system, characterized in that it comprises a first entity in a CAPIF framework and a second entity;
the second entity is configured to send a first authorization revocation request to the first entity, wherein the first authorization revocation request is used to indicate a refresh token related to a resource owner;
the first entity is configured to perform a revocation operation on the refresh token based on the first authorization revocation request.

27. The communication system according to claim 26, characterized in that it further comprises a resource owner client or terminal device, the resource owner client or terminal device being configured to send a second authorization revocation request to the second entity;
the second entity is configured to generate the first authorization revocation request based on the second authorization revocation request, and to send the first authorization revocation request to the first entity.

28. A communication system, characterized in that it comprises a first entity in a CAPIF framework and a resource owner client or terminal device;
the resource owner client or terminal device is configured to send a third authorization revocation request to the first entity in the CAPIF framework, wherein the third authorization revocation request is used to indicate a refresh token related to the resource owner;
the first entity is configured to perform a revocation operation on the refresh token based on the first authorization revocation request.

29. A communication device, characterized in that it comprises:
a processing module, configured to send a first authorization revocation request to a first entity in a common application programming interface (CAPIF) framework, wherein the first authorization revocation request is used to indicate a refresh token related to a resource owner.

30. A communication device, characterized in that it comprises:
a transceiver module, configured to receive a first authorization revocation request or a third authorization revocation request, wherein the first authorization revocation request or the second authorization revocation request may indicate a refresh token related to a resource owner;
a processing module, configured to perform a revocation operation on the refresh token based on the first authorization revocation request or the third authorization revocation request.

31. A communication device, characterized in that it comprises:
a transceiver module, configured to send a second authorization revocation request to a second entity, wherein the second authorization revocation request is used to determine the first authorization revocation request sent to the first entity; or to send a third authorization revocation request to a first entity in a CAPIF framework; wherein the second authorization revocation request or the third authorization revocation request is used to indicate a refresh token related to a resource owner.

32. A communication device, characterized in that the device comprises a processor and a memory, the memory storing a computer program, and the processor executing the computer program stored in the memory so that the device performs the method according to any one of claims 1 to 11.

33. A communication device, characterized in that the device comprises a processor and a memory, the memory storing a computer program, and the processor executing the computer program stored in the memory so that the device performs the method according to any one of claims 12 to 21.

34. A communication device, characterized in that the device comprises a processor and a memory, the memory storing a computer program, and the processor executing the computer program stored in the memory so that the device performs the method according to any one of claims 22 to 25.

35. A communication device, characterized in that it comprises a processor and an interface circuit;
the interface circuit is configured to receive code instructions and transmit them to the processor;
the processor is configured to run the code instructions to execute the method according to any one of claims 1 to 11.

36. A communication device, characterized in that it comprises a processor and an interface circuit;
the interface circuit is configured to receive code instructions and transmit them to the processor;
the processor is configured to run the code instructions to execute the method according to any one of claims 12 to 21.

37. A communication device, characterized in that it comprises a processor and an interface circuit;
the interface circuit is configured to receive code instructions and transmit them to the processor;
the processor is configured to run the code instructions to execute the method according to any one of claims 22 to 25.

38. A computer-readable storage medium storing instructions which, when executed, cause the method according to any one of claims 1 to 11 to be implemented.

39. A computer-readable storage medium storing instructions which, when executed, cause the method according to any one of claims 12 to 21 to be implemented.

40. A computer-readable storage medium storing instructions which, when executed, cause the method according to any one of claims 22 to 25 to be implemented.
PCT/CN2023/094069 2023-05-12 2023-05-12 Authorization revocation method and apparatus WO2024234192A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
PCT/CN2023/094069 WO2024234192A1 (en) 2023-05-12 2023-05-12 Authorization revocation method and apparatus
CN202380009391.0A CN117044259A (en) 2023-05-12 2023-05-12 Authorization revocation method, device, electronic equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2023/094069 WO2024234192A1 (en) 2023-05-12 2023-05-12 Authorization revocation method and apparatus

Publications (1)

Publication Number Publication Date
WO2024234192A1 true WO2024234192A1 (en) 2024-11-21

Family

ID=88639895

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2023/094069 WO2024234192A1 (en) 2023-05-12 2023-05-12 Authorization revocation method and apparatus

Country Status (2)

Country Link
CN (1) CN117044259A (en)
WO (1) WO2024234192A1 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110046001A (en) * 2018-01-15 2019-07-23 华为技术有限公司 Authorization revocation method and apparatus
CN112470444A (en) * 2018-11-15 2021-03-09 瑞典爱立信有限公司 Method and apparatus for revoking authorization to API callers
US20210144550A1 (en) * 2018-04-06 2021-05-13 Nec Corporation Security procedures for common api framework in next generation networks
CN113821783A (en) * 2021-09-29 2021-12-21 北京云歌科技有限责任公司 Multifunctional security authorization API Key implementation system and method

Also Published As

Publication number Publication date
CN117044259A (en) 2023-11-10

Similar Documents

Publication Publication Date Title
CN114009070B (en) Feedback information transmission method, device and storage medium
CN113892276B (en) Information transmission method and device
CN114467314A (en) Method and device for determining shared channel occupation time
WO2024168917A1 (en) Ai model registration method, and apparatus, device and storage medium
WO2024000329A1 (en) Channel occupancy information sending method, and apparatus therefor
WO2024000531A1 (en) Method for sending cyclic prefix extended (cpe), and apparatus therefor
WO2023044620A1 (en) Method for determining transmission configuration indication state, and apparatus therefor
CN115004596B (en) Hybrid automatic repeat request (HARQ) feedback processing method and device thereof
US20250055766A1 (en) Method for creating artificial intelligence session, and apparatus therefor
EP4503835A1 (en) Method for processing extended reality multimedia xrm service and apparatus thereof
WO2024234274A1 (en) Information sending method and apparatus, information acquiring method and apparatus, device, and storage medium
CN118614141A (en) A method and device for updating artificial intelligence conversation
WO2024234192A1 (en) Authorization revocation method and apparatus
WO2024077427A1 (en) Psfch transmission power configuration method and apparatus
WO2024050778A1 (en) Artificial intelligence service policy updating method and apparatus
WO2024031272A1 (en) Reporting methods, apparatuses, device, and storage medium
WO2023201497A1 (en) Method and apparatus for determining frequency domain resource in unlicensed spectrum
WO2024138338A1 (en) Service invocation method and apparatus, device, and storage medium
WO2024148489A1 (en) Personal internet of things network (pin) element registration method and communication apparatus
WO2024168758A1 (en) Method for multiple physical random access channel (prach) transmissions and apparatus therefor
WO2024164346A1 (en) Network identifier transmission method and apparatus
WO2024182954A1 (en) Sensing node discovery method and apparatus thereof
WO2024168935A1 (en) Message verification method and apparatus therefor
WO2024168479A1 (en) Method and apparatus for hybrid automatic repeat request (harq) process enabling configuration
WO2024197474A1 (en) Key agreement method, apparatus, device and storage medium

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 23936882

Country of ref document: EP

Kind code of ref document: A1