An access control method, apparatus, device, and storage medium
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- CHINA UNITED NETWORK COMM GRP CO LTD
- Filing Date
- 2023-06-28
- Publication Date
- 2026-06-23
AI Technical Summary
[0005] This application provides an access control method, apparatus, device, and storage medium, to solve the problems in the prior art that users cannot log in to multiple systems from a single entry point, user information is not shared between systems, and systems are built redundantly.
Figure CN116723029B_ABST (abstract drawing)
Description
Technical Field
[0001] This application belongs to the field of Internet technology, and specifically relates to an access control method, apparatus, device, and storage medium.
Background Technology
[0002] As the business grows, the number of projects within departments, between departments, and even between different companies increases. Each project's system is deployed independently, which means that users need to log in to other systems after logging into one system, resulting in a poor user experience. At the same time, it is unreasonable that users use different systems without a unified entry point for permission management and access control.
[0003] Furthermore, information such as users, departments, and roles is not shared between independently deployed systems. To ensure business consistency, this information needs to be synchronized, leading to an increasingly complex and unstable system collection. Moreover, each system must independently maintain its own access control system, such as modules, menus, and buttons, resulting in redundant system construction.
[0004] Therefore, it is necessary to solve the problems in existing technologies, such as users not being able to log in to multiple systems from a single entry point, lack of user information sharing, and redundant system construction.
Summary of the Invention
[0005] This application provides an access control method, apparatus, device, and storage medium to solve the problems in the prior art where users cannot log in to multiple systems from a single entry point, user information is not shared, and systems are built redundantly.
[0006] Firstly, this application provides an access control method applied to a client, the method comprising:
[0007] Receive user switching instructions from the first application to the second application;
[0008] Determine if a cookie exists in the client's browser; if it does, then confirm that the user login verification is successful.
[0009] Send an authorization request for the second application to the authorization and authentication center;
[0010] Receive the authorization code for the second application sent by the authorization and authentication center;
[0011] Send a token request for the second application to the gateway. The token request for the second application carries the authorization code and client ID of the second application.
[0012] Receive the second application authorization token returned by the gateway, and access the second application based on the second application authorization token.
[0013] In the preferred embodiment of the access control method described above, before the user switches from the first application to the second application, the method further includes:
[0014] In response to the user's access instruction to access the first application, the system receives the user's authentication information.
[0015] Send an authorization request for the first application to the authorization and authentication center. The authorization request for the first application carries: the user's authentication information and the client ID of the first application.
[0016] Receive the authentication information of the user and the verification result of the client ID of the first application from the authorization and authentication center;
[0017] If the verification passes, the cookie used to maintain the state between the client and the server is stored in the client's browser.
[0018] In the preferred embodiment of the access control method described above, sending the authorization request for the second application to the authorization and authentication center includes:
[0019] Based on the user's identity information in the cookie and the client ID of the second application, an authorization request for the second application is sent to the authorization and authentication center.
[0020] In a preferred embodiment of the access control method described above, after storing the cookie used to maintain the state between the client and the server in the client's browser, the method further includes:
[0021] Receive the authorization code for the first application sent by the authorization and authentication center;
[0022] Send a token request for the first application to the gateway. The token request for the first application carries the authorization code and client ID of the first application.
[0023] Receive the first application authorization token returned by the gateway, and access the first application based on the first application authorization token.
[0024] In the preferred embodiment of the access control method described above, the second application authorization token includes: a second application identity token and a second application access token; receiving the second application authorization token returned by the gateway and accessing the second application based on the second application authorization token includes:
[0025] Receive the second application identity token returned by the gateway, where the gateway has received the second application identity token and the second application access token sent by the authorization and authentication center;
[0026] In response to the target menu of the second application pointed to by the switching instruction, an access request for the target menu is sent to the gateway through the second application identity token, so that the gateway can obtain the target menu resource from the authorization and authentication center through the second application access token;
[0027] Receive the resources of the target menu returned by the gateway.
[0028] In the preferred embodiment of the access control method described above, the method further includes:
[0029] Based on the second application identity token, obtain the menu resources of the second application corresponding to the user permissions.
[0030] In the preferred embodiment of the access control method described above, the step of sending an access request for the target menu to the gateway through the identity token, so that the gateway can obtain the target menu resource from the authorization and authentication center through the access token, includes:
[0031] The access request for the target menu carries the second application identity token, so that when the access request for the target menu reaches the gateway, the gateway replaces the second application identity token with the second application access token.
[0032] Secondly, this application provides an access control device, the device comprising:
[0033] The instruction receiving module is used to receive the user's switching instruction from the first application to the second application;
[0034] The login verification module is used to determine whether a cookie exists in the client browser. If it does, the user login verification is deemed successful.
[0035] The authorization code request module is used for:
[0036] Send an authorization request for the second application to the authorization and authentication center;
[0037] Receive the authorization code for the second application sent by the authorization and authentication center;
[0038] The token request module is used for:
[0039] Send a token request for the second application to the gateway. The token request for the second application carries the authorization code and client ID of the second application.
[0040] Receive the second application authorization token returned by the gateway, and access the second application based on the second application authorization token.
[0041] Thirdly, this application provides an access control device, the device comprising:
[0042] Memory and processor;
[0043] The memory is used to store computer programs;
[0044] The processor is used to execute the computer program stored in the memory to implement the access control method described above.
[0045] Fourthly, this application provides a readable storage medium on which a computer program is stored; the computer program is used to implement the access control method described above.
[0046] This application provides an access control method, apparatus, device, and storage medium. When a user switches applications, the system detects the client browser's cookie to determine if the user is already logged in. If the user is already logged in, the system uses the user's identity information in the cookie to exchange for an authorization token from a unified authorization and authentication center via the OAuth protocol. This allows the user to access the application they want to access without having to log in repeatedly, thus avoiding the need for repeated logins when switching between different applications. The unified authorization and authentication center also allows for unified configuration of user information and access control systems.
Attached Figure Description
[0047] The accompanying drawings, which are incorporated in and form part of this specification, illustrate embodiments consistent with this application and, together with the description, serve to explain the principles of this application.
[0048] Figure 1 is a flowchart of an access control method provided in an embodiment of this application;
[0049] Figure 2 is a flowchart of a method for verifying user login provided in an embodiment of this application;
[0050] Figure 3 is a flowchart of a method for accessing a second application based on a second application authorization token, provided in an embodiment of this application;
[0051] Figure 4 is a schematic diagram of another access control method provided in an embodiment of this application;
[0052] Figure 5 is a schematic diagram of an access control device provided in an embodiment of this application;
[0053] Figure 6 is a schematic diagram of an access control device provided in an embodiment of this application.
[0054] The accompanying drawings illustrate specific embodiments of this application, which will be described in more detail below. These drawings and descriptions are not intended to limit the scope of the concept in any way, but rather to illustrate the concept of this application to those skilled in the art through reference to particular embodiments.
Detailed Implementation
[0055] To make the objectives, technical solutions, and advantages of this application clearer, the technical solutions of this application will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of this application, not all embodiments. Based on the embodiments of this application, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of this application.
[0056] The terms "first," "second," "third," "fourth," etc. (if present) in the specification, claims, and accompanying drawings of this invention are used to distinguish similar objects and are not necessarily used to describe a specific order or sequence. It should be understood that such data can be interchanged where appropriate so that embodiments of the invention described herein can be implemented, for example, in orders other than those illustrated or described herein.
[0057] In this application, the terms "exemplary" or "for example" are used to indicate examples, illustrations, or descriptions. Any embodiment or design described as "exemplary" or "for example" in this application should not be construed as being more preferred or advantageous than other embodiments or designs. Specifically, the use of terms such as "exemplary" or "for example" is intended to present the relevant concepts in a specific manner.
[0058] To meet business needs, it is common practice to build a system or application specifically for a particular business function. However, independently deployed applications have the following problems:
[0059] Information such as users, departments, and roles is not shared between independently deployed applications. To ensure business consistency, this information needs to be synchronized, which makes the system collection increasingly complex and unstable. Moreover, different systems need to maintain their own access control systems, such as modules, menus, and buttons, resulting in redundant system construction.
[0060] To address the above issues, the technical concept of this application is as follows: When a user switches applications, the system determines whether the user is already logged in based on the presence of cookies in the client's browser. If the user is already logged in, the system requests an authorization token from a unified authorization and authentication center according to the OAuth 2.0 protocol, and then uses the authorization token to access the application the user wants to access.
[0061] The technical solution of this application and how the technical solution of this application solves the above-mentioned technical problems are described in detail below with specific embodiments. These specific embodiments can be combined with each other, and the same or similar concepts or processes may not be described again in some embodiments. The embodiments of this application will now be described with reference to the accompanying drawings.
[0062] In Embodiment 1 of this application, an access control method is provided, which is applied to the client and is implemented based on the OAuth 2.0 protocol. Figure 1 is a flowchart of an access control method provided in an embodiment of this application; as shown in Figure 1, the method includes:
[0063] S101. Receive the user's switching instruction from the first application to the second application;
[0064] S102. Determine if a cookie exists in the client's browser. If it exists, confirm that the user's login verification is successful.
[0065] Specifically, the client can determine whether a user is logged in by calling the `/oauth2/authorize` interface and checking for the presence of a cookie. A cookie is a data fragment stored on the client side by the server and can be used to identify whether a user is logged in. If no cookie is detected, the user is not logged in and is redirected to the login page.
[0066] S103. Send an authorization request for the second application to the authorization and authentication center;
[0067] In this embodiment, the functions of the authorization and authentication center can be implemented through an authorization server and an authentication server, or through a separate authorization and authentication server. The authorization and authentication center provides unified configuration for user permissions to access different applications and their sub-menus.
[0068] Optionally, sending an authorization request for the second application to the authorization and authentication center includes:
[0069] Based on the user's identity information in the cookie and the client ID of the second application, an authorization request for the second application is sent to the authorization and authentication center.
[0070] After receiving the user's identity information and the client ID of the second application, the authorization and authentication center verifies whether the second application has been registered with the authorization and authentication center based on the client ID of the second application. If so, it verifies whether the user has permission to access the second application based on the user's identity information.
[0071] S104. Receive the authorization code for the second application sent by the authorization and authentication center;
[0072] If the user has permission to access the second application, then the authorization code for the second application is sent to the client. Specifically, the authorization code for the second application can be added to the redirect URL of the second application's homepage, and the user can be redirected to the second application's homepage, so that the second application obtains the authorization code.
[0073] S105. Send a token request for the second application to the gateway. The token request for the second application carries the authorization code and client ID of the second application.
[0074] In this step, the frontend uses the authorization code and client ID of the second application to call the `/auth/token` interface to obtain the authorization token for the second application. After the token request reaches the gateway, the gateway forwards the token request to the authorization and authentication center. The authorization and authentication center issues an authorization token for the second application based on the authorization code and client ID of the second application, and then sends the authorization token to the gateway.
[0075] The purpose of using an authorization code to redeem an authorization token is to improve system security.
[0076] S106. Receive the second application authorization token returned by the gateway, and access the second application based on the second application authorization token.
[0077] The technical effect of this embodiment is that when a user switches applications, the system detects the client browser's cookie to determine whether the user is already logged in. If the user is already logged in, the system uses the user's identity information in the cookie to exchange for an authorization token from a unified authorization and authentication center via the OAuth 2.0 protocol. This allows the user to access the application they want to access without having to log in repeatedly, thus avoiding the need for repeated logins when switching between different applications. The unified authorization and authentication center also allows for the unified configuration of user information and access control systems.
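The following is an added example, not code from the patent or its assignee: an in-memory simulation of steps S101 to S106 with a client, a gateway and an authorization and authentication center. The class names, the session table behind the cookie, the single-use and expiring authorization code, the token formats and the constructed user and client data are all assumptions; the patent only specifies the message sequence. The example shows why the code is exchanged through the gateway rather than used directly: the code is bound to the client ID that requested it, can be redeemed once, and the gateway keeps the access token to itself and hands the browser only the identity token.

```python
# Added example, not from the patent: simulation of S101-S106.
# Names, token formats, the session table and the code lifetime are assumptions.
import secrets
import time

CODE_TTL_SECONDS = 60  # assumed lifetime of an authorization code


class AuthorizationCenter:
    """Unified authorization and authentication center (assumed behaviour)."""

    def __init__(self, registered_clients, user_permissions):
        self.registered_clients = set(registered_clients)  # registered client IDs
        self.user_permissions = user_permissions            # user -> set of client IDs
        self.sessions = {}  # session id (the cookie value) -> user
        self.codes = {}     # authorization code -> (user, client_id, expiry)

    def login(self, username, password):
        """S201-S204 collapsed: constructed credential check returning a session id."""
        if (username, password) != ("alice", "correct horse"):  # constructed credential
            raise PermissionError("bad credentials")
        session_id = secrets.token_urlsafe(16)
        self.sessions[session_id] = username
        return session_id

    def authorize(self, session_id, client_id):
        """S103/S104: resolve the user behind the cookie, check that the client ID is
        registered and that the user may access it, then issue a short-lived code."""
        user = self.sessions.get(session_id)
        if user is None:
            raise PermissionError("no valid session")
        if client_id not in self.registered_clients:
            raise PermissionError("unregistered client ID")
        if client_id not in self.user_permissions.get(user, set()):
            raise PermissionError("user may not access this application")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (user, client_id, time.monotonic() + CODE_TTL_SECONDS)
        return code

    def exchange(self, code, client_id):
        """S105 (center side): redeem a code for an identity token and an access token.
        The code is deleted on first use, so a replayed code is rejected."""
        entry = self.codes.pop(code, None)
        if entry is None:
            raise PermissionError("unknown or already used authorization code")
        user, bound_client, expiry = entry
        if bound_client != client_id:
            raise PermissionError("authorization code was issued to another client")
        if time.monotonic() > expiry:
            raise PermissionError("authorization code expired")
        return {"user": user, "identity_token": "id-" + secrets.token_urlsafe(12),
                "access_token": "acc-" + secrets.token_urlsafe(12)}


class Gateway:
    """Fronts /auth/token: forwards to the center, keeps the access token and
    returns only the identity token to the browser (as in embodiment 3)."""

    def __init__(self, center):
        self.center = center
        self.access_tokens = {}  # identity token -> access token, never sent to the client

    def token(self, code, client_id):
        issued = self.center.exchange(code, client_id)
        self.access_tokens[issued["identity_token"]] = issued["access_token"]
        return issued["identity_token"]


class Client:
    """Browser-side logic; the cookie holds only an opaque session id."""

    def __init__(self, center, gateway):
        self.center, self.gateway = center, gateway
        self.cookie = None

    def login(self, username, password):
        self.cookie = self.center.login(username, password)  # S204: cookie stored

    def switch_to(self, client_id):
        """S101-S106 for a switch to the application identified by client_id."""
        if self.cookie is None:                               # S102: no cookie -> login page
            return {"redirect": "/login"}
        code = self.center.authorize(self.cookie, client_id)  # S103/S104
        identity_token = self.gateway.token(code, client_id)  # S105/S106
        return {"identity_token": identity_token}


def build_demo():
    """Constructed setup: two registered applications, user alice may use both."""
    center = AuthorizationCenter(["app-A", "app-B"], {"alice": {"app-A", "app-B"}})
    gateway = Gateway(center)
    return center, gateway, Client(center, gateway)


if __name__ == "__main__":
    center, gateway, client = build_demo()
    print(client.switch_to("app-B"))   # no cookie yet -> redirect to login
    client.login("alice", "correct horse")
    print(client.switch_to("app-B"))   # identity token without a second login
```

The checks in `authorize` and `exchange` correspond to the verification the patent assigns to the center (registration of the client ID, user permission for the application); the single-use and expiry handling of the code and the client-ID binding are the usual reason an authorization code is redeemed rather than used directly, which is the point paragraph [0075] makes without detail.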
[0078] Since in the previous embodiment the user needs to log in before switching from the first application to the second application, embodiment 2 of this application provides a method for verifying user login. Figure 2 is a flowchart of a method for verifying user login provided in an embodiment of this application; as shown in Figure 2, the method includes:
[0079] S201. In response to the user's access instruction to access the first application, receive the user's authentication information;
[0080] When a user accesses the first application, the client can call the `/oauth2/authorize` interface to determine whether the user is already logged in based on the existence of a cookie. If no cookie exists, the client will redirect to the login page and receive the authentication information entered by the user on the login page. The user's authentication information may include the user's username, password, verification code, gesture information, etc.
[0081] It should be noted that the first application can also be a portal website, that is, the homepage of the first application is the login page in this application.
[0082] Optionally, after the user enters their identity verification information on the login page, they can be asked whether they agree to the authorization. If the user agrees to the authorization, the process proceeds to step S202.
[0083] S202. Send an authorization request for the first application to the authorization and authentication center. The authorization request for the first application carries: the user's authentication information and the client ID of the first application.
[0084] As in the previous embodiment, the authorization and authentication center stores the user's permissions to access different applications and their sub-menus. The user's authentication information and the client ID of the first application are sent to the authorization and authentication center. The client ID of the first application can be used to verify whether the first application that the user wants to access has been registered with the authorization and authentication center. If the first application has been registered with the authorization and authentication center, the authorization and authentication center will verify whether the user has the permission to access the first application based on the stored permissions of the user to access different applications and their sub-menus.
[0085] Specifically, S202 can be completed using the `/auth/login` method of the OAuth 2.0 protocol.
[0086] S203. Receive the verification results from the authorization and authentication center regarding the user's identity verification information and the client ID of the first application;
[0087] S204. If the verification passes, the cookie used to maintain the state between the client and the server will be stored in the client's browser.
[0088] In this step, the cookie can be set in the client browser's domain so that when the user switches to a second application or other sub-application, the sub-application can access the cookie.
[0089] Optionally, after storing cookies used to maintain state between the client and server in the client's browser, the method may further include:
[0090] Receive the authorization code for the first application sent by the authorization and authentication center;
[0091] Send a token request for the first application to the gateway. The token request for the first application carries the authorization code and client ID of the first application.
[0092] Receive the first application authorization token returned by the gateway, and access the first application based on the first application authorization token.
[0093] After logging in, users may need to access the menus under the first application. At this time, they need to access the first application and its menus through the first application's authorization token.
[0094] In embodiment 3 of this application, a method for accessing a second application based on a second application authorization token is provided. Figure 3 is a flowchart of a method for accessing a second application based on a second application authorization token, as provided in an embodiment of this application; as shown in Figure 3, the method includes:
[0095] S301. Receive the second application identity token returned by the gateway, where the gateway has received the second application identity token and the second application access token sent by the authorization and authentication center;
[0096] In this embodiment, the second application authorization token includes a second application identity token and a second application access token. Similarly, the first application authorization token in embodiment 2 may also include a first application identity token and a first application access token, and the method by which the user accesses the menu of the first application through the first application identity token and the first application access token in embodiment 2 is equivalent to S301 to S303 of this embodiment.
[0097] After receiving the second application identity token and the second application access token sent by the authorization and authentication center, the gateway sends the second application identity token to the client.
[0098] S302. In response to the target menu of the second application pointed to by the switching instruction, send an access request for the target menu to the gateway through the identity token of the second application, so that the gateway can obtain the target menu resources from the authorization and authentication center through the access token of the second application.
[0099] After logging into the second application, the user needs to be able to see the menu of the second application that they have permission to access. After sending the second application identity token to the client, the client can use the second application identity token to call `/oauth2/menus?moduleId=101` to obtain the menu resource of the second application corresponding to the user's permissions and display it on the second application's page, thus enabling this solution to be practically applied.
[0100] Similarly, in embodiment 2, if the first application is a portal website, the menu resources of the first application corresponding to the user's permissions are the sub-applications that the user has permission to access. The client calls `/oauth2/modules` to parse the identity token of the first application, obtains the sub-applications that the user has permission to access, and displays them on the page of the first application.
[0101] Optionally, an access request for the target menu can be sent to the gateway using the second application identity token, enabling the gateway to obtain the target menu resource from the authorization and authentication center using the second application access token. This can be achieved through the following methods:
[0102] The access request for the target menu carries a second application identity token, so that when the access request for the target menu reaches the gateway, the gateway replaces the second application identity token with a second application access token.
[0103] Access requests to the target menu can be HTTP requests, with a second application identity token carried in the HTTP request header.
[0104] S303. Receive the resources of the target menu returned by the gateway.
[0105] In this step, the gateway's service interceptor can use the second application access token to interact with the authorization and authentication center via `/oauth2/userinfo` to confirm that the user has permission to access the target menu. If the user has permission to access the target menu, the gateway uses the second application access token to request the target menu's data resources from the resource server and sends those data resources to the client.
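The following is an added example, not code from the patent or its assignee: a gateway service interceptor that performs the token substitution of S302 and the permission check and resource fetch of S303. The token table, the data returned by the stand-in `/oauth2/userinfo`, the resource server and the use of an `Authorization: Bearer` header to carry the identity token are all constructed for the example; the patent only states that the identity token travels in the HTTP header and that the gateway swaps it for the access token.

```python
# Added example, not from the patent: gateway interceptor for S302/S303.
# Token values, userinfo data, the resource server and the header name are constructed.
from typing import Dict, Optional, Tuple

# identity token held by the client -> (user, access token held only by the gateway)
TOKEN_TABLE = {"id-tok-alice-B": ("alice", "acc-tok-alice-B")}

# what the stand-in /oauth2/userinfo returns for an access token: the menus the user may see
USERINFO = {"acc-tok-alice-B": {"user": "alice", "menus": {"101", "102"}}}

# resource server content keyed by menu id (constructed; 101 is the id used on the page)
RESOURCES = {"101": {"title": "Orders"}, "102": {"title": "Reports"}, "103": {"title": "Admin"}}


def userinfo(access_token: str) -> Optional[dict]:
    """Stand-in for the center's /oauth2/userinfo endpoint."""
    return USERINFO.get(access_token)


def resource_server(access_token: str, menu_id: str) -> Optional[dict]:
    """Stand-in for the resource server; it validates the access token itself as well,
    so a request that bypassed the gateway check would still be refused."""
    info = USERINFO.get(access_token)
    if info is None or menu_id not in info["menus"]:
        return None
    return RESOURCES.get(menu_id)


def gateway_interceptor(headers: Dict[str, str], menu_id: str) -> Tuple[int, dict]:
    """Handle a client request for a target menu:
    1. read the identity token from the request header (S302),
    2. replace it with the matching access token, which the client never sees,
    3. confirm through userinfo that the user may access the menu (S303),
    4. fetch the resource with the access token and return it to the client."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, {"error": "missing identity token"}
    entry = TOKEN_TABLE.get(auth[len("Bearer "):])
    if entry is None:
        return 401, {"error": "unknown identity token"}
    user, access_token = entry
    info = userinfo(access_token)
    if info is None:
        return 401, {"error": "access token rejected by authorization center"}
    if menu_id not in info["menus"]:
        return 403, {"error": f"{user} has no permission for menu {menu_id}"}
    resource = resource_server(access_token, menu_id)
    if resource is None:
        return 502, {"error": "resource server refused the request"}
    return 200, {"menu": menu_id, "resource": resource}


if __name__ == "__main__":
    print(gateway_interceptor({"Authorization": "Bearer id-tok-alice-B"}, "101"))  # 200
    print(gateway_interceptor({"Authorization": "Bearer id-tok-alice-B"}, "103"))  # 403
    print(gateway_interceptor({"Authorization": "Bearer acc-tok-alice-B"}, "101"))  # 401
```

Note that presenting the access token itself from the client side is rejected: the interceptor only accepts identity tokens it has mapped, which is what keeps the access token confined to the gateway and the authorization center.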
[0106] In practice, some resources in the target menu may not be accessible using a second application access token. In such cases, the following method is required:
[0107] Authentication is performed using a Java dynamic signature: an algorithm generates a dynamic signature from the appId, a timestamp (`timespace`) and a nonce (`notice`), and these three values together with the signature (four values in all) are passed in through the header; the service interceptor generates a signature from the first three parameters using the same algorithm and compares it with the passed-in signature.
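The following is an added example, not code from the patent or its assignee, of the signature check described above. The page names the parameters appId, timespace and notice; this example reads them as an application ID, a timestamp and a nonce (my interpretation), uses HMAC-SHA256 as the signing algorithm (the page does not name one), and constructs the shared secret, the header names and the freshness window. It also shows the two checks that make such a scheme worth deploying: a bounded timestamp window and a record of used nonces, so that a captured set of headers cannot be replayed.

```python
# Added example, not from the patent: dynamic request signature verification.
# Parameter interpretation (appId, timestamp, nonce), HMAC-SHA256, secrets, header
# names and the skew window are all assumptions.
import hashlib
import hmac

APP_SECRETS = {"app-1001": b"constructed-shared-secret"}  # constructed per-app secret
MAX_SKEW_SECONDS = 300  # assumed acceptable clock difference between caller and server


def compute_signature(secret: bytes, app_id: str, timestamp: int, nonce: str) -> str:
    """Signature over the three parameters; the newline separator makes the
    concatenation unambiguous (no two inputs share a serialisation)."""
    message = f"{app_id}\n{timestamp}\n{nonce}".encode()
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def sign_headers(app_id: str, timestamp: int, nonce: str) -> dict:
    """Caller side: the three parameters plus the signature, four header values."""
    sig = compute_signature(APP_SECRETS[app_id], app_id, timestamp, nonce)
    return {"X-App-Id": app_id, "X-Timestamp": str(timestamp),
            "X-Nonce": nonce, "X-Signature": sig}


def verify_headers(headers: dict, seen_nonces: set, now: int) -> tuple:
    """Service interceptor side: recompute the signature with the same algorithm and
    compare it in constant time; reject stale timestamps and replayed nonces.
    Returns (ok, reason).  `seen_nonces` is the caller's replay record."""
    try:
        app_id = headers["X-App-Id"]
        timestamp = int(headers["X-Timestamp"])
        nonce = headers["X-Nonce"]
        presented = headers["X-Signature"]
    except (KeyError, ValueError):
        return False, "missing or malformed header"
    secret = APP_SECRETS.get(app_id)
    if secret is None:
        return False, "unknown appId"
    if abs(now - timestamp) > MAX_SKEW_SECONDS:
        return False, "timestamp outside allowed window"
    if (app_id, nonce) in seen_nonces:
        return False, "nonce already used"
    expected = compute_signature(secret, app_id, timestamp, nonce)
    if not hmac.compare_digest(expected, presented):
        return False, "signature mismatch"
    seen_nonces.add((app_id, nonce))  # record only after a successful check
    return True, "ok"


if __name__ == "__main__":
    import time
    seen = set()
    hdrs = sign_headers("app-1001", int(time.time()), "n-0001")
    print(verify_headers(hdrs, seen, int(time.time())))  # (True, 'ok')
    print(verify_headers(hdrs, seen, int(time.time())))  # replay -> nonce already used
```

The nonce record only needs to cover the skew window: anything older than `MAX_SKEW_SECONDS` is already rejected by the timestamp check, so the set can be pruned by timestamp in a real service.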
[0108] Figure 4 is a schematic diagram of another access control method provided in an embodiment of this application. In Figure 4, the letter A represents the first application and the letter B represents the second application. As shown in Figure 4, each time a user switches applications, the client must request an authorization code from the authorization center again, then use the authorization code to request an identity token and an access token from the authorization center, and then obtain the target menu resources through steps S301 to S303.
[0109] In embodiment 4 of this application, an access control device is provided. Figure 5 is a schematic diagram of an access control device provided in an embodiment of this application; as shown in Figure 5, the device 50 includes: an instruction receiving module 501, a login verification module 502, an authorization code request module 503, and a token request module 504;
[0110] The instruction receiving module 501 is used to receive the user's switching instruction from the first application to the second application;
[0111] The login verification module 502 is used to determine whether a cookie exists in the client browser. If it exists, the user login verification is confirmed to be successful.
[0112] Authorization code request module 503 is used for:
[0113] Send an authorization request for the second application to the authorization and authentication center;
[0114] Receive the authorization code for the second application sent by the authorization and authentication center;
[0115] Token request module 504 is used for:
[0116] Send a token request for the second application to the gateway. The token request for the second application carries the authorization code and client ID of the second application.
[0117] Receive the second application authorization token returned by the gateway, and access the second application based on the second application authorization token.
[0118] In embodiment 5 of this application, an access control device is provided. Figure 6 is a schematic diagram of an access control device provided in an embodiment of this application; as shown in Figure 6, the device 60 includes a memory 601, a processor 602, and a communication component 603, which are connected via a bus 604.
[0119] Memory 601 is used to store computer programs;
[0120] The processor 602 is used to execute the computer program stored in the memory 601 to implement the access control method described above.
[0121] The specific implementation process of processor 602 can be found in the above method embodiments, and its implementation principle and technical effect are similar. It will not be repeated here.
[0122] In the embodiment illustrated in Figure 6 above, it should be understood that the processor can be a Central Processing Unit (CPU), or other general-purpose processors, digital signal processors (DSPs), application-specific integrated circuits (ASICs), etc. The general-purpose processor can be a microprocessor or any conventional processor. The steps of the method disclosed in this invention can be directly implemented by a hardware processor, or implemented by a combination of hardware and software modules within the processor.
[0123] The memory may include random access memory (RAM) and may also include non-volatile memory (NVM), such as at least one disk storage device.
[0124] The bus can be an Industry Standard Architecture (ISA) bus, a Peripheral Component Interconnect (PCI) bus, or an Extended Industry Standard Architecture (EISA) bus, etc. Buses can be categorized as address buses, data buses, control buses, etc. For ease of illustration, the buses shown in the accompanying drawings are not limited to a single bus or a specific type of bus.
[0125] In Embodiment 6 of this application, a readable storage medium is provided, on which a computer program is stored; the computer program is used to implement the access control method described above.
[0126] The aforementioned computer-readable storage medium can be implemented by any type of volatile or non-volatile storage device or a combination thereof, such as static random access memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic storage, flash memory, magnetic disk, or optical disk. The readable storage medium can be any available medium accessible to a general-purpose or special-purpose computer.
[0127] An exemplary readable storage medium is coupled to a processor, enabling the processor to read information from and write information to the readable storage medium. Of course, the readable storage medium can also be a component of the processor. The processor and the readable storage medium can reside in an Application Specific Integrated Circuit (ASIC). Alternatively, the processor and the readable storage medium can exist as discrete components in the device.
[0128] The division of units described herein is merely a logical functional division. In actual implementation, there may be other division methods. For example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed. Furthermore, the coupling or direct coupling or communication connection shown or discussed may be indirect coupling or communication connection through some interfaces, devices, or units, and may be electrical, mechanical, or other forms.
[0129] The units described as separate components may or may not be physically separate. The components shown as units may or may not be physical units; that is, they may be located in one place or distributed across multiple network units. Some or all of the units can be selected to achieve the purpose of this embodiment according to actual needs.
[0130] In addition, the functional units in the various embodiments of the present invention can be integrated into one processing unit, or each unit can exist physically separately, or two or more units can be integrated into one unit.
[0131] If the aforementioned functions are implemented as software functional units and sold or used as independent products, they can be stored in a computer-readable storage medium. Based on this understanding, the technical solution of this invention, or the part that contributes to the prior art, or a part of the technical solution, can be embodied in the form of a software product. This computer software product is stored in a storage medium and includes several instructions to cause a computer device (which may be a personal computer, server, or network device, etc.) to execute all or part of the steps of the methods described in the various embodiments of this invention. The aforementioned storage medium includes various media capable of storing program code, such as USB flash drives, portable hard drives, read-only memory (ROM), random access memory (RAM), magnetic disks, or optical disks.
[0132] Those skilled in the art will understand that all or part of the steps of the above-described method embodiments can be implemented by hardware related to program instructions. The aforementioned program can be stored in a computer-readable storage medium. When executed, the program performs the steps of the above-described method embodiments; and the aforementioned storage medium includes various media capable of storing program code, such as ROM, RAM, magnetic disks, or optical disks.
[0133] The technical solutions of this application have been described above with reference to the preferred embodiments shown in the accompanying drawings. However, it is readily understood by those skilled in the art that the scope of protection of this application is obviously not limited to these specific embodiments. The above embodiments are only used to illustrate the technical solutions of this application and are not intended to limit them. Although this application has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that modifications can still be made to the technical solutions described in the foregoing embodiments, or equivalent substitutions can be made to some or all of the technical features therein. These modifications or substitutions do not cause the essence of the corresponding technical solutions to deviate from the scope of the technical solutions of the embodiments of this application.
Claims
1. An access control method, characterized in that it is applied to a client and includes:
receiving a user's instruction to switch from a first application to a second application;
determining whether a cookie exists in the client's browser and, if it does, confirming that the user's login verification is successful;
sending an authorization request for the second application to the authorization and authentication center;
receiving the authorization code for the second application sent by the authorization and authentication center;
sending a token request for the second application to the gateway, the token request for the second application carrying the authorization code and client ID of the second application, so that the gateway forwards the token request to the authorization and authentication center and receives the authorization token for the second application issued by the authorization and authentication center;
receiving the second application authorization token returned by the gateway, and accessing the second application based on the second application authorization token;
wherein the second application authorization token includes a second application identity token and a second application access token, and receiving the second application authorization token returned by the gateway and accessing the second application based on the second application authorization token includes:
receiving the second application identity token returned by the gateway, the gateway having received the second application identity token and the second application access token sent by the authorization and authentication center;
in response to the target menu of the second application pointed to by the switching instruction, sending an access request for the target menu to the gateway using the second application identity token, so that the gateway obtains the target menu resource from the authorization and authentication center using the second application access token; and
receiving the target menu resource returned by the gateway.
2. The method according to claim 1, characterized in that, before the user switches from the first application to the second application, the method further includes:
in response to the user's instruction to access the first application, receiving the user's authentication information;
sending an authorization request for the first application to the authorization and authentication center, the authorization request for the first application carrying the user's authentication information and the client ID of the first application;
receiving from the authorization and authentication center the verification result for the user's authentication information and the client ID of the first application; and
if the verification passes, storing in the client's browser the cookie used to maintain state between the client and the server.
3. The method according to claim 1, characterized in that sending the authorization request for the second application to the authorization and authentication center includes:
sending the authorization request for the second application to the authorization and authentication center based on the user's identity information in the cookie and the client ID of the second application.
4. The method according to claim 2, characterized in that, after storing in the client's browser the cookie used to maintain state between the client and the server, the method further includes:
receiving the authorization code for the first application sent by the authorization and authentication center;
sending a token request for the first application to the gateway, the token request for the first application carrying the authorization code and client ID of the first application; and
receiving the first application authorization token returned by the gateway, and accessing the first application based on the first application authorization token.
5. The method according to claim 1, characterized in that the method further includes:
obtaining, based on the second application identity token, the menu resources of the second application corresponding to the user's permissions.
6. The method according to claim 1, characterized in that sending the access request for the target menu to the gateway using the second application identity token, so that the gateway obtains the target menu resource from the authorization and authentication center using the second application access token, includes:
the access request for the target menu carrying the second application identity token, so that when the access request for the target menu reaches the gateway, the gateway replaces the second application identity token with the second application access token.
7. An access control device, characterized in that the device includes:
an instruction receiving module, used to receive the user's instruction to switch from the first application to the second application;
a login verification module, used to determine whether a cookie exists in the client's browser and, if it does, to deem the user's login verification successful;
an authorization code request module, used to send an authorization request for the second application to the authorization and authentication center and to receive the authorization code for the second application sent by the authorization and authentication center; and
a token request module, used to send a token request for the second application to the gateway, the token request for the second application carrying the authorization code and client ID of the second application, so that the gateway forwards the token request to the authorization and authentication center and receives the authorization token for the second application issued by the authorization and authentication center, and to receive the second application authorization token returned by the gateway and access the second application based on the second application authorization token;
wherein the second application authorization token includes a second application identity token and a second application access token, and the token request module is specifically used to:
receive the second application identity token returned by the gateway, the gateway having received the second application identity token and the second application access token sent by the authorization and authentication center;
in response to the target menu of the second application pointed to by the switching instruction, send an access request for the target menu to the gateway using the second application identity token, so that the gateway obtains the target menu resource from the authorization and authentication center using the second application access token; and
receive the target menu resource returned by the gateway.
8. An access control device, characterized in that the device includes a memory and a processor; the memory is used to store a computer program; and the processor is used to execute the computer program stored in the memory to implement the access control method according to any one of claims 1 to 6.
9. A readable storage medium, characterized in that the readable storage medium stores a computer program which, when executed by a processor, implements the access control method according to any one of claims 1 to 6.
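The token flow of claims 1 and 6, as an added Python simulation that is not part of the patent: the gateway holds the access token server-side and swaps it in for the browser-held identity token on each menu request, so a leaked identity token alone does not reach the resource. The `AuthCenter` and `Gateway` classes, the in-memory token stores, single-use codes bound to a client ID, and the `alice`/`app2`/`orders` sample data are all assumptions; the patent does not specify token formats or lifetimes.

```python
import secrets
class AuthCenter:
    """Unified authorization and authentication center (assumed in-memory model)."""
    def __init__(self, user_menus):
        self.user_menus = user_menus  # user -> {client_id: [menus]}, constructed sample data
        self.codes, self.access = {}, {}  # code -> (user, client_id); access token -> same
    def authorize(self, user, client_id):
        """Authorization request (user identity taken from the cookie) -> authorization code."""
        code = secrets.token_urlsafe(16)
        self.codes[code] = (user, client_id)
        return code
    def token(self, code, client_id):
        """Token request: the code is single-use and bound to the client ID it was issued for."""
        user, cid = self.codes.pop(code, (None, None))
        if user is None or cid != client_id:
            raise PermissionError("invalid authorization code or client_id mismatch")
        access = secrets.token_urlsafe(24)
        self.access[access] = (user, client_id)
        return {"id_token": secrets.token_urlsafe(24), "access_token": access}

    def menu(self, access_token, menu):
        """Resource request: menus are filtered by the user's permissions in that application."""
        user, cid = self.access.get(access_token, (None, None))
        if user is None or menu not in self.user_menus.get(user, {}).get(cid, []):
            raise PermissionError("access token not valid for this menu")
        return f"resource:{cid}/{menu}"

class Gateway:
    """Holds access tokens server-side; the browser only ever sees the identity token."""
    def __init__(self, auth_center):
        self.ac, self.sessions = auth_center, {}  # identity token -> access token

    def token_request(self, code, client_id):
        tokens = self.ac.token(code, client_id)
        self.sessions[tokens["id_token"]] = tokens["access_token"]
        return tokens["id_token"]  # the access token never leaves the gateway

    def menu_request(self, id_token, menu):
        if id_token not in self.sessions:
            raise PermissionError("unknown identity token")
        # Claim 6: the gateway swaps the identity token for the access token before forwarding
        return self.ac.menu(self.sessions[id_token], menu)

def switch_application(ac, gw, cookie, client_id, menu):
    """Client side of claim 1: cookie present -> code -> identity token via gateway -> menu."""
    if not cookie.get("user"):
        raise PermissionError("no login cookie; the user must authenticate first")
    code = ac.authorize(cookie["user"], client_id)
    id_token = gw.token_request(code, client_id)
    return id_token, gw.menu_request(id_token, menu)
```

The checks worth keeping in a real deployment are the ones exercised here: a code is rejected on replay or when presented with a different client ID, and a menu outside the user's permissions for that application is refused even with a valid token.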