Communication method, terminal, server, network function, communication device, communication system, storage medium, and computer program product
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- BEIJING XIAOMI MOBILE SOFTWARE CO LTD
- Filing Date
- 2024-11-04
- Publication Date
- 2026-06-16
AI Technical Summary
With the introduction of digital identities, existing communication mechanisms are unable to effectively authenticate and authorize users' digital identities, leading to the risk of identity forgery attacks in mobile metaverse services.
The terminal sends a request for authentication and authorization to the first server. The first server and the first network function verify and check the digital identity to ensure its legitimacy, and perform security verification and authorization through a token mechanism.
It enables effective authentication and authorization of digital identities, prevents identity forgery attacks, and ensures secure access to mobile metaverse services.
Smart Images

Figure CN122228680A_ABST
Abstract
Description
Communication methods, terminals, servers, network functions, communication equipment, communication systems, storage media, and computer program products. Technical Field
[0001] This disclosure relates to the field of communication technology, and in particular to a communication method, terminal, first server, first network function, communication equipment, communication system, storage medium, and computer program product. Background Technology
[0002] In the field of communications, digital identity (also known as virtual identity or avatar) has been introduced. Digital identity is a digital representation of a user's interaction with the metaverse and other users. The application enablement layer can create, discover, and manage the user's digital identity configuration information.
[0003] Summary of the Invention
[0004] With the introduction of digital identity, communication mechanisms need to be adjusted.
[0005] This disclosure provides a communication method, a terminal, a first server, a first network function, a communication system, a storage medium, and a computer program product.
[0006] According to a first aspect of the present disclosure, a communication method is provided, the method being executed by a terminal, the method comprising:
[0007] Send the first message to the first server;
[0008] The first information is used to request authentication and / or authorization of the digital identity, which is the identity corresponding to the user's access to the Mobile Metaverse service through the terminal.
[0009] According to a second aspect of the present disclosure, a communication method is provided, the method being executed by a first server, the method comprising:
[0010] The first message sent by the receiving terminal;
[0011] The first information is used to request authentication and / or authorization of the digital identity, which is the identity corresponding to the user's access to the Mobile Metaverse service through the terminal.
[0012] According to a third aspect of the present disclosure, a communication method is provided, the method being executed by a first network function, the method comprising:
[0013] Receive the eighth message sent by the first server;
[0014] The eighth piece of information is used to request the first network function to check whether the digital identity is allowed to be used by the user and / or whether it is allowed to access the mobile metaverse service.
[0015] According to a fourth aspect of the present disclosure, a communication device is provided, the communication device being used to perform the communication methods described in any one of the first, second, third, and / or fourth aspects.
[0016] According to a fifth aspect of the present disclosure, a communication system is provided, comprising: a terminal, a first server, and a first network device; wherein the terminal is configured to perform the method described in the optional implementation of the first aspect, the first server is configured to perform the method described in the optional implementation of the second aspect, and the first network device is configured to perform the method described in the optional implementation of the third aspect.
[0017] According to a sixth aspect of the present disclosure, a computer program product is provided, including a computer program or instructions, which, when executed by a processor, implement the steps of the methods described in the first aspect, the second aspect, and / or the third aspect.
[0018] According to a seventh aspect of the present disclosure, a storage medium is provided, wherein the storage medium stores instructions that, when executed on a communication device, cause the communication device to perform the methods provided in the first aspect, the second aspect, and / or the third aspect.
[0019] The technical solutions provided in this disclosure can adapt to communication mechanisms after the introduction of digital identity.
[0020] It should be understood that the above general description and the following detailed description are exemplary and explanatory only, and are not intended to limit the embodiments of this disclosure. Attached Figure Description
[0021] The accompanying drawings, which are incorporated in and form part of this specification, illustrate embodiments of the invention and, together with the description, serve to explain the principles of the embodiments of the invention.
[0022] Figure 1a is a schematic diagram of the architecture of a communication system according to an exemplary embodiment;
[0023] Figure 2a is a flowchart illustrating a communication method according to an exemplary embodiment;
[0024] Figure 3 is a flowchart illustrating a communication method according to an exemplary embodiment;
[0025] Figure 4a is a flowchart illustrating a communication method according to an exemplary embodiment;
[0026] Figure 4b is a flowchart illustrating a communication method according to an exemplary embodiment;
[0027] Figure 5a is a schematic diagram of the structure of a terminal according to an exemplary embodiment;
[0028] Figure 5b is a schematic diagram of the structure of a first server according to an exemplary embodiment;
[0029] Figure 5c is a schematic diagram illustrating the structure of a first network function according to an exemplary embodiment;
[0030] Figure 5d is a schematic diagram of the structure of a second server according to an exemplary embodiment;
[0031] Figure 6a is a schematic diagram of the structure of a UE according to an exemplary embodiment;
[0032] Figure 6b is a schematic diagram of the structure of a communication device according to an exemplary embodiment. Detailed Implementation
[0033] This disclosure provides a communication method, a terminal, a first server, a first network function, a second server, a communication device, a communication system, a computer program product, and a storage medium.
[0034] In a first aspect, embodiments of this disclosure provide a communication method, the method being executed by a terminal, the method comprising:
[0035] Send the first message to the first server;
[0036] The first information is used to request authentication and / or authorization of the digital identity, which is the identity corresponding to the user's access to the Mobile Metaverse service through the terminal.
[0037] In the above embodiments, authentication and / or authorization of the digital identity can be achieved by sending first information to the first server to request authentication and / or authorization of the digital identity, thereby ensuring the security of access to the mobile metaverse service.
[0038] In conjunction with some embodiments of the first aspect, in some embodiments, the first information includes at least one of the following:
[0039] Client identity identifier (ID);
[0040] User ID;
[0041] Digital identity ID;
[0042] The digital identity object corresponding to the digital identity ID;
[0043] The Metaverse Business ID to be accessed.
[0044] In conjunction with some embodiments of the first aspect, in some embodiments, the method further includes:
[0045] Receive the second information sent by the first server;
[0046] The second information is used to indicate that the digital identity object has failed verification.
[0047] In the above embodiment, since the second information sent by the first server is received, it can be determined that the digital identity object has failed verification based on the second information after receiving the second information.
[0048] In conjunction with some embodiments of the first aspect, in some embodiments, the method further includes:
[0049] Receive third information sent by the first server; wherein the third information is used to indicate one of the following: an authorization code; an authorization code and a second server ID; whether the authorization code, the second server ID, and the digital identity are allowed to access multiple mobile metaverse services.
[0050] In the above embodiments, after receiving third information, the terminal can explicitly determine that the digital identity is allowed to access the mobile metaverse service based on the authorization code; and / or, it can determine whether the digital identity is allowed to access multiple mobile metaverse services based on the indication.
[0051] In conjunction with some embodiments of the first aspect, in some embodiments, the method further includes:
[0052] The system receives a fourth message sent by the first server; wherein the fourth message indicates that the digital identity is not allowed to be used by the user or is not allowed to access the mobile metaverse service; and / or, the fourth message indicates the reason why the digital identity is not allowed to be used by the user or is not allowed to access the mobile metaverse service, the reason being that the digital identity is not allowed to represent the user and / or is not allowed to access the mobile metaverse service.
[0053] In the above embodiments, after receiving the fourth information, it can be determined that the digital identity is not allowed to be used by the user or is not allowed to access the mobile metaverse service; the terminal can determine the reason why the digital identity is not allowed to be used by the user or is not allowed to access the mobile metaverse service based on the fourth information.
[0054] In conjunction with some embodiments of the first aspect, in some embodiments, the method further includes:
[0055] Upon receiving the authorization code, the fifth piece of information is sent to the first server;
[0056] The fifth piece of information is used to request a first token and / or a second token. The first token is used by the Metaverse Business Client in the terminal to authenticate the digital identity, and the second token is used by the Metaverse Business Client in the terminal to access the Metaverse Business.
[0057] In the above embodiments, after receiving the authorization code, the terminal can promptly request the first token and / or the second token from the first server.
[0058] In conjunction with some embodiments of the first aspect, in some embodiments, the fifth information is also used to indicate at least one of the following:
[0059] The terminal's ID;
[0060] The ID of the Metaverse business client in the terminal;
[0061] The ID of the second server;
[0062] The authorization code sent by the first server.
[0063] In conjunction with some embodiments of the first aspect, in some embodiments, the method further includes:
[0064] Receive the sixth message sent by the first server;
[0065] The sixth piece of information includes the first token and / or the second token.
[0066] In the above embodiments, the terminal can obtain the requested first token and / or second token from the first server.
[0067] In conjunction with some embodiments of the first aspect, in some embodiments, the first token includes at least one of the following:
[0068] The issuer's declaration is used to instruct the first server;
[0069] A subject statement, which indicates one of the following: a digital identity ID; or an association between a user ID and a digital identity ID;
[0070] Audience statement, which indicates one of the following: the client ID of the metaverse service requested by the user; the ID of the terminal;
[0071] A time statement, which indicates the validity period of the token;
[0072] Additional statement, which indicates at least one of the following: user ID; user name; digital identity object.
[0073] In conjunction with some embodiments of the first aspect, in some embodiments, the method further includes:
[0074] Verify the first token.
[0075] In the above embodiments, the terminal can verify the first token to ensure the secure use of the token.
[0076] In conjunction with some embodiments of the first aspect, in some embodiments, verifying the first token includes at least one of the following:
[0077] Integrity verification of the first token is performed based on the certificate of the first server.
[0078] Determine whether the digital identity ID indicated by the subject claim of the first token matches the requested digital identity ID;
[0079] Determine whether the user ID indicated by the subject claim of the first token matches the requested user ID;
[0080] Determine whether the client ID indicated by the audience claim of the first token matches the ID of the Metaverse business client in the terminal;
[0081] Determine whether the validity period indicated by the time statement of the first token has expired;
[0082] Determine whether the user ID contained in the additional claim of the first token matches the requested user ID;
[0083] Determine whether the digital identity object indicated by the first token appended claim matches the digital identity object selected by the user.
[0084] In the above embodiments, the first token can be verified from multiple aspects to ensure the secure use of the token.
[0085] In conjunction with some embodiments of the first aspect, in some embodiments, the method further includes:
[0086] Send the seventh message to the second server;
[0087] The seventh piece of information includes at least one of the following:
[0088] The digital identity ID;
[0089] The digital identity object corresponding to the digital identity ID;
[0090] The Metaverse Business ID to be accessed;
[0091] The second token.
[0092] In the above embodiments, a second token can be obtained from a second server.
[0093] In conjunction with some embodiments of the first aspect, in some embodiments, the second token includes at least one of the following:
[0094] The issuer's declaration is used to instruct the first server;
[0095] A subject statement, which indicates one of the following: a digital identity ID; or an association between a user ID and a digital identity ID;
[0096] Audience statement, which indicates the server ID of the metaverse service that the user requests to access;
[0097] A time statement, which indicates the validity period of the token;
[0098] Scope declarations are used to indicate the metaverse business ID to be accessed;
[0099] Additional statement, which is used to indicate the user ID.
[0100] Secondly, embodiments of this disclosure provide a communication method, which is executed by a first server, the method comprising:
[0101] The first message sent by the receiving terminal;
[0102] The first information is used to request authentication and / or authorization of the digital identity, which is the identity corresponding to the user's access to the Mobile Metaverse service through the terminal.
[0103] In conjunction with some embodiments of the second aspect, in some embodiments, the first information includes at least one of the following:
[0104] Client ID;
[0105] User ID;
[0106] Digital identity ID;
[0107] The digital identity object corresponding to the digital identity ID;
[0108] The Metaverse Business ID to be accessed.
[0109] In conjunction with some embodiments of the second aspect, in some embodiments, the method further includes:
[0110] The digital identity object is verified based on the first certificate;
[0111] The first certificate is obtained from the first network function, and the digital identity object is digitally signed by the first network function.
[0112] In conjunction with some embodiments of the second aspect, in some embodiments, the method further includes one of the following:
[0113] If the digital identity object is verified, an eighth message is sent to the first network function; wherein the eighth message is used to request the first network function to check whether the digital identity is allowed to be used by the user and / or whether the digital identity is allowed to access the mobile metaverse service;
[0114] If the digital identity object fails verification, a second message is sent to the terminal; wherein the second message is used to indicate that the digital identity object has failed verification.
[0115] In conjunction with some embodiments of the second aspect, in some embodiments, the eighth information includes at least one of the following: user ID; digital identity ID; metaverse service ID to be accessed.
[0116] In conjunction with some embodiments of the second aspect, in some embodiments, the method further includes:
[0117] The first network function is determined based on the information contained in the first certificate.
[0118] In conjunction with some embodiments of the second aspect, in some embodiments, the method further includes:
[0119] Receive the ninth message sent by the first network function;
[0120] The ninth information is used to indicate the first result and / or the second result, wherein the first result is used to indicate whether the digital identity is allowed to be used by the user, and the second result is used to indicate whether the digital identity is allowed to access the mobile metaverse service.
[0121] In conjunction with some embodiments of the second aspect, in some embodiments, the ninth information is also used to indicate at least one of the following:
[0122] Second server identifier;
[0123] Is a digital identity allowed to access multiple mobile metaverse services?
[0124] In conjunction with some embodiments of the second aspect, in some embodiments, the method further includes:
[0125] When the digital identity is allowed to be used by the user and is allowed to access mobile metaverse services, a third message is sent to the terminal; wherein the third message is used to indicate one of the following: an authorization code and a second server ID; and whether the authorization code, the second server ID, and the digital identity are allowed to access multiple mobile metaverse services.
[0126] In conjunction with some embodiments of the second aspect, in some embodiments, the method further includes:
[0127] If the digital identity is not permitted for use by the user and / or is not permitted to access the Mobile Metaverse service, a fourth message is sent to the terminal; wherein the fourth message is used to indicate that the digital identity is not permitted for use by the user or is not permitted to access the Mobile Metaverse service; and / or, the fourth message is used to indicate a reason, the reason being that the digital identity is not permitted to represent the user and / or is not permitted to access the Mobile Metaverse service.
[0128] In conjunction with some embodiments of the second aspect, in some embodiments, the method further includes:
[0129] Receive the fifth message sent by the terminal;
[0130] The fifth piece of information is used to request a first token and a second token. The first token is used by the Metaverse business client in the terminal to authenticate the digital identity, and the second token is used by the Metaverse business client in the terminal to access the Metaverse business.
[0131] In conjunction with some embodiments of the second aspect, in some embodiments, the fifth information is also used to indicate at least one of the following:
[0132] The terminal's ID;
[0133] The ID of the Metaverse business client in the terminal;
[0134] The ID of the second server;
[0135] The authorization code sent by the first server.
[0136] In conjunction with some embodiments of the second aspect, in some embodiments, the method further includes:
[0137] Send the sixth message to the terminal;
[0138] The sixth piece of information includes the first token and / or the second token.
[0139] In conjunction with some embodiments of the second aspect, in some embodiments, the first token includes at least one of the following declaration information:
[0140] The issuer's declaration is used to instruct the first server;
[0141] A subject statement, which indicates one of the following: a digital identity ID; or an association between a user ID and a digital identity ID;
[0142] Audience statement, which indicates one of the following: the client ID of the metaverse service requested by the user; the ID of the terminal;
[0143] A time statement, which indicates the validity period of the token;
[0144] Additional statement, which indicates at least one of the following: user ID; user name; digital identity object.
[0145] Thirdly, embodiments of this disclosure provide a communication method, the method being executed by a first network function, the method comprising:
[0146] Receive the eighth message sent by the first server;
[0147] The eighth piece of information is used to request the first network function to check whether the digital identity is allowed to be used by the user and / or whether it is allowed to access the mobile metaverse service.
[0148] In conjunction with some embodiments of the third aspect, in some embodiments, the eighth information includes at least one of the following: user ID; digital identity ID; metaverse service ID to be accessed.
[0149] In conjunction with some embodiments of the third aspect, in some embodiments, the method further includes at least one of the following:
[0150] Based on the configuration information of the digital identity and the eighth information, check whether the digital identity is allowed to be used by the user to obtain a first result;
[0151] Based on the configuration information of the digital identity and the eighth information, check whether the digital identity is allowed to access the mobile metaverse service to obtain a second result;
[0152] The configuration information of the digital identity is used to indicate the configuration information of the digital identity applicable to at least one metaverse business and / or the configuration information of at least one user associated with the digital identity.
[0153] In conjunction with some embodiments of the third aspect, in some embodiments, the method further includes:
[0154] Send the ninth message to the first server;
[0155] The ninth piece of information is used to indicate the first result and / or the second result.
[0156] In conjunction with some embodiments of the third aspect, in some embodiments, the ninth information is also used to indicate at least one of the following:
[0157] Second server identifier;
[0158] Is a digital identity allowed to access multiple mobile metaverse services?
[0159] Fourthly, embodiments of this disclosure provide a communication method, which is executed by a second server, the method comprising:
[0160] The seventh message sent by the receiving terminal;
[0161] The seventh information includes at least one of the following: the digital identity ID; the digital identity object corresponding to the digital identity ID; the metaverse service ID or name to be accessed; and the second token, which is used by the metaverse service client in the terminal to access the metaverse service.
[0162] In conjunction with some embodiments of the fourth aspect, in some embodiments, the second token includes at least one of the following statements:
[0163] The issuer's declaration is used to instruct the first server;
[0164] A subject statement, which indicates one of the following: a digital identity ID; or an association between a user ID and a digital identity ID;
[0165] Audience statement, which indicates the server ID of the metaverse service that the user requests to access;
[0166] A time statement, which indicates the validity period of the token;
[0167] Scope declarations are used to indicate the metaverse business ID to be accessed;
[0168] Additional statement, which is used to indicate the user ID.
[0169] In conjunction with some embodiments of the fourth aspect, in some embodiments, the method further includes:
[0170] Verify the second token.
[0171] In conjunction with some embodiments of the fourth aspect, in some embodiments, verifying the second token includes:
[0172] Integrity verification of the first token is performed based on the certificate of the first server.
[0173] Determine whether the digital identity ID indicated by the subject claim of the second token matches the requested digital identity ID;
[0174] Determine whether the user ID contained in the subject statement or supplementary statement of the second token matches the requested user ID;
[0175] Determine whether the server ID contained in the audience claim of the second token matches the second server ID;
[0176] Determine whether the validity period indicated by the time statement of the second token has expired.
[0177] Fifthly, embodiments of this disclosure provide a communication system, including: a terminal, a first server, a first network device, and / or a second server; wherein the terminal is configured to perform the method described in the optional implementation of the first aspect, the first server is configured to perform the method described in the optional implementation of the second aspect, the first network function is configured to perform the method described in the optional implementation of the third aspect, and the second server is configured to perform the method described in the optional implementation of the fourth aspect.
[0178] In a sixth aspect, embodiments of this disclosure provide a storage medium storing instructions that, when executed on a communication device, cause the communication device to perform the methods described in optional implementations of the first, second, third, and / or fourth aspects.
[0179] In a seventh aspect, embodiments of this disclosure provide a program product that, when executed by a communication device, causes the communication device to perform the method as described in the optional implementations of the first, second, third, and / or fourth aspects.
[0180] In an eighth aspect, embodiments of this disclosure provide a computer program that, when run on a computer, causes the computer to perform the methods described in optional implementations of the first, second, third, and / or fourth aspects.
[0181] Ninthly, embodiments of this disclosure provide a chip or chip system. The chip or chip system includes processing circuitry configured to perform the methods described according to optional implementations of the first, second, third, and / or fourth aspects above.
[0182] It is understood that the aforementioned terminals, servers, network functions, communication devices, communication systems, storage media, program products, computer programs, chips, or chip systems are all used to execute the methods proposed in the embodiments of this disclosure. Therefore, the beneficial effects they can achieve can be referred to the beneficial effects in the corresponding methods, and will not be repeated here.
[0183] This disclosure provides a communication method. In some embodiments, the terms "communication method" and "information indication method," "information processing method," and "information transmission method" can be used interchangeably, as can the terms "communication system" and "information processing system."
[0184] This disclosure is not exhaustive, but merely illustrative of some embodiments, and is not intended to limit the scope of protection of this disclosure. Unless otherwise specified, each step in a particular embodiment can be implemented as an independent embodiment, and the steps can be arbitrarily combined. For example, a solution after removing some steps in a particular embodiment can also be implemented as an independent embodiment, and the order of the steps in a particular embodiment can be arbitrarily interchanged. Furthermore, the optional implementation methods in a particular embodiment can be arbitrarily combined; moreover, the embodiments can be arbitrarily combined, for example, some or all steps of different embodiments can be arbitrarily combined, and a particular embodiment can be arbitrarily combined with the optional implementation methods of other embodiments.
[0185] In each of the disclosed embodiments, unless otherwise specified or in case of logical conflict, the terminology and / or descriptions of the embodiments are consistent and can be referenced by each other. Technical features in different embodiments can be combined to form new embodiments based on their inherent logical relationships.
[0186] The terminology used in the embodiments of this disclosure is for the purpose of describing particular embodiments only and is not intended to limit the scope of this disclosure.
[0187] In this embodiment of the disclosure, unless otherwise stated, elements expressed in the singular form, such as "a," "an," "the," "the," "the," "the," "the," "the," "this," etc., can mean "one and only one," or "one or more," "at least one," etc. For example, when using articles such as "a," "an," "the," etc. in translation, the noun following the article can be understood as either a singular expression or a plural expression.
[0188] In the embodiments disclosed herein, "multiple" refers to two or more.
[0189] In some embodiments, the terms “at least one of”, “one or more”, “a plurality of”, “multiple”, etc., may be used interchangeably.
[0190] In some embodiments, the notation "at least one of A and B", "A and / or B", "A in one case, B in another", "in response to one case A, in response to another case B", etc., may include the following technical solutions depending on the situation: in some embodiments, A (execute A regardless of B); in some embodiments, B (execute B regardless of A); in some embodiments, execution is selected from A and B (A and B are selectively executed); in some embodiments, A and B (both A and B are executed). The same applies when there are more branches such as A, B, C, etc.
[0191] In some embodiments, the notation "A or B" may include the following technical solutions, depending on the situation: in some embodiments, A (execution of A regardless of B); in some embodiments, B (execution of B regardless of A); in some embodiments, execution is selected from A and B (A and B are selectively executed). The same applies when there are more branches such as A, B, C, etc.
[0192] The prefixes "first," "second," etc., used in the embodiments of this disclosure are merely for distinguishing different descriptive objects and do not impose restrictions on the position, order, priority, quantity, or content of the descriptive objects. The description of the descriptive objects is found in the claims or the context of the embodiments, and the use of prefixes should not constitute unnecessary restrictions. For example, if the descriptive object is a "field," the ordinal numbers preceding "field" in "first field" and "second field" do not restrict the position or order of the "fields." "First" and "second" do not restrict whether the "fields" they modify are in the same message, nor do they restrict the order of "first field" and "second field." Similarly, if the descriptive object is a "level," the ordinal numbers preceding "level" in "first level" and "second level" do not restrict the priority between "levels." Furthermore, the number of descriptive objects is not limited by ordinal numbers and can be one or more. For example, in "first device," the number of "devices" can be one or more. Furthermore, the objects modified by different prefixes can be the same or different. For example, if the object being described is "device", then "first device" and "second device" can be the same device or different devices, and their types can be the same or different. Similarly, if the object being described is "information", then "first information" and "second information" can be the same information or different information, and their content can be the same or different.
[0193] In some embodiments, “including A,” “containing A,” “for indicating A,” and “carrying A” can be interpreted as directly carrying A or indirectly indicating A.
[0194] In some embodiments, terms such as "time / frequency" and "time-frequency domain" refer to the time domain and / or frequency domain.
[0195] In some embodiments, the terms “in response to…”, “in response to determining…”, “in the case of…”, “when…”, “if…”, “if…”, etc., can be used interchangeably.
[0196] In some embodiments, the terms “greater than,” “greater than or equal to,” “not less than,” “more than,” “more than or equal to,” “not less than,” “higher than,” “higher than or equal to,” “not lower than,” and “above” can be used interchangeably, as can the terms “less than,” “less than or equal to,” “not greater than,” “less than,” “less than or equal to,” “not more than,” “lower than,” “lower than or equal to,” “not higher than,” and “below”.
[0197] In some embodiments, devices, etc., can be interpreted as physical or virtual, and their names are not limited to the names recorded in the embodiments. Terms such as “device”, “equipment”, “circuit”, “network element”, “node”, “function”, “unit”, “section”, “system”, “network”, “chip”, “chip system”, “entity”, and “subject” can be used interchangeably.
[0198] In some embodiments, "network" can be interpreted as devices included in the network (e.g., access network devices, core network devices, etc.).
[0199] In some embodiments, the terms "access network device (AN device)," "radio access network device (RAN device)," "base station (BS)," "radio base station," "fixed station," "node," "access point," "transmission point (TP)," "reception point (RP)," "transmission / reception point (TRP)," "panel," "antenna panel," "antenna array," "cell," "macro cell," "small cell," "femto cell," "pico cell," "sector," "cell group," "serving cell," "carrier," "component carrier," and "bandwidth part (BWP)" can be used interchangeably.
[0200] In some embodiments, the terms "terminal", "terminal device", "user equipment (UE)", "user terminal", "mobile station (MS)", "mobile terminal (MT)", "subscriber station", "mobile unit", "subscriber unit", "wireless unit", "remote unit", "mobile device", "wireless device", "wireless communication device", "remote device", "mobile subscriber station", "access terminal", "mobile terminal", "wireless terminal", "remote terminal", "handset", "user agent", "mobile client", and "client" can be used interchangeably.
[0201] In some embodiments, access network devices, core network devices, or network devices can be replaced by terminals. For example, embodiments of this disclosure can also be applied to structures where communication between access network devices, core network devices, or network devices and terminals is replaced by communication between multiple terminals (e.g., device-to-device (D2D), vehicle-to-everything (V2X), etc.). In this case, the structure can also be configured such that the terminal has all or part of the functions of the access network device. Furthermore, terms such as "uplink" and "downlink" can be replaced with terms corresponding to communication between terminals (e.g., "sidelink"). For example, uplink channel, downlink channel, etc., can be replaced with sidelink channel, and uplink link, downlink, etc., can be replaced with sidelink link.
[0202] In some embodiments, the terminal may be replaced by an access network device, a core network device, or a network device. In this case, the access network device, core network device, or network device may also be configured to have all or some of the functions of the terminal.
[0203] In some embodiments, the acquisition of data, information, etc., may comply with the laws and regulations of the country where the location is situated.
[0204] In some embodiments, data, information, etc., may be obtained with the user's consent.
[0205] Furthermore, each element, each row, or each column in the table of this disclosure can be implemented as an independent embodiment, and any combination of any element, any row, or any column can also be implemented as an independent embodiment.
[0206] Figure 1a is a schematic diagram of the architecture of a communication system according to an embodiment of the present disclosure.
[0207] As shown in Figure 1a, the communication system 100 includes a terminal 101, a network device 102, and a server 103.
[0208] In some embodiments, network device 102 may include access network devices and / or core network devices (also referred to as network functions).
[0209] In some embodiments, terminal 101 includes, but is not limited to, at least one of the following: mobile phone, wearable device, Internet of Things device, car with communication function, smart car, tablet computer, computer with wireless transceiver function, virtual reality (VR) terminal device, augmented reality (AR) terminal device, wireless terminal device in industrial control, wireless terminal device in self-driving, wireless terminal device in remote medical surgery, wireless terminal device in smart grid, wireless terminal device in transportation safety, wireless terminal device in smart city, and wireless terminal device in smart home.
[0210] In some embodiments, the access network device is, for example, a node or device that connects a terminal to a wireless network. The access network device may include, but is not limited to, at least one of the following in a 5G communication system: evolved Node B (eNB), next-generation eNB (ng-eNB), next-generation Node B (gNB), node B (NB), home node B (HNB), home evolved node B (HeNB), radio backhaul device, radio network controller (RNC), base station controller (BSC), base transceiver station (BTS), base band unit (BBU), mobile switching center, base station in a 6G communication system, open RAN, cloud RAN, base station in other communication systems, and access node in a Wi-Fi system.
[0211] In some embodiments, the technical solutions of this disclosure can be applied to the Open RAN architecture. In this case, the interfaces between or within access network devices involved in the embodiments of this disclosure can be transformed into internal interfaces of Open RAN. The processes and information interactions between these internal interfaces can be implemented by software or programs.
[0212] In some embodiments, the access network device may be composed of a central unit (CU) and a distributed unit (DU). The CU may also be called a control unit. The CU-DU structure can separate the protocol layer of the access network device. Some of the protocol layer functions are centrally controlled by the CU, while the remaining part or all of the protocol layer functions are distributed in the DU and centrally controlled by the CU. However, this is not the only possibility.
[0213] In some embodiments, the core network equipment can be a single device, such as a first network device or a second network device, or it can be multiple devices or a group of devices, including all or part of the first network device, the second network device, etc. Network devices can be virtual or physical. Network devices can also be referred to as network elements. The core network includes, for example, at least one of the Evolved Packet Core (EPC), 5G Core Network (5GCN), and Next Generation Core (NGC).
[0214] It is understood that the communication system described in this disclosure is for the purpose of more clearly illustrating the technical solutions of this disclosure, and does not constitute a limitation on the technical solutions proposed in this disclosure. As those skilled in the art will know, with the evolution of system architecture and the emergence of new business scenarios, the technical solutions proposed in this disclosure are also applicable to similar technical problems.
[0215] The following embodiments of this disclosure can be applied to the communication system 100 shown in FIG1a, or to some of the main bodies, but are not limited thereto. The main bodies shown in FIG1a are illustrative. The communication system may include all or some of the main bodies in FIG1a, or it may include other main bodies outside of FIG1a. The number and form of each main body are arbitrary. Each main body may be physical or virtual. The connection relationship between the main bodies is illustrative. The main bodies may not be connected or may be connected. The connection may be in any way, such as direct connection or indirect connection, wired connection or wireless connection.
[0216] The embodiments disclosed herein can be applied to Long Term Evolution (LTE), LTE-Advanced (LTE-A), LTE-Beyond (LTE-B), SUPER 3G, IMT-Advanced, 4th generation mobile communication system (4G), 5th generation mobile communication system (5G), 5G new radio (NR), Future Radio Access (FRA), New-Radio Access Technology (RAT), New Radio (NR), New radio access (NX), Future generation radio access (FX), Global System for Mobile communications (GSM), CDMA2000, Ultra Mobile Broadband (UMB), IEEE 802.11 (Wi-Fi), IEEE 802.16 (WiMAX), and IEEE 802.20, Ultra-Wideband (UWB), Bluetooth (a registered trademark), Public Land Mobile Network (PLMN) networks, Device-to-Device (D2D) systems, Machine-to-Machine (M2M) systems, Internet of Things (IoT) systems, Vehicle-to-Everything (V2X) systems, systems utilizing other communication methods, and next-generation systems built upon them, etc. Furthermore, multiple systems can be combined (e.g., a combination of LTE or LTE-A with 5G).
[0217] In some embodiments, a digital identity (also referred to as a virtual identity or avatar) is a digital representation of a user's interaction with the metaverse and other users. The application enablement layer can create, discover, and manage configuration information for a user's digital identity, thereby reducing the burden on applications and enabling core network functions across businesses and vertical industries. The metaverse supports businesses in providing mechanisms to create, update, acquire, or discover digital identities as digital assets. Most metaverse applications require digital identities for users to interact with the application. Furthermore, users can seamlessly switch between metaverse applications using the same digital identity, taking into account the constraints of the applications accessed.
[0218] In some embodiments, without authentication of digital identities, attackers can forge digital identities to impersonate users with legitimate identities. For example, an attacker can download another user's digital identity or generate their own digital identity (such as an avatar) by copying and pasting another user's digital identity, and use the forged or stolen digital identity to impersonate the attacker when interacting with the metaverse and other users. Such attacks cannot be detected as long as the association between the digital identity and the user it truly represents cannot be verified within the mobile metaverse service. As a result, attackers can manipulate forged or copied stolen digital identities within the mobile metaverse service to launch further types of attacks. Even though the unique identifier of a legitimate digital identity may change from time to time, attackers can still launch such attacks within the identifier's validity period.
[0219] In some embodiments, the key issue focuses on the authentication and authorization of digital representatives (e.g., digital identities) with their unique identifiers. It is required that 5G or 6G systems provide means to support the authentication of digital representatives to represent users in mobile metaverse services, and to provide means to support the use of digital representatives (e.g., digital identities) by authorized users or subscribers in mobile metaverse services. Therefore, it is necessary to investigate a method for a mobile communication system to authenticate digital representatives (digital identities) when representing users.
[0220] Figure 2a is an interactive schematic diagram of a communication method according to an embodiment of the present disclosure. As shown in Figure 2a, the present disclosure relates to a communication method for a communication system 100, the method comprising:
[0221] Step S2101: The terminal sends the first information to the first server.
[0222] In some embodiments, the first server receives first information sent by the terminal.
[0223] In some embodiments, the first server is a service-enabled architecture layer identity management server (SIM-S, SEAL Identity Management Server).
[0224] In some embodiments, the Service Enabled Architecture Layer Identity Management Client (SIM-C) sends first information to the first server via a terminal.
[0225] In some embodiments, the first information is used to request authentication and / or authorization of a digital identity (e.g., digital representation).
[0226] In some embodiments, the digital identity is the identity corresponding to a user's access to the Mobile Metaverse service through the terminal.
[0227] In some embodiments, a digital identity can be an avatar.
[0228] In some embodiments, the first information includes at least one of the following:
[0229] Client identity identifier (ID), for example, Vertical Application Layer (VAL) client ID;
[0230] User ID, for example, User ID;
[0231] Digital identity ID, such as an avatar ID;
[0232] The digital identity object corresponding to the digital identity ID;
[0233] The Metaverse Business ID to be accessed.
[0234] In some embodiments, the Metaverse Service ID to be accessed can be the Metaverse Service Name to be accessed.
[0235] In some embodiments, the terminal sends an OpenID Connect Authentication Request message to the first server, the message containing the first information.
[0236] Step S2102: The first server verifies the digital identity object.
[0237] In some embodiments, the digital identity object is verified based on a first certificate.
[0238] In some embodiments, the first certificate is a certificate obtained from a first network function.
[0239] In some embodiments, the digital identity object is digitally signed by the first network function.
[0240] In some embodiments, the first network function is determined based on information contained in the first certificate.
[0241] In some embodiments, the first network function is Application-Digital Asset Container Management (A-DACM).
[0242] Step S2103: The first server sends the eighth information to the first network function.
[0243] In some embodiments, the first network function receives the eighth information sent by the first server.
[0244] In some embodiments, if the digital identity object is verified, an eighth message is sent to the first network function.
[0245] In some embodiments, the eighth information is used to request the first network function to check whether the digital identity is permitted for use by the user.
[0246] In some embodiments, the eighth piece of information is used to request whether the digital identity is allowed to access the Mobile Metaverse service.
[0247] In some embodiments, the eighth information includes at least one of the following: user ID; digital identity ID; metaverse service ID to be accessed.
[0248] It should be noted that either step S2103 or step S2104 can be performed.
[0249] Step S2104: The first server sends the second information to the terminal.
[0250] In some embodiments, the terminal receives second information sent by the first server.
[0251] In some embodiments, if the digital identity object fails verification, a second message is sent to the terminal.
[0252] In some embodiments, the second information is used to indicate that the digital identity object has failed verification.
[0253] In some embodiments, the second information is used to indicate the reason why the digital identity object failed verification.
[0254] In some embodiments, the reason is that the verification of the digital identity object failed.
[0255] Step S2105: The first network function checks the digital identity.
[0256] In some embodiments, the first network function checks whether the digital identity is permitted to be used by the user based on the configuration information of the digital identity and the eighth information, and obtains a first result.
[0257] In some embodiments, the first network function checks whether the digital identity is allowed to access mobile metaverse services based on the configuration information of the digital identity and the eighth information, and obtains a second result.
[0258] In some embodiments, the configuration information of the digital identity is used to indicate a digital identity applicable to at least one metaverse business.
[0259] In some embodiments, the configuration information of the digital identity is the configuration information of at least one user associated with the digital identity.
[0260] In some embodiments, the configuration information of the digital identity is a digital identity applicable to at least one metaverse business and configuration information of at least one user associated with the digital identity.
[0261] Step S2106: The first network function sends the ninth information to the first server.
[0262] In some embodiments, the first server receives the ninth message sent by the first network function.
[0263] In some embodiments, the ninth information is used to indicate the first result and / or the second result.
[0264] In some embodiments, the first result is used to indicate whether the digital identity is permitted for use by the user.
[0265] In some embodiments, the second result is used to indicate whether the digital identity is allowed to access the Mobile Metaverse service.
[0266] In some embodiments, the ninth information is also used to indicate a second server identifier.
[0267] In some embodiments, the ninth information is also used to indicate at least one of the following:
[0268] Second server identifier;
[0269] Is a digital identity allowed to access multiple mobile metaverse services?
[0270] Step S2107: The first server sends third information to the terminal.
[0271] In some embodiments, the terminal receives third information sent by the first server.
[0272] In some embodiments, the third information is used to indicate one of the following:
[0273] Authorization code;
[0274] Authorization code and second server ID;
[0275] Whether the authorization code, the second server ID, and the digital identity are allowed to access multiple mobile metaverse services.
[0276] In some embodiments, if the digital identity is allowed to access multiple mobile metaverse services, then if the mobile metaverse service client on the terminal belongs to any one of the multiple mobile metaverse services, it is not necessary to request a first token for authentication of the digital identity.
[0277] In some embodiments, where the digital identity is permitted for use by the user and is allowed to access mobile metaverse services, the first server sends third information to the terminal.
[0278] In some embodiments, the first server sends an Open Identity Connection Authentication Response Message to the terminal, which contains third-party information.
[0279] Step S2108: The first server sends the fourth information to the terminal.
[0280] In some embodiments, the terminal receives fourth information sent by the first server.
[0281] In some embodiments, the fourth information is used to indicate that the digital identity is not allowed to be used by the user or is not allowed to access the Mobile Metaverse service and to indicate the reason why the digital identity is not allowed to be used by the user or is not allowed to access the Mobile Metaverse service, the reason being that the digital identity is not allowed to represent the user and / or is not allowed to access the Mobile Metaverse service.
[0282] In some embodiments, if the digital identity is not permitted for use by the user and / or is not permitted to access mobile metaverse services, the first server sends fourth information to the terminal.
[0283] In some embodiments, the fourth information is used to indicate that the digital identity is not permitted for use by the user or is not permitted to access the Mobile Metaverse service.
[0284] In some embodiments, the fourth information is used to indicate the reason why the digital identity is not allowed to be used by the user or is not allowed to access the mobile metaverse service.
[0285] In some embodiments, the reason is that the digital identity is not allowed to represent the user and / or is not allowed to access the Mobile Metaverse service.
[0286] It should be noted that only one of steps S2107 and S2108 is executed.
[0287] Step S2109: The terminal sends the fifth information to the first server.
[0288] In some embodiments, the first server receives the fifth information sent by the terminal.
[0289] In some embodiments, upon receiving the authorization code, the terminal sends fifth information to the first server.
[0290] In some embodiments, the fifth information is used to request a first token (e.g., ID-Token_a) and / or a second token (e.g., an access token).
[0291] In some embodiments, the fifth information is also used to indicate at least one of the following:
[0292] The terminal's ID;
[0293] The ID of the Metaverse business client in the terminal;
[0294] The ID of the second server;
[0295] The authorization code sent by the first server.
[0296] In some embodiments, the first token is used by the Metaverse business client in the terminal to authenticate the digital identity.
[0297] In some embodiments, the second token is used by the Metaverse service client in the terminal to access the Metaverse service.
[0298] In some embodiments, the Metaverse service client in the terminal may be a SIM-C or VAL client, but is not limited thereto.
[0299] In some embodiments, the first token comprises at least one of the following:
[0300] An issuer (e.g., an issuer) statement, which is used to instruct the first server;
[0301] A subject statement (e.g., a subject declaration) is used to indicate one of the following: a digital identity ID; an association between a user ID and a digital identity ID; in some cases, a subject statement may also be referred to as a subject declaration, without limitation.
[0302] An audience (e.g., Audience) statement that indicates one of the following: the client ID of the metaverse service the user requests access to; or the ID of the terminal.
[0303] A time statement (e.g., an expiration time) is used to indicate the validity period of a token. For example, the validity period could be a first time after which the token expires.
[0304] Additional claims (e.g., additional claims if necessary) are used to indicate at least one of the following: user ID; user name; digital identity object. Here, additional claims may also be referred to as other claims, without limitation.
[0305] It should be noted that when an audience declares that the terminal's ID is included, it can be understood that the digital identity is allowed to access multiple metaverse services. If the client on the terminal belongs to any of these multiple mobile metaverse services, it can access the metaverse service based on the digital identity without having to repeatedly request the first token.
[0306] In some embodiments, the second token comprises at least one of the following:
[0307] The issuer's declaration is used to instruct the first server;
[0308] A subject statement, which indicates one of the following: a digital identity ID; or an association between a user ID and a digital identity ID;
[0309] Audience statement, which indicates the server ID of the metaverse service that the user requests to access;
[0310] A time statement, which indicates the validity period of the token;
[0311] Scope (e.g., a scope declaration) is used to indicate the metaverse business ID to be accessed;
[0312] Additional statement, which is used to indicate the user ID.
[0313] Step S2110: The first server sends the sixth information to the terminal.
[0314] In some embodiments, the terminal receives sixth information sent by the first server.
[0315] In some embodiments, the sixth information includes the first token and / or the second token.
[0316] Step S2111: The terminal verifies the first token.
[0317] In some embodiments, integrity verification of the first token is performed based on the certificate of the first server.
[0318] In some embodiments, the terminal determines whether the digital identity ID indicated by the subject claim of the first token matches the requested digital identity ID.
[0319] In some embodiments, the terminal determines whether the user ID indicated by the subject claim of the first token matches the requested user ID.
[0320] In some embodiments, the terminal determines whether the client ID indicated by the audience claim of the first token matches the ID of the Metaverse business client in the terminal.
[0321] In some embodiments, the terminal determines whether the validity period indicated by the time statement of the first token has expired.
[0322] In some embodiments, the terminal determines whether the user ID contained in the additional claim of the first token matches the requested user ID.
[0323] In some embodiments, the terminal determines whether the digital identity object indicated by the additional claim of the first token matches the digital identity object selected by the user.
[0324] Step S2112: The terminal sends the seventh information to the second server.
[0325] In some embodiments, the second server receives the seventh information sent by the terminal.
[0326] In some embodiments, the seventh information includes the second token.
[0327] In some embodiments, the seventh information includes at least one of the following:
[0328] The digital identity ID;
[0329] The digital identity object corresponding to the digital identity ID;
[0330] The Metaverse Business ID to be accessed;
[0331] The second token.
[0332] In some embodiments, the second server is a VAL server.
[0333] Step S2113: The second server verifies the second token.
[0334] In some embodiments, the second server performs integrity verification on the first token based on the certificate of the first server.
[0335] In some embodiments, the second server determines whether the digital identity ID indicated by the subject claim of the second token matches the requested digital identity ID.
[0336] In some embodiments, the second server determines whether the user ID contained in the subject statement or additional statement of the second token matches the requested user ID.
[0337] In some embodiments, the second server determines whether the server ID contained in the audience claim of the second token matches the second server ID.
[0338] In some embodiments, the second server determines whether the validity period indicated by the time statement of the second token has expired.
[0339] In some embodiments, the term "information" may be used interchangeably with terms such as "message," "signal," "signaling," "report," "configuration," "indication," "instruction," "command," "channel," "parameter," "field," and "data."
[0340] In some embodiments, the term "send" may be used interchangeably with terms such as "transmit," "report," or "transmit."
[0341] The information indication method involved in the embodiments of this disclosure may include at least one of steps S2101 to S2113. For example, step S2101 can be implemented as an independent embodiment, step S2102 can be implemented as an independent embodiment, step S2103 can be implemented as an independent embodiment, step S2104 can be implemented as an independent embodiment, step S2105 can be implemented as an independent embodiment, step S2106 can be implemented as an independent embodiment, step S2107 can be implemented as an independent embodiment, step S2108 can be implemented as an independent embodiment, step S2109 can be implemented as an independent embodiment, step S2110 can be implemented as an independent embodiment, step S2111 can be implemented as an independent embodiment, step S2112 can be implemented as an independent embodiment, and step S2113 can be implemented as an independent embodiment. For example, steps S2101 and S2102 combined with step S2104 can be implemented as an independent embodiment; steps S2101, S2102, S2103, and S2105 combined with step S2106 can be implemented as an independent embodiment; steps S2101, S2102, S2103, S2105, and S2106 combined with step S2108 can be implemented as an independent embodiment; and steps S2101, S2102, S2103, and S2105 combined with step S2108 can be implemented as an independent embodiment. Steps S2106, S2107, S2109, and S2110 combined with step S2111 can be implemented as an independent embodiment. Steps S2101, S2102, S2103, S2105, S2106, S2107, S2109, S2110, S2111, and S2112 combined with step S2113 can be implemented as an independent embodiment. Step S2112 combined with step S2113 can be implemented as an independent embodiment, but the implementation is not limited to these steps. It should be noted that each step can be implemented independently, or, without contradiction, its order can be arbitrarily changed and it can be freely combined for implementation.
[0342] This disclosure provides a communication method executed by a terminal, the method comprising:
[0343] Step S3101: Send the first information to the first server;
[0344] The first information is used to request authentication and / or authorization of the digital identity, which is the identity corresponding to the user's access to the Mobile Metaverse service through the terminal.
[0345] The first information includes at least one of the following:
[0346] Client identity identifier (ID);
[0347] User ID;
[0348] Digital identity ID;
[0349] The digital identity object corresponding to the digital identity ID;
[0350] The Metaverse Business ID to be accessed.
[0351] In some embodiments, the method further includes:
[0352] Receive the second information sent by the first server;
[0353] The second information is used to indicate that the digital identity object has failed verification.
[0354] In some embodiments, the second information is used to indicate the reason why the digital identity object failed verification, the reason being that the verification of the digital identity object failed.
[0355] In some embodiments, the method further includes:
[0356] Receive third information sent by the first server; wherein the third information is used to indicate one of the following: authorization code and the second server ID; whether the authorization code, the second server ID, and the digital identity are allowed to access multiple mobile metaverse services.
[0357] In some embodiments, the method further includes:
[0358] The system receives a fourth message sent by the first server; wherein the fourth message indicates that the digital identity is not allowed to be used by the user or is not allowed to access the mobile metaverse service; and / or, the fourth message indicates the reason why the digital identity is not allowed to be used by the user or is not allowed to access the mobile metaverse service, the reason being that the digital identity is not allowed to represent the user and / or is not allowed to access the mobile metaverse service.
[0359] In some embodiments, the method further includes:
[0360] Upon receiving the authorization code, the fifth piece of information is sent to the first server;
[0361] The fifth piece of information is used to request a first token and / or a second token. The first token is used by the Metaverse Business Client in the terminal to authenticate the digital identity, and the second token is used by the Metaverse Business Client in the terminal to access the Metaverse Business.
[0362] In some embodiments, the fifth information is also used to indicate at least one of the following:
[0363] The terminal's ID;
[0364] The ID of the Metaverse business client in the terminal;
[0365] The ID of the second server;
[0366] The authorization code sent by the first server.
[0367] In some embodiments, the method further includes:
[0368] Receive the sixth message sent by the first server;
[0369] The sixth piece of information includes the first token and / or the second token.
[0370] In some embodiments, the first token comprises at least one of the following:
[0371] The issuer's declaration is used to instruct the first server;
[0372] A subject statement, which indicates one of the following: a digital identity ID; or an association between a user ID and a digital identity ID;
[0373] Audience statement, which indicates one of the following: the client ID of the metaverse service requested by the user; the ID of the terminal;
[0374] A time statement, which indicates the validity period of the token;
[0375] Additional statement, which indicates at least one of the following: user ID; user name; digital identity object.
[0376] In some embodiments, the method further includes:
[0377] Verify the first token.
[0378] In some embodiments, verifying the first token includes at least one of the following:
[0379] Integrity verification of the first token is performed based on the certificate of the first server.
[0380] Determine whether the digital identity ID indicated by the subject claim of the first token matches the requested digital identity ID;
[0381] Determine whether the user ID indicated by the subject claim of the first token matches the requested user ID;
[0382] Determine whether the client ID indicated by the audience claim of the first token matches the ID of the Metaverse business client in the terminal;
[0383] Determine whether the validity period indicated by the time statement of the first token has expired;
[0384] Determine whether the user ID contained in the additional claim of the first token matches the requested user ID;
[0385] Determine whether the digital identity object indicated by the additional claim of the first token matches the digital identity object selected by the user.
[0386] In some embodiments, the method further includes:
[0387] Send the seventh message to the second server;
[0388] The seventh piece of information includes at least one of the following:
[0389] The digital identity ID;
[0390] The digital identity object corresponding to the digital identity ID;
[0391] The Metaverse Business ID to be accessed;
[0392] The second token.
[0393] In some embodiments, the second token comprises at least one of the following:
[0394] The issuer's declaration is used to instruct the first server;
[0395] A subject statement, which indicates one of the following: a digital identity ID; or an association between a user ID and a digital identity ID;
[0396] Audience statement, which indicates the server ID of the metaverse service that the user requests to access;
[0397] A time statement, which indicates the validity period of the token;
[0398] Scope declarations are used to indicate the metaverse business ID to be accessed;
[0399] Additional statement, which indicates at least one of the following: user ID; user name; digital identity object.
[0400] This disclosure provides a communication method executed by a first server, the method comprising:
[0401] Step S3201: Receive the first information sent by the terminal;
[0402] The first information is used to request authentication and / or authorization of the digital identity, which is the identity corresponding to the user's access to the Mobile Metaverse service through the terminal.
[0403] In some embodiments, the first information includes at least one of the following:
[0404] Client ID;
[0405] User ID;
[0406] Digital identity ID;
[0407] The digital identity object corresponding to the digital identity ID;
[0408] The Metaverse Business ID to be accessed.
[0409] In some embodiments, the method further includes:
[0410] The digital identity object is verified based on the first certificate;
[0411] The first certificate is obtained from the first network function, and the digital identity object is digitally signed by the first network function.
[0412] In some embodiments, the method further includes one of the following:
[0413] If the digital identity object is verified, an eighth message is sent to the first network function; wherein the eighth message is used to request the first network function to check whether the digital identity is allowed to be used by the user and / or whether the digital identity is allowed to access the mobile metaverse service;
[0414] If the digital identity object fails verification, a second message is sent to the terminal; wherein the second message is used to indicate that the digital identity object has failed verification.
[0415] In some embodiments, the eighth information includes at least one of the following: user ID; digital identity ID; metaverse service ID to be accessed.
[0416] In some embodiments, the second information is used to indicate the reason why the digital identity object failed verification, the reason being that the verification of the digital identity object failed.
[0417] In some embodiments, the method further includes:
[0418] The first network function is determined based on the information contained in the first certificate.
[0419] In some embodiments, the method further includes:
[0420] Receive the ninth message sent by the first network function;
[0421] The ninth information is used to indicate the first result and / or the second result, wherein the first result is used to indicate whether the digital identity is allowed to be used by the user, and the second result is used to indicate whether the digital identity is allowed to access the mobile metaverse service.
[0422] In some embodiments, the ninth information is also used to indicate at least one of the following:
[0423] Second server identifier;
[0424] Is a digital identity allowed to access multiple mobile metaverse services?
[0425] In some embodiments, the method further includes:
[0426] When the digital identity is permitted for use by the user and is allowed to access mobile metaverse services, a third message is sent to the terminal; wherein the third message is used to indicate one of the following: an authorization code; an authorization code and the second server ID; or whether the authorization code, the second server ID, and the digital identity are permitted to access multiple mobile metaverse services.
[0427] In some embodiments, the method further includes:
[0428] In cases where the digital identity is not permitted for use by the user and / or is not permitted to access the Mobile Metaverse service, a fourth message is sent to the terminal; wherein the fourth message is used to indicate that the digital identity is not permitted for use by the user or is not permitted to access the Mobile Metaverse service; and / or, the fourth message is used to indicate the reason why the digital identity is not permitted for use by the user or is not permitted to access the Mobile Metaverse service, the reason being that the digital identity is not permitted to represent the user and / or is not permitted to access the Mobile Metaverse service.
[0429] In some embodiments, the method further includes:
[0430] Receive the fifth message sent by the terminal;
[0431] The fifth piece of information is used to request a first token and a second token. The first token is used by the Metaverse business client in the terminal to authenticate the digital identity, and the second token is used by the Metaverse business client in the terminal to access the Metaverse business.
[0432] In some embodiments, the fifth information is also used to indicate at least one of the following:
[0433] The terminal's ID;
[0434] The ID of the Metaverse business client in the terminal;
[0435] The ID of the second server;
[0436] The authorization code sent by the first server.
[0437] In some embodiments, the method further includes:
[0438] Send the sixth message to the terminal;
[0439] The sixth piece of information includes the first token and / or the second token.
[0440] In some embodiments, the first token contains at least one of the following declaration information:
[0441] The issuer's declaration is used to instruct the first server;
[0442] A subject statement, which indicates one of the following: a digital identity ID; or an association between a user ID and a digital identity ID;
[0443] Audience statement, which indicates one of the following: the client ID of the metaverse service requested by the user; the ID of the terminal;
[0444] A time statement, which indicates the validity period of the token;
[0445] Additional statement, which indicates at least one of the following: user ID; user name; digital identity object.
[0446] This disclosure provides a communication method executed by a first network function, the method comprising:
[0447] Step S3301: Receive the eighth message sent by the first server;
[0448] The eighth piece of information is used to request the first network function to check whether the digital identity is allowed to be used by the user and / or whether it is allowed to access the mobile metaverse service.
[0449] In some embodiments, the eighth information includes at least one of the following: user ID; digital identity ID; metaverse service ID to be accessed.
[0450] In some embodiments, the method further includes at least one of the following:
[0451] Based on the configuration information of the digital identity and the eighth information, check whether the digital identity is allowed to be used by the user to obtain a first result;
[0452] Based on the configuration information of the digital identity and the eighth information, check whether the digital identity is allowed to access the mobile metaverse service to obtain a second result;
[0453] The configuration information of the digital identity is a digital identity applicable to at least one metaverse business and / or configuration information of at least one user associated with the digital identity.
[0454] In some embodiments, the method further includes:
[0455] Send the ninth message to the first server;
[0456] The ninth piece of information is used to indicate the first result and / or the second result.
[0457] In some embodiments, the ninth information is also used to indicate at least one of the following:
[0458] Second server identifier;
[0459] Is a digital identity allowed to access multiple mobile metaverse services?
[0460] This disclosure provides a communication method executed by a second server, the method comprising:
[0461] Step S3401: Receive the seventh message sent by the terminal;
[0462] The seventh information includes at least one of the following: the digital identity ID; the digital identity object corresponding to the digital identity ID; the metaverse service ID or name to be accessed; and the second token, which is used by the metaverse service client in the terminal to access the metaverse service.
[0463] In some embodiments, the second token contains at least one of the following statements:
[0464] The issuer's declaration is used to instruct the first server;
[0465] A subject statement, which indicates one of the following: a digital identity ID; or an association between a user ID and a digital identity ID;
[0466] Audience statement, which indicates the server ID of the metaverse service that the user requests to access;
[0467] A time statement, which indicates the validity period of the token;
[0468] Scope declarations are used to indicate the metaverse business ID to be accessed;
[0469] Additional statement, which indicates at least one of the following: user ID; user name; digital identity object.
[0470] In some embodiments, the method further includes:
[0471] Verify the second token.
[0472] In some embodiments, verifying the second token includes at least one of the following:
[0473] Integrity verification of the first token is performed based on the certificate of the first server.
[0474] Determine whether the digital identity ID indicated by the subject claim of the second token matches the requested digital identity ID;
[0475] Determine whether the user ID contained in the main statement of the second token or the additional statement of the token matches the requested user ID;
[0476] Determine whether the server ID contained in the audience claim of the second token matches the second server ID;
[0477] Determine whether the validity period indicated by the time statement of the second token has expired.
[0478] Figure 3 is an interactive schematic diagram of a communication method according to an embodiment of the present disclosure. As shown in Figure 3, the present disclosure relates to a communication method for a communication system 100, the method including one of the following steps:
[0479] Step S4101: The terminal sends the first information to the first server.
[0480] In some embodiments, the first information is used to request authentication and / or authorization of a digital identity, which is the identity corresponding to a user's access to the Mobile Metaverse service through the terminal.
[0481] In some embodiments, optional implementations of step S4101 can be found in the optional implementations of the steps in FIG2a and other related parts in the embodiments involved in FIG2a, which will not be repeated here.
[0482] In some embodiments, the above methods may include the methods of the terminal side, the first server side, the first network function side, the second server side, etc., as described above, which will not be repeated here.
[0483] To better understand the embodiments of this disclosure, the following exemplary embodiments are provided for further explanation:
[0484] In some embodiments, it is assumed that the user has been authenticated to download his / her digital identity, and that the digital identity has been downloaded from the A-DACM function to the UE he / she is using. Through the user authentication process, the UE has obtained the user's ID-Token (ID-Token_u). The avatar is created by the A-DACM function and digitally signed by the A-DACM function.
[0485] In some embodiments, mobile metaverse services / applications can benefit from shared digital assets used by different mobile metaverse services / applications (e.g., consistent user digital representations across different applications), allowing users to benefit from having available information when accessing mobile metaverse services / applications. This means that digital assets, including digital identities, need to be uniquely identifiable to maintain consistency across different mobile metaverse services / applications. Therefore, a digital identity downloaded in the UE should be shareable by multiple metaverse VAL clients within the UE.
[0486] In some embodiments, since the UE can be used by multiple users, the currently logged-in user may not be a user who downloaded his / her digital identity earlier and then logged off. It is also assumed that a user can possess multiple digital assets (1:n) and can use more than one digital asset (1:n), while a digital asset can be used by multiple authorized users (1:m). This means that multiple users are allowed to use the digital identity downloaded in the UE. Therefore, when a logged-in user on the UE intends to access metaverse services / applications via the corresponding metaverse VAL client in the UE by using a downloaded digital identity on his / her behalf, the metaverse VAL client needs to ensure that the digital identity being used is legitimately associated with the user using it as a digital representative.
[0487] In some embodiments, an ID token is defined and introduced to authenticate digital identity by binding the digital identity ID and the user ID in the ID token of digital identity (ID-Token_a).
[0488] In some embodiments, at least one of the following is assumed:
[0489] The VAL client in the UE has established a secure tunnel with SIM-S;
[0490] The VAL UE has downloaded a digital identity object from the A-DACM function, which is digitally signed using the private key of the A-DACM function;
[0491] SIM-S is equipped with a certificate that supports A-DACM;
[0492] The VAL client and VAL server in the UE are configured with SIM-S certificates;
[0493] The A-DACM function enables digital identity management, including the creation of digital identity profiles, linking digital identities to users, downloading / uploading digital identities, updating / modifying digital identities, and deleting digital identities.
[0494] Example 1
[0495] Please refer to Figure 4a, which provides a communication method, the method comprising:
[0496] Step S5101: Send an OpenID connection authentication request.
[0497] In some embodiments, when a logged-in user on the UE intends to access a metaverse application on his / her behalf via the corresponding metaverse VAL client in the UE using a downloaded digital identity, the VAL client in the UE sends an OpenID connection authentication request to the SIM-S. This request includes the VAL client ID, user ID, digital identity ID, and the corresponding digital identity object, as well as the identity of the metaverse service to be accessed. The digital identity object is digitally signed by the A-DACM function.
[0498] Step S5102: Verify the digital identity object.
[0499] In some embodiments, SIM-S uses a certificate with A-DACM functionality to verify the authenticity of the received signed digital identity object.
[0500] Step S5103: Perform the first processing operation based on the verification result.
[0501] Step S5103 includes one of the following:
[0502] Step S5103a: Send a proxy identity verification request.
[0503] In some embodiments, if authentication is successful, SIM-S sends a proxy identity verification request to the A-DACM function. This request includes at least the user ID, digital identity ID, and service ID.
[0504] In some embodiments, SIM-S can locate the A-DACM function via information in the certificate verifying the digital identity object.
[0505] Step S5103b: Send a response message.
[0506] In some embodiments, if verification fails, the SIM-S considers the received avatar to be authentic and returns a response with a reason for failure to the VAL client in the UE.
[0507] In some embodiments, the reason for failure may indicate that the verification of the digital identity object failed.
[0508] Step S5104: Perform verification.
[0509] In some embodiments, based on the received user ID and digital identity ID, the A-DACM function checks whether the digital identity is permitted for use by the user by comparing it against the digital identity profile.
[0510] In some embodiments, the A-DACM function also checks whether the digital identity is permitted to access the service indicated by the service ID. A digital identity profile is a specific configuration and parameters of a digital identity applicable to one or more applications and can be associated with one or more users.
[0511] Step S5105: Send a representative identity verification response message.
[0512] In some embodiments, the A-DACM function returns a response representing an identity check, which includes the check results and additional information, such as the VAL server ID.
[0513] Step S5106: Perform the second processing operation based on the verification result.
[0514] Step S5106 includes one of the following:
[0515] Step S5106a: If the check result is positive, the SIM-S sends an OpenID connection authentication response containing the authorization code to the VAL client in the UE.
[0516] In some embodiments, the OpenID connection authentication response may also include information indicating whether the digital identity is permitted to access multiple mobile metaverse services.
[0517] Step S5106b: If any check result is negative, the SIM-S sends an OpenID connection authentication response with a reason for failure to the VAL client in the UE. The reason for failure may indicate a mismatch between the digital identity and the user it represents, or that the service is not allowed to be accessed by the digital identity.
[0518] Step S5107: Send an OpenID connection token request.
[0519] In some embodiments, when an authorization code is received, the VAL client in the UE sends an OpenID connection token request to the SIM-S that transmits the code.
[0520] In some embodiments, an OpenID connection token request may indicate at least one of the following:
[0521] The terminal's ID;
[0522] The ID of the Metaverse business client in the terminal;
[0523] The ID of the VAL server;
[0524] The authorization code sent by the SIM-S.
[0525] Step S5108: Send OpenID connection token response.
[0526] In some embodiments, SIM-S sends an OpenID connection token response containing ID-Token_a and an access token to the VAL client in the UE.
[0527] In some embodiments, ID-Token_a includes at least the following claim information:
[0528] Issuer: In this example, SIM-S;
[0529] Main components: User ID and Digital Identity ID (i.e., a concatenation of User ID and Avatar ID);
[0530] Audience: The VAL client ID of the metaverse application that the user requests to access;
[0531] Expiration time: The expiration time after which the token cannot be processed;
[0532] Other statements (or additional statements) as necessary, such as user names, digital identity objects (e.g., images, media), etc.
[0533] In some embodiments, ID-Token_a is consumed by the Metaverse VAL client, which processes the following steps:
[0534] Verify the integrity of the token using the SIM-S (issuer in the token) certificate;
[0535] Check whether the digital identity ID and user ID, which are the subject claim values, match the identities of the requesting user and the avatar representing the user;
[0536] Check if the audience claim matches the identity of the VAL client itself;
[0537] Check if the token has expired;
[0538] Examine the appended claims, such as whether the digital identity object in the claims matches the digital identity object selected by the user.
[0539] In some embodiments, by examining the claims in the obtained ID-Token_a, the Metaverse VAL client is able to determine that the digital identity object used by the user is authentic and permitted for use by the user requesting access to the digital identity service.
[0540] In some embodiments, the access token returned by SIM-S is used by the VAL client for service access of the avatar authorized by the VAL server in the following processes.
[0541] Example 1
[0542] Please refer to Figure 4b, which provides a communication method, the method comprising:
[0543] Step S5201: Establish a safe tunnel.
[0544] In some embodiments, a secure HTTP tunnel using Hypertext Transfer Protocol Secure (HTTPS) is established between the VAL client and the VAL server prior to authorization of the metaverse service.
[0545] Step S5202: Send an HTTP message.
[0546] In some embodiments, the VAL client in the UE sends an HTTP message containing an access token to the VAL server requesting service authorization.
[0547] In some embodiments, an HTTP message may contain at least one of the following:
[0548] The digital identity ID;
[0549] The digital identity object corresponding to the digital identity ID;
[0550] The Metaverse Business ID to be accessed;
[0551] The access token.
[0552] Step S5203: Token check.
[0553] In some embodiments, the VAL server authorizes the avatar to access the requested metaverse service only when the access token is valid.
[0554] In some embodiments, the access token includes at least the following statement:
[0555] Issuer: In this example, SIM-S;
[0556] Main components: User ID and Digital Identity ID (i.e., a concatenation of User ID and Avatar ID);
[0557] Audience: The VAL server ID of the metaverse application that the user requests to access;
[0558] Expiration time: The expiration time after which the token cannot be processed;
[0559] If necessary, add additional declarations, such as scope, etc.
[0560] In some embodiments, the access token is consumed by the Metaverse VAL server, which processes the following steps:
[0561] Verify the integrity of the token using the SIM-S (issuer in the token) certificate;
[0562] Check whether the digital identity ID and user ID, which are the subject claim values, match the identities of the requesting user and the digital identity representing the user;
[0563] Check if the audience claim matches the identifier of the VAL server itself;
[0564] Check if the token has expired;
[0565] Check any additional statements, such as whether the scope matches the service access restrictions for digital identities.
[0566] Step S5204: Send a response message.
[0567] In some embodiments, the VAL server sends a failure or success response message.
[0568] In some embodiments, the VAL server can also provide service-related information to the VAL client.
[0569] This disclosure also provides an apparatus for implementing any of the above methods. For example, an apparatus is provided that includes units or modules for implementing the steps performed by the terminal in any of the above methods. Alternatively, another apparatus is provided that includes units or modules for implementing the steps performed by a network device (e.g., an access network device, a core network functional node, a core network device, etc.) in any of the above methods.
[0570] It should be understood that the division of units or modules in the above device is only a logical functional division. In actual implementation, they can be fully or partially integrated into a single physical entity, or they can be physically separated. Furthermore, the units or modules in the device can be implemented by a processor calling software: for example, the device includes a processor connected to a memory containing instructions. The processor calls the instructions stored in the memory to implement any of the above methods or to implement the functions of the units or modules in the above device. The processor can be, for example, a general-purpose processor, such as a Central Processing Unit (CPU) or a microprocessor, and the memory can be internal or external to the device. Alternatively, the units or modules in the device can be implemented in the form of hardware circuits. The functionality of some or all of the units or modules can be achieved through the design of these hardware circuits, which can be understood as one or more processors. For example, in one implementation, the hardware circuit is an application-specific integrated circuit (ASIC). The functionality of some or all of the units or modules is achieved through the design of the logical relationships between the components within the circuit. In another implementation, the hardware circuit can be implemented using a programmable logic device (PLD). Taking a field-programmable gate array (FPGA) as an example, it can include a large number of logic gates. The connection relationships between the logic gates are configured through configuration files, thereby achieving the functionality of some or all of the units or modules. All units or modules of the above device can be implemented entirely through processor-called software, entirely through hardware circuits, or partially through processor-called software with the remaining parts implemented through hardware circuits.
[0571] In this embodiment, the processor is a circuit with signal processing capabilities. In one implementation, the processor can be a circuit with instruction read and execute capabilities, such as a Central Processing Unit (CPU), a microprocessor, a graphics processing unit (GPU) (which can be understood as a microprocessor), or a digital signal processor (DSP). In another implementation, the processor can implement certain functions through the logical relationships of hardware circuits. The logical relationships of the aforementioned hardware circuits are fixed or reconfigurable. For example, the processor is a hardware circuit implemented using an application-specific integrated circuit (ASIC) or a programmable logic device (PLD), such as an FPGA. In a reconfigurable hardware circuit, the process of the processor loading a configuration document and configuring the hardware circuit can be understood as the process of the processor loading instructions to implement the functions of some or all of the above units or modules. Furthermore, it can also be a hardware circuit designed for artificial intelligence, which can be understood as an ASIC, such as a Neural Network Processing Unit (NPU), a Tensor Processing Unit (TPU), or a Deep Learning Processing Unit (DPU).
[0572] Figure 5a is a schematic diagram of the terminal structure proposed in an embodiment of this disclosure. As shown in Figure 5a, the terminal 5100 may include at least one of a transceiver module 5101, a processing module 5102, etc. In some embodiments, the transceiver module is used to send and receive information. Optionally, the transceiver module is used to perform at least one of the communication steps such as sending and / or receiving performed by the terminal in any of the above methods, which will not be described in detail here. Optionally, the processing module is used to perform at least one of the other steps performed by the terminal in any of the above methods, which will not be described in detail here.
[0573] Figure 5b is a schematic diagram of the structure of the first server according to an embodiment of this disclosure. As shown in Figure 5b, the first server 5200 may include at least one of a transceiver module 5201, a processing module 5202, etc. In some embodiments, the transceiver module is used to send and receive information. Optionally, the transceiver module is used to perform at least one of the communication steps such as sending and / or receiving performed by the first server in any of the above methods, which will not be described in detail here. Optionally, the processing module is used to perform at least one of the other steps performed by the first server in any of the above methods, which will not be described in detail here.
[0574] Figure 5c is a schematic diagram of the structure of the first network function proposed in this embodiment of the present disclosure. As shown in Figure 5c, the first network function 5300 may include at least one of a transceiver module 5301, a processing module 5302, etc. In some embodiments, the transceiver module is used to send and receive information. Optionally, the transceiver module is used to perform at least one of the communication steps such as sending and / or receiving performed by the first network function in any of the above methods, which will not be described in detail here. Optionally, the processing module is used to perform at least one of the other steps performed by the first network function in any of the above methods, which will not be described in detail here.
[0575] Figure 5d is a schematic diagram of the structure of the second server according to an embodiment of this disclosure. As shown in Figure 5d, the second server 5400 may include at least one of a transceiver module 5401, a processing module 5402, etc. In some embodiments, the transceiver module is used to send and receive information. Optionally, the transceiver module is used to perform at least one of the communication steps such as sending and / or receiving performed by the second server in any of the above methods, which will not be described in detail here. Optionally, the processing module is used to perform at least one of the other steps performed by the second server in any of the above methods, which will not be described in detail here.
[0576] Figure 6a is a schematic diagram of the structure of the communication device 9100 proposed in an embodiment of this disclosure. The communication device 9100 can be a network device (e.g., access network device, core network device, etc.), a terminal (e.g., user equipment, etc.), a chip, chip system, or processor that supports the network device in implementing any of the above methods, or a chip, chip system, or processor that supports the terminal in implementing any of the above methods. The communication device 9100 can be used to implement the methods described in the above method embodiments; for details, please refer to the descriptions in the above method embodiments.
[0577] As shown in Figure 6a, the communication device 9100 includes one or more processors 9101. The processor 9101 can be a general-purpose processor or a dedicated processor, such as a baseband processor or a central processing unit (CPU). The baseband processor can be used to process communication protocols and communication data, while the CPU can be used to control communication devices (e.g., base stations, baseband chips, terminal devices, terminal device chips, DUs or CUs, etc.), execute programs, and process program data. The communication device 9100 is used to execute any of the above methods.
[0578] In some embodiments, the communication device 9100 further includes one or more memories 9102 for storing instructions. Optionally, all or part of the memories 9102 may also be located outside the communication device 9100.
[0579] In some embodiments, the communication device 9100 further includes one or more transceivers 9103. When the communication device 9100 includes one or more transceivers 9103, the transceivers 9103 perform at least one of the communication steps such as sending and / or receiving in the above method, and the processor 9101 performs at least one of the other steps.
[0580] In some embodiments, a transceiver may include a receiver and / or a transmitter, which may be separate or integrated. Optionally, the terms transceiver, transceiver unit, transceiver, transceiver circuit, etc., may be used interchangeably; the terms transmitter, transmitting unit, transmitter, transmitting circuit, etc., may be used interchangeably; and the terms receiver, receiving unit, receiver, receiving circuit, etc., may be used interchangeably.
[0581] In some embodiments, the communication device 9100 may include one or more interface circuits 9104. Optionally, the interface circuit 9104 is connected to the memory 9102, and the interface circuit 9104 can be used to receive signals from the memory 9102 or other devices, and can be used to send signals to the memory 9102 or other devices. For example, the interface circuit 9104 can read instructions stored in the memory 9102 and send the instructions to the processor 9101.
[0582] The communication device 9100 described in the above embodiments may be a network device or a terminal, but the scope of the communication device 9100 described in this disclosure is not limited thereto, and the structure of the communication device 9100 may not be limited by FIG. 6a. The communication device may be a standalone device or a part of a larger device. For example, the communication device may be: (1) a standalone integrated circuit IC, or chip, or chip system or subsystem; (2) a collection of one or more ICs, optionally, the IC collection may also include storage components for storing data and programs; (3) an ASIC, such as a modem; (4) a module that can be embedded in other devices; (5) a receiver, terminal device, smart terminal device, cellular phone, wireless device, handheld device, mobile unit, vehicle device, network device, cloud device, artificial intelligence device, etc.; (6) others, etc.
[0583] Figure 6b is a schematic diagram of the structure of the chip 9200 proposed in an embodiment of this disclosure. For cases where the communication device 9100 can be a chip or a chip system, the schematic diagram of the chip 9200 shown in Figure 6b can be referenced, but the invention is not limited thereto.
[0584] Chip 9200 includes one or more processors 9201, which are used to perform any of the above methods.
[0585] In some embodiments, chip 9200 further includes one or more interface circuits 9202. Optionally, the interface circuit 9202 is connected to memory 9203, and the interface circuit 9202 can be used to receive signals from memory 9203 or other devices, and the interface circuit 9202 can be used to send signals to memory 9203 or other devices. For example, the interface circuit 9202 can read instructions stored in memory 9203 and send the instructions to processor 9201.
[0586] In some embodiments, the interface circuit 9202 performs at least one of the communication steps such as sending and / or receiving in the above method, and the processor 9201 performs at least one of the other steps.
[0587] In some embodiments, the terms interface circuit, interface, transceiver pin, transceiver, etc., can be used interchangeably.
[0588] In some embodiments, chip 9200 further includes one or more memories 9203 for storing instructions. Optionally, all or part of the memories 9203 may be located outside of chip 9200.
[0589] This disclosure also proposes a storage medium storing instructions that, when executed on the communication device 9100, cause the communication device 9100 to perform any of the above methods. Optionally, the storage medium is an electronic storage medium. Optionally, the storage medium is a computer-readable storage medium, but not limited thereto; it may also be a storage medium readable by other devices. Optionally, the storage medium may be a non-transitory storage medium, but not limited thereto; it may also be a temporary storage medium.
[0590] This disclosure also provides a program product that, when executed by the communication device 9100, causes the communication device 9100 to perform any of the above methods. Optionally, the program product is a computer program product.
[0591] This disclosure also proposes a computer program that, when run on a computer, causes the computer to perform any of the above methods.
Claims
1. A communication method, characterized in that, The method is executed by a terminal, and the method includes: Send the first message to the first server; The first information is used to request authentication and / or authorization of the digital identity, which is the identity corresponding to the user's access to the Mobile Metaverse service through the terminal.
2. The method according to claim 1, characterized in that, The first information includes at least one of the following: Client identity identifier (ID); User ID; Digital identity ID; The digital identity object corresponding to the digital identity ID; The Metaverse Business ID to be accessed.
3. The method according to claim 1 or 2, characterized in that, The method further includes: Receive the second information sent by the first server; The second information is used to indicate that the digital identity object has failed verification.
4. The method according to claim 1 or 2, characterized in that, The method further includes: Receive third information sent by the first server; wherein the third information is used to indicate one of the following: an authorization code; an authorization code and a second server ID; whether the authorization code, the second server ID, and the digital identity are allowed to access multiple mobile metaverse services.
5. The method according to claim 1 or 2, characterized in that, The method further includes: Receive a fourth message sent by the first server; wherein the fourth message is used to indicate that the digital identity is not allowed to be used by the user or is not allowed to access the mobile metaverse service; and / or The fourth piece of information is used to indicate the reason why the digital identity is not allowed to be used by the user or is not allowed to access the Mobile Metaverse service, the reason being that the digital identity is not allowed to represent the user and / or is not allowed to access the Mobile Metaverse service.
6. The method according to claim 4, characterized in that, The method further includes: Upon receiving the authorization code, the fifth piece of information is sent to the first server; The fifth piece of information is used to request a first token and / or a second token. The first token is used by the Metaverse Business Client in the terminal to authenticate the digital identity, and the second token is used by the Metaverse Business Client in the terminal to access the Metaverse Business.
7. The method according to claim 6, characterized in that, The fifth piece of information is also used to indicate at least one of the following: The terminal's ID; The ID of the Metaverse business client in the terminal; The ID of the second server; The authorization code sent by the first server.
8. The method according to claim 6 or 7, characterized in that, The method further includes: Receive the sixth message sent by the first server; The sixth piece of information includes the first token and / or the second token.
9. The method according to claim 7 or 8, characterized in that, The first token includes at least one of the following: The issuer's declaration is used to instruct the first server; A subject statement, which indicates one of the following: a digital identity ID; or an association between a user ID and a digital identity ID; Audience statement, which indicates one of the following: the client ID of the metaverse service requested by the user; the ID of the terminal; A time statement, which indicates the validity period of the token; Additional statement, which indicates at least one of the following: user ID; user name; digital identity object.
10. The method according to any one of claims 8 to 9, characterized in that, The method further includes: Verify the first token; The verification of the first token includes at least one of the following: Integrity verification of the first token is performed based on the certificate of the first server. Determine whether the digital identity ID indicated by the subject claim of the first token matches the requested digital identity ID; Determine whether the user ID indicated by the subject claim of the first token matches the requested user ID; Determine whether the client ID indicated by the audience claim of the first token matches the ID of the Metaverse business client in the terminal; Determine whether the validity period indicated by the time statement of the first token has expired; Determine whether the user ID contained in the additional claim of the first token matches the requested user ID; Determine whether the digital identity object indicated by the additional claim of the first token matches the digital identity object selected by the user.
11. The method according to any one of claims 8 to 10, characterized in that, The method further includes: Send the seventh message to the second server; The seventh piece of information includes at least one of the following: The digital identity ID; The digital identity object corresponding to the digital identity ID; The Metaverse Business ID to be accessed; The second token.
12. The method according to any one of claims 6 to 11, characterized in that, The second token contains at least one of the following: The issuer's declaration is used to instruct the first server; A subject statement, which indicates one of the following: a digital identity ID; or an association between a user ID and a digital identity ID; Audience statement, which indicates the server ID of the metaverse service that the user requests to access; A time statement, which indicates the validity period of the token; Scope declarations are used to indicate the metaverse business ID to be accessed; Additional statement, wherein the additional is used to indicate at least one of the following: user ID; user name; digital identity object.
13. A communication method, characterized in that, The method is executed by a first server, and the method includes: The first message sent by the receiving terminal; The first information is used to request authentication and / or authorization of the digital identity, which is the identity corresponding to the user's access to the Mobile Metaverse service through the terminal.
14. The method according to claim 13, characterized in that, The first information includes at least one of the following: Client ID; User ID; Digital identity ID; The digital identity object corresponding to the digital identity ID; The Metaverse Business ID to be accessed.
15. The method according to claim 14, characterized in that, The method further includes: The digital identity object is verified based on the first certificate; The first certificate is obtained from the first network function, and the digital identity object is digitally signed by the first network function.
16. The method according to claim 15, characterized in that, The method also includes one of the following: If the digital identity object is verified, an eighth message is sent to the first network function; wherein the eighth message is used to request the first network function to check whether the digital identity is allowed to be used by the user and / or whether the digital identity is allowed to access the mobile metaverse service; If the digital identity object fails verification, a second message is sent to the terminal; wherein the second message is used to indicate that the digital identity object has failed verification.
17. The method according to claim 16, characterized in that, The eighth piece of information includes at least one of the following: user ID; digital identity ID; metaverse service ID to be accessed.
18. The method according to any one of claims 15 to 17, characterized in that, The method further includes: The first network function is determined based on the information contained in the first certificate.
19. The method according to claim 18, characterized in that, The method further includes: Receive the ninth message sent by the first network function; The ninth information is used to indicate the first result and / or the second result, wherein the first result is used to indicate whether the digital identity is allowed to be used by the user, and the second result is used to indicate whether the digital identity is allowed to access the mobile metaverse service.
20. The method according to claim 19, characterized in that, The ninth information is also used to indicate at least one of the following: Second server identifier; Is a digital identity allowed to access multiple mobile metaverse services? 21. The method according to claim 19 or 20, characterized in that, The method further includes: When the digital identity is permitted for use by the user and is authorized to access mobile metaverse services, third information is sent to the terminal; wherein the third information is used to indicate one of the following: an authorization code; an authorization code and a second server ID; an authorization code, a third server ID, and a third server ID. Whether the server ID and the digital identity are allowed to access multiple mobile metaverse services.
22. The method according to claim 19 or 20, characterized in that, The method further includes: In cases where the digital identity is not permitted for use by the user and / or is not permitted to access the Mobile Metaverse service, a fourth message is sent to the terminal; wherein the fourth message is used to indicate that the digital identity is not permitted for use by the user or is not permitted to access the Mobile Metaverse service; and / or, the fourth message is used to indicate the reason why the digital identity is not permitted for use by the user or is not permitted to access the Mobile Metaverse service, the reason being that the digital identity is not permitted to represent the user and / or is not permitted to access the Mobile Metaverse service.
23. The method according to claim 21, characterized in that, The method further includes: Receive the fifth message sent by the terminal; The fifth piece of information is used to request a first token and / or a second token. The first token is used by the Metaverse Business Client in the terminal to authenticate the digital identity, and the second token is used by the Metaverse Business Client in the terminal to access the Metaverse Business.
24. The method according to claim 23, characterized in that, The fifth piece of information is also used to indicate at least one of the following: The terminal's ID; The ID of the Metaverse business client in the terminal; The ID of the second server; The authorization code sent by the first server.
25. The method according to claim 23 or 24, characterized in that, The method further includes: Send the sixth message to the terminal; The sixth piece of information includes the first token and / or the second token.
26. The method according to any one of claims 23 to 25, characterized in that, The first token contains at least one of the following claims: The issuer's declaration is used to instruct the first server; A subject statement, which indicates one of the following: a digital identity ID; or an association between a user ID and a digital identity ID; Audience statement, which indicates one of the following: the client ID of the metaverse service requested by the user; the ID of the terminal; A time statement, which indicates the validity period of the token; Additional statement, which indicates at least one of the following: user ID; user name; digital identity object.
27. A communication method, characterized in that, The method is performed by a first network function, and the method includes: Receive the eighth message sent by the first server; The eighth piece of information is used to request the first network function to check whether the digital identity is allowed to be used by the user and / or whether it is allowed to access the mobile metaverse service.
28. The method according to claim 27, characterized in that, The eighth piece of information includes at least one of the following: user ID; digital identity ID; metaverse service ID to be accessed.
29. The method according to claim 27 or 28, characterized in that, The method further includes at least one of the following: Based on the configuration information of the digital identity and the eighth information, check whether the digital identity is allowed to be used by the user to obtain a first result; Based on the configuration information of the digital identity and the eighth information, check whether the digital identity is allowed to access the mobile metaverse service to obtain a second result; The configuration information of the digital identity is a digital identity applicable to at least one metaverse business and / or configuration information of at least one user associated with the digital identity.
30. The method according to any one of claims 27 to 29, characterized in that, The method further includes: Send the ninth message to the first server; The ninth piece of information is used to indicate the first result and / or the second result.
31. The method according to claim 30, characterized in that, The ninth information is also used to indicate at least one of the following: Second server identifier; Is a digital identity allowed to access multiple mobile metaverse services? 32. A communication device, characterized in that, The communication device is used to perform the communication method according to any one of claims 1 to 12, claims 13 to 26 and / or claims 27 to 31.
33. A communication system, characterized in that, include: A terminal, a first server, and a first network function; wherein the terminal is configured to implement the communication method of any one of claims 1 to 12, the first server is configured to implement the communication method of any one of claims 13 to 26, and the first network function is configured to implement the communication method of any one of claims 27 to 31.
34. A storage medium storing instructions, characterized in that, When the instructions are executed on the communication device, the communication device performs the communication method as described in any one of claims 1 to 12, 13 to 26, or 27 to 31.
35. A computer program product, said computer program product comprising a computer program or instructions, characterized in that, When the computer program or instructions are executed by a processor, they implement the communication method as described in any one of claims 1 to 12, 13 to 26, or 27 to 31.