Method, device, equipment, storage medium and program product for checking
By generating independent channel authentication credentials and channel role identifiers for users in different applications, the problem of service platform security risks and identity verification complexity caused by inconsistent security levels of third-party applications is solved, and unified management and security enhancement of user identity are achieved across different services.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- BEIJING QISHENG SCIENCE AND TECHNOLOGY CO LTD
- Filing Date
- 2024-12-17
- Publication Date
- 2026-06-19
AI Technical Summary
In existing technologies, the inconsistent security levels of third-party applications can lead to low-security applications obtaining universal authentication credentials, posing a security risk to the service platform. Furthermore, identity verification between different services is complex and costly.
By generating independent channel authentication credentials and channel role identifiers for users in different applications, and determining a unified user identifier based on role information, unified management of identity is achieved across different services, avoiding the abuse and leakage of credentials across applications.
It ensures unified management of user identities across different services, reduces the complexity and transformation costs of identity conversion, improves security and scalability, and prevents the risk of abuse and leakage of credentials across applications.
Figure CN122247626A_ABST
Abstract
Description
Technical Field
[0001] The exemplary embodiments disclosed herein generally relate to the field of computers, and particularly to methods, apparatus, devices, storage media, and program products for verification.
Background Technology
[0002] Third-party application login has become a widely adopted method of identity verification. Through third-party applications, users can quickly authenticate their identities and seamlessly access multiple service platforms. However, with the increasing prevalence of third-party applications, users can access service platforms through different applications. If a third-party application has low credibility, it may pose a security risk to the service platform.
Summary of the Invention
[0003] In a first aspect of this disclosure, a verification method is provided. This method may include: extracting a channel authentication credential and a channel role identifier corresponding to the user in the application from a service request initiated by the user using an application; in response to the channel authentication credential being verified, obtaining the user's role information associated with the channel authentication credential; in response to the role information matching the channel role identifier, determining the user's unified user identifier based on the role information, wherein the unified user identifier is an identifier shared by the user across different services on the server; and executing the service related to the service request based on the unified user identifier.
[0004] In a second aspect of this disclosure, a verification system is provided. This verification system may include: a login server configured to, in response to successful verification of received channel authentication credentials, obtain role information associated with the channel authentication credentials, wherein the channel authentication credentials are extracted from a service request initiated by a user using an application; a business gateway configured to: receive the role information from the login server, and, in response to a match between the role information and a channel role identifier obtained from the service request, determine a unified user identifier for the user based on the role information, wherein the unified user identifier is an identifier shared by the user across different services on the server; and a business server configured to, in response to the unified user identifier from the business gateway, execute a service related to the service request.
[0005] In a third aspect of this disclosure, a verification apparatus is provided. The apparatus may include: a channel information acquisition module configured to extract, based on a service request initiated by a user using an application, the channel authentication credentials and channel role identifier corresponding to the user in the application; a role information acquisition module configured to, in response to successful verification of the channel authentication credentials, acquire the role information of the user associated with the channel authentication credentials; a unified user identifier determination module configured to, in response to a match between the role information and the channel role identifier, determine the user's unified user identifier based on the role information, wherein the unified user identifier is an identifier shared by the user across different services on the server; and a service execution module configured to, based on the unified user identifier, execute the service related to the service request.
[0006] In a fourth aspect of this disclosure, an electronic device is provided. The device includes at least one processing unit; and at least one memory coupled to the at least one processing unit and storing instructions for execution by the at least one processing unit. When executed by the at least one processing unit, the instructions cause the electronic device to perform the method of the first aspect.
[0007] In a fifth aspect of this disclosure, a computer-readable storage medium is provided. A computer program is stored on the medium, which, when executed by a processor, implements the method of the first aspect.
[0008] In a sixth aspect of this disclosure, a computer program product is provided. The computer program product includes computer-executable instructions that, when executed by a processor, implement the method of the first aspect.
[0009] It should be understood that the description in this section is not intended to limit the key or essential features of the embodiments of this disclosure, nor is it intended to restrict the scope of this disclosure. Other features of this disclosure will become readily apparent from the following description.
Attached Figure Description
[0010] The above and other features, advantages, and aspects of the embodiments of this disclosure will become more apparent from the accompanying drawings and the following detailed description. In the drawings, the same or similar reference numerals denote the same or similar elements, wherein:
[0011] Figure 1 shows a schematic diagram of an example environment in which embodiments of the present disclosure can be implemented;
[0012] Figure 2A shows a schematic diagram illustrating the process of a verification system processing a login request according to some embodiments of the present disclosure;
[0013] Figure 2B shows an example diagram illustrating the process of a verification system processing a service request according to some embodiments of the present disclosure;
[0014] Figure 3 shows a flowchart of a verification method according to some embodiments of the present disclosure;
[0015] Figure 4 shows a schematic structural block diagram of a verification apparatus according to some embodiments of the present disclosure; and
[0016] Figure 5 shows a block diagram of an electronic device that can implement one or more embodiments of the present disclosure.
Detailed Implementation
[0017] Embodiments of this disclosure will now be described in more detail with reference to the accompanying drawings. While some embodiments of this disclosure are shown in the drawings, it should be understood that this disclosure can be implemented in various forms and should not be construed as limited to the embodiments set forth herein. Rather, these embodiments are provided to provide a more thorough and complete understanding of this disclosure. It should be understood that the accompanying drawings and embodiments of this disclosure are for illustrative purposes only and are not intended to limit the scope of protection of this disclosure.
[0018] In the description of embodiments of this disclosure, the term "comprising" and similar terms should be understood as open-ended inclusion, i.e., "including but not limited to". The term "based on" should be understood as "at least partially based on". The term "one embodiment" or "the embodiment" should be understood as "at least one embodiment". The term "some embodiments" should be understood as "at least some embodiments". Other explicit and implicit definitions may also be included below.
[0019] In this document, unless explicitly stated otherwise, performing a step in response to A does not mean that the step is performed immediately after A, but may include one or more intermediate steps.
[0020] It is understood that the data involved in this technical solution (including but not limited to the data itself, the acquisition, use, storage or deletion of the data) shall comply with the requirements of relevant laws, regulations and related provisions.
[0021] It is understood that before using the technical solutions disclosed in the various embodiments of this disclosure, relevant users should be informed of the type, scope of use, and usage scenarios of the information involved in this disclosure through appropriate means in accordance with relevant laws and regulations, and authorization should be obtained from the relevant users. Relevant users may include any type of rights holder, such as individuals, enterprises, and groups.
[0022] For example, in response to receiving an active request from a user, a prompt message is sent to the relevant user to clearly inform the user that the requested operation will require obtaining and using the user's information, thereby enabling the relevant user to choose whether to provide information to the software or hardware such as the electronic device, application, server, or storage medium that performs the operation of the technical solution disclosed herein based on the prompt message.
[0023] As an optional but non-restrictive implementation, in response to a user's active request, a prompt message can be sent to the user, such as a pop-up window, where the prompt message can be presented in text format. Furthermore, the pop-up window can also include a selection control allowing the user to choose "agree" or "disagree" to provide information to the electronic device.
[0024] It is understood that the above notification and user authorization process are merely illustrative and do not constitute a limitation on the implementation of this disclosure. Other methods that comply with relevant laws and regulations may also be applied to the implementation of this disclosure.
[0025] Third-party applications are widely used for service access. Currently, after a user logs in through a third-party application, the application can interact with the authentication service by obtaining authorization codes and channel information. Once the authentication service verifies the credentials, it returns universal authentication credentials and user identification information for subsequent service requests. Based on these universal authentication credentials, users can access various related functions provided by the target service platform through the third-party application. However, when different third-party applications have inconsistent security levels, applications with lower security levels may also obtain universal authentication credentials. This could lead to lower-security applications accessing services outside their authorized scope or leaking universal authentication credentials, posing a security threat to the target service platform or other services.
[0026] Figure 1 shows a schematic diagram of an environment 100 in which embodiments of the present disclosure can be implemented. Environment 100 includes an electronic device 110 and a verification system 120. It may also include a target vehicle 130 associated with performing the service.
[0027] Electronic device 110 may run at least one application 111. Through this application 111, a user can initiate a login request to verification system 120. Based on the login request, verification system 120 obtains channel information and an authorization code from electronic device 110. The channel information is used to identify application 111. Based on the channel information and authorization code, verification system 120 obtains the user's basic information and generates channel authentication credentials and channel role identifiers related to application 111. Different applications 111 are assigned independent channel authentication credentials, which are not shared between applications 111. This process completes user authentication. After successful login, if the user wishes to access a service (such as a shared vehicle riding service), the user can scan the identifier of the target device (such as a shared vehicle) using electronic device 110 and send the channel authentication credentials and channel role identifier to verification system 120. Verification system 120 verifies the credentials, generates a corresponding identifier, and executes subsequent service requests based on this identifier.
[0028] Electronic device 110 may include, but is not limited to, smartphones, smartwatches, smart glasses, smart helmets, laptops, tablets, personal digital assistants, or any other suitable portable electronic devices. In some embodiments, electronic device 110 may also support any type of user-facing interface (such as "wearable" circuitry).
[0029] It should be understood that the structure and function of the various elements in environment 100 are described for illustrative purposes only and do not imply any limitation on the scope of this disclosure.
[0030] In embodiments of this disclosure, an improved verification scheme is proposed. This scheme includes: extracting the user's corresponding channel authentication credentials and channel role identifier from the service request initiated by the user using the application; in response to the channel authentication credentials being verified, obtaining the user's role information associated with the channel authentication credentials; in response to the role information matching the channel role identifier, determining the user's unified user identifier based on the role information, wherein the unified user identifier is an identifier shared by the user across different services on the server side; and executing the service related to the service request based on the unified user identifier.
[0031] Based on the above process, channel authentication credentials and channel role identifiers are extracted from user service requests, and the validity of the channel authentication credentials is verified to ensure compliance and security. By matching user role information with channel role identifiers to determine a unified user identifier, unified management of user identity across different services is achieved. Channel authentication credentials and channel role identifiers for the same user are generated independently in different applications and can only be used in their respective applications, effectively preventing the abuse of credentials across multiple business lines and the risk of leakage through applications. By introducing a unified user identifier, the server can respond to service requests efficiently, avoiding the complexity of identity conversion across multiple business lines, reducing transformation costs, and improving scalability.
[0032] The improved verification scheme can be implemented based on verification system 120. Verification system 120 can handle login requests and service requests initiated by users through applications. The following sections describe the process of verification system 120 handling login requests and the process of handling service requests.
[0033] Figure 2A shows a schematic diagram illustrating a process 200A of a verification system 120 processing a login request according to some embodiments of the present disclosure. As an example, the login request process 200A can be a flow based on the OAuth 2.0 framework. It should be noted that the process of processing the login request is not limited to this framework; for example, it can also be based on other frameworks with similar functionality.
[0034] The business login interaction module 202 responds (221) to the user's login operation (211) on the interactive interface of application 111 and obtains (222) the channel information of application 111. The channel information can indicate the identifier (ID) of application 111, such as name, version number, and compatible operating system. Application 111 receives (212) the request to obtain the channel information and sends (213) the channel information to the business login interaction module 202. The business login interaction module 202 receives (223) the channel information, agrees to the login request corresponding to the login operation, and sends (224) the authorization code acquisition request to application 111. Application 111 receives (214) the authorization code acquisition request and sends (215) the authorization code and channel information to the business login interaction module 202. The business login interaction module 202 receives (225) and forwards (226) the authorization code and channel information to the login server 205.
[0035] Based on the authorization code, the login server 205 can send (252) a request to the application server 206 to obtain the user's basic information. As an example, the user's basic information may include the user's name, mobile phone number, or other information. After receiving (261) the request to obtain the user's basic information, the application server 206 can query the user's basic information based on the request and send (262) the basic information to the login server 205.
[0036] The login server 205 can generate (254) a channel authentication credential (role_ticket) and a channel role identifier (role_uid) for the user in application 111, based at least on the basic information of the user and the channel information of application 111 received (253). The login server 205 sends (255) the channel authentication credential and channel role identifier for the user in application 111 to the business login interaction module 202. The business login interaction module 202 receives and caches (227) the channel authentication credential and channel role identifier for the user in application 111, thereby completing the login process.
[0037] In the above process, the actions performed by the login server 205 can be summarized as follows: In response to a login request initiated by the user using the application, the server obtains basic information related to the user and the application's channel information, where the channel information indicates the application's identifier. Based on the basic information and the application's channel information, the server generates channel authentication credentials and a channel role identifier corresponding to the user within the application.
[0038] Based on the above process, independent channel authentication credentials and channel role identifiers are generated for the same user across different applications. This means that even for the same user, when logging in using different applications 111, the login server 205 will generate different channel authentication credentials and channel role identifiers. In this way, channel authentication credentials can only be used in a specific application 111 (and business line), preventing the abuse of credentials across applications. This mechanism effectively prevents attackers from obtaining a universal authentication credential by acquiring one application and attempting to access resources of the business line, thereby improving overall security. The independence of channel authentication credentials and channel role identifiers ensures identity isolation; each channel authentication credential is only valid in its corresponding application (and business line), thus avoiding cross-application security threats.
[0039] Figure 2B shows a schematic diagram illustrating a process 200B in which a verification system 120 processes a service request according to some embodiments of the present disclosure. As an example, the service request process 200B can be a flow based on the OAuth 2.0 framework. It should be noted that the process of the verification system 120 processing the service request is not limited to this framework; for example, it can also be based on other frameworks with similar functionality.
[0040] The business login interaction module 202 responds to the user's service request operation (e.g., scanning a shared bicycle code) on the interactive interface of application 111 and sends (228) the channel authentication credential and channel role identifier of the user in application 111 to the business gateway 203. The business gateway 203 receives (231) the channel authentication credential and channel role identifier of the user in application 111 and requests (232) the login server 205 to verify the channel authentication credential. The login server 205 receives (256) the request and verifies the validity of the channel authentication credential (257). The verification may include verifying the content of the channel authentication credential and verifying the validity period of the channel authentication credential. If the verification is successful, the basic information of the user associated with the channel authentication credential and the channel information of application 111, as well as the verification identifier determined based on the basic information of the user and the channel information of application 111, can be sent (258) to the business gateway 203. If the verification fails, the result of the failure can be sent (258) to the business gateway 203.
[0041] Business gateway 203 receives (233) the verification result. If the verification is successful, business gateway 203 will also receive the user's basic information and application 111's channel information associated with the channel authentication credentials, as well as the verification identifier determined based on the user's basic information and application 111's channel information. Business gateway 203 can compare the verification identifier with the channel role identifier. If the two are the same and belong to trusted identifiers (for example, the channel role identifier is listed in the whitelist, and since the two are the same, the authentication is successful), it can obtain the identifier shared by the user in different services in the verification system 120, and send (234) a request to the login server 205 based on the identifier and the user's basic information to request the unified user identifier. The unified user identifier is globally unique in the verification system 120, ensuring that the user's identity and permissions can be consistently verified regardless of which service the user operates in.
[0042] Login server 205 receives the request (259) and determines a unified user identifier based on the identifier and the user's basic information. It then sends the unified user identifier (250) to business gateway 203. Business gateway 203 receives the unified user identifier (235) and completes the user's role identification conversion, thus determining the unified user identifier. Based on this, business gateway 203 can then send a service request (236) to business server 204 (e.g., a request to scan a code to unlock the door) carrying the unified user identifier.
[0043] The business server 204 receives (241) the service request and queries the user's role information and permissions based on the unified user identifier. The business server 204 will send (242) the query result back to the business gateway 203. The business gateway 203 receives (237) the query result and forwards (238) it to the business login interaction module 202 for presentation (229).
[0044] In the above process, the actions performed by the login server 205 can be summarized as follows: upon receiving and verifying the channel authentication credentials, the server obtains the role information associated with the channel authentication credentials. The channel authentication credentials are extracted from the service request initiated by the user using the application. The actions performed by the business gateway 203 can be summarized as follows: receiving role information from the login server, and upon confirming that the role information matches the channel role identifier obtained in the service request, the gateway determines the user's unified user identifier based on the role information. The unified user identifier is an identifier shared by the user across different services on the server. The actions performed by the business server 204 can be summarized as follows: in response to the unified user identifier from the business gateway, the business server executes the service related to the service request.
[0045] By converting the channel role identifiers corresponding to different applications 111 into unified user identifiers at the business gateway 203, the complexity of subsequent role identifier conversion across different business lines and services is effectively avoided. User identities across all applications 111 can be handled consistently. This avoids the need to modify nearly all business lines and services, as well as large-scale modifications to existing business process code and backend services, thus significantly reducing the cost of accessing different applications 111 and improving maintainability.
[0046] Figure 3 shows an example flow of a verification method 300 according to some embodiments of the present disclosure. For ease of discussion, the method 300 is described with reference to the environment of Figure 1 and to Figure 2A and Figure 2B. The verification method 300 can be executed by the verification system 120, which acts as the server. The following section first introduces the processing procedure of the verification system 120 for service requests.
[0047] In box 201, the verification system 120 extracts the channel authentication credentials and channel role identifier corresponding to the user in application 111 from the service request initiated by the user using application 111.
[0048] The verification system 120 can extract the channel authentication credential (role_ticket) and channel role identifier (role_uid) corresponding to the user in application 111 based on the service request initiated by the user using application 111. Taking a service request for unlocking a bike by scanning a code as an example, the user initiates a service request related to cycling (such as a code scanning unlock request) through application 111. Application 111 sends the service request to the business gateway 203 through the business login interaction module 202.
[0049] The service request includes the user's channel authentication credentials (role_ticket) and channel role identifier (role_uid) in application 111. The channel authentication credentials are used to identify the user's authorization information in application 111, while the channel role identifier is used to identify the user's role information in application 111.
[0050] In the service request, the channel authentication credentials and channel role identifier are bound to application 111 and the user. Unlike other applications that use universal authentication credentials (tickets) and unified user identifiers (unified user uids), this method generates independent channel authentication credentials and independent role identifiers for each application 111, and these credentials are only applicable to application 111. This ensures a one-to-one correspondence between the channel authentication credentials and channel role identifiers and the specific application 111 and user role, avoiding the security risks associated with sharing universal authentication credentials or unified user identifiers across different applications. Users utilize application-bound and independent channel authentication credentials and channel role identifiers across different applications, effectively preventing the risk of credential misuse or leakage across business lines or applications. After receiving the service request, the business gateway 203 can extract the user's channel authentication credentials and channel role identifier.
[0051] In box 202, in response to the channel authentication credential being verified, the verification system 120 obtains the role information of the user associated with the channel authentication credential.
[0052] After receiving the channel authentication credential, the business gateway 203 in the verification system 120 can request the login server 205 in the verification system 120 to verify the channel authentication credential. As an example, verification may include verifying the integrity and validity of the channel authentication credential's content to ensure that the credential has not been tampered with and is still valid. After successful verification, the login server 205 can query the role information of the user associated with the channel authentication credential.
[0053] The login server 205 can use the identification information (such as credential ID) in the channel authentication credentials to find the user's role information in the pre-stored database, such as the user's basic information (e.g., registered name, mobile phone number, or other information) and the application's channel information.
[0054] In box 203, in response to the role information matching the channel role identifier, the verification system 120 determines the user's unified user identifier based on the role information. The unified user identifier is an identifier shared by the user among different services in the server.
[0055] The login server 205 in the verification system 120 can determine the identifier used for verification based on the user's basic information and the application's channel information in the role information. If the identifier used for verification is the same as the channel role identifier extracted from the service request, it indicates that the role information matches the channel role identifier. Based on the result of the role information matching the channel role identifier, the business gateway 203 can determine the unified user identifier (unified UID) through interaction with the login server 205 to complete the user's role conversion (from channel role identifier to unified user identifier). This unified user identifier is a globally unique identifier shared among different services of the verification system 120, ensuring the consistency of user identity across services and channels. In this way, unified identity management across multiple channels and multiple business lines can be achieved without relying on independent credentials for each channel.
[0056] As an example, the verification system 120 uses a unified user identifier. Through the role conversion of the business gateway 203, it can be ensured that after application 111 logs into the verification system 120, the user identity of different applications 111 can be unified into a standardized identifier. This not only avoids modifying the interfaces of various business lines within the verification system 120, but also eliminates the need for significant modifications to the business process code, thereby greatly reducing the complexity and cost of integrating new application 111.
[0057] In box 204, the verification system 120 performs services related to the service request based on the unified user identifier.
[0058] At the business gateway 203, after a unified user identifier is determined through role conversion, the business server 204 can then execute subsequent operations related to the service request based on this identifier. For example, in the scenario of using target vehicle 130 (a shared bicycle), the business server 204 will use the unified user identifier to verify the user's identity and permissions, and then authorize the user to unlock the vehicle based on the authentication result. This process ensures that the user's identity is consistently confirmed across different channels and services, and that related service requests are completed securely.
[0059] Through the above process, the independence of channel authentication credentials and channel role identifiers ensures identity isolation. Each channel authentication credential is only valid in its corresponding application 111, thereby avoiding security threats across applications 111. Furthermore, by converting the channel role identifiers corresponding to different applications 111 into unified user identifiers at the business gateway 203, the complexity of subsequent role identifier conversion across different business lines and services is effectively avoided.
[0060] The generation method of channel authentication credentials and channel role identifiers is described below. In response to a login request initiated by a user using application 111, verification system 120 obtains basic information related to the user and the application's channel information. The channel information can be used to indicate the application's identifier. Based on the basic information and the application's channel information, it generates the user's corresponding channel authentication credentials and channel role identifier within the application.
[0061] The business login interaction module 202 in the verification system 120 receives the login request initiated by the user using application 111, and can first obtain the application's channel information and authorization code, etc.
[0062] Based on the channel information and authorization code of application 111, login server 205 can obtain the user's basic information from application server 206 associated with application 111. Based on the user's basic information and the channel information of application 111, login server 205 generates channel authentication credentials and channel role identifiers for the user and binds these credentials and identifiers to application 111. After generating the channel role identifier, it can also list it as a trusted identifier. As an example, trusted identifiers can be recorded in the form of a whitelist. The recorded whitelist can be synchronized to business gateway 203.
[0063] In the above process, the channel authentication credentials and channel role identifiers are assigned specifically to the user in application 111. The channel authentication credentials and channel role identifiers will not be shared by other applications, thus effectively preventing the abuse and leakage of credentials.
[0064] After generating the channel authentication credentials and channel role identifier corresponding to the user in application 111, the login server 205 in the verification system 120 can send the channel authentication credentials and channel role identifier to application 111 to indicate that the login request result is login completed.
[0065] The login server 205 can first send the channel authentication credentials and channel role identifier to the business login interaction module 202, which then returns the information to the application 111 to indicate that the login request has been completed. The business login interaction module 202 can serve as the interaction layer for the application 111 and is configured to receive and store the channel authentication credentials and channel role identifier.
[0066] Based on the above process, users can initiate service requests using application 111 using the obtained channel authentication credentials and channel role identifiers, and add the user's corresponding channel authentication credentials and channel role identifiers in the application to the service request.
[0067] In some embodiments of this disclosure, role information includes basic user-related information and application channel information. The process of matching role information with channel role identifiers is described below. The login server 205 in the verification system 120 generates a verification identifier based on the user-related basic information and application channel information included in the role information. In response to the verification identifier matching the channel role identifier, it is determined that the role information matches the channel role identifier.
[0068] The login server 205 can generate a verification identifier based on basic user information and application channel information. For example, the basic information and application channel information can be concatenated into a string in a predetermined order, and this string used as the verification identifier. Alternatively, a hash algorithm can be applied to the basic information and application channel information to generate a fixed-length verification identifier.
[0069] The login server 205 sends basic user information, application channel information, and a verification identifier to the business gateway 203. The business gateway 203 compares the verification identifier with the channel role identifier. If they match, it further checks if the channel role identifier is a trusted identifier. If the channel role identifier is determined to be a trusted identifier, it means the role information matches the channel role identifier and passes verification. Through matching and verification of the verification identifier and the channel role identifier, the correctness of the user's identity and role can be ensured.
[0070] The following describes the process by which the business gateway 203 in the verification system 120 determines a user's unified user identifier. The business gateway 203 determines the user identifier shared by different services within the server (verification system 120). Based on the user's basic information and the user identifier, the unified user identifier is determined.
[0071] The business gateway 203 can first determine the user identifier shared by different services within the verification system 120. This user identifier is the user's basic identity identifier within the verification system 120, typically uniquely assigned to each user by the login server 205 within the verification system 120, and used across different services or business modules within the verification system 120. For example, this user identifier could be a user account ID or a unique user serial number, used to identify the user's basic information and permission scope.
[0072] Based on the user identifier and the user's basic information, the business gateway 203 can generate a request to obtain a unified user identifier and send this request to the login server 205 in the verification system 120. The login server 205 responds to the request and determines the unified user identifier based on the user identifier and the user's basic information. The process of determining the unified user identifier can employ predefined rules, such as encoding the user identifier and basic information, to ensure that the generated unified user identifier is unique and consistent within the verification system 120. The unified user identifier is then fed back to the business gateway 203 as a response to the request.
[0073] Based on the unified user identifier determined by the business gateway 203, the business server 204 in the verification system 120 can obtain the permission scope of the unified user identifier. Responding to service requests that conform to the permission scope, the service related to the service request is executed.
[0074] After the business gateway 203 determines the unified user identifier, it interacts with the business server 204 in the verification system 120. The business server 204 can obtain the permission scope of the unified user identifier. The permission scope can be used to indicate the types of services and operation range that the user can access, such as whether they have permission to use the target vehicle 130 (shared bicycle) or whether the unlocking conditions are met.
[0075] Taking QR code unlocking as an example, a user initiates a QR code scanning request for the target vehicle 130 through application 111. Business gateway 203 determines the user's unique identifier and passes it to business server 204. Upon receiving the request, business server 204 checks the user's permission scope to confirm whether the user has the authority to unlock the vehicle via QR code. For example, the permission scope might include whether the user has an active account, whether a deposit has been paid, and whether there are any outstanding orders.
[0076] If the user's permission scope indicates that they meet the requirements for scanning the code to unlock (for example, the permission status is "authorized to use"), the business server 204 will communicate with the vehicle lock system of the target vehicle 130, send an unlocking command, and execute the unlocking operation.
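The flow of paragraphs [0060] to [0076], from login through role conversion to the unlock decision, is sketched below as an added example; it is not code from the patent or its assignee. It assumes a keyed hash (HMAC-SHA-256) over length-prefixed fields in place of the plain concatenation or hash mentioned in [0068], and the class names, the `name` and `phone` fields, the permission keys and the identifier formats are all hypothetical.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # assumption: secret held only by the login server


def encode_fields(*fields: str) -> bytes:
    """Length-prefix each field so ("ab", "c") and ("a", "bc") never collide."""
    out = b""
    for field in fields:
        raw = field.encode("utf-8")
        out += len(raw).to_bytes(4, "big") + raw
    return out


def verification_identifier(basic: dict, channel: str) -> str:
    """Identifier derived from basic information plus channel information ([0068])."""
    msg = encode_fields(basic["name"], basic["phone"], channel)
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


class LoginServer:
    def __init__(self):
        self.role_by_credential = {}  # credential -> role information
        self.trusted = set()          # whitelist of channel role identifiers
        self.user_ids = {}            # phone -> internal user identifier

    def login(self, basic: dict, channel: str):
        """Issue a per-application credential and channel role identifier."""
        credential = secrets.token_urlsafe(32)
        role_id = verification_identifier(basic, channel)
        self.role_by_credential[credential] = {"basic": basic, "channel": channel}
        self.trusted.add(role_id)
        self.user_ids.setdefault(basic["phone"], f"user-{len(self.user_ids) + 1:06d}")
        return credential, role_id

    def unified_uid(self, basic: dict) -> str:
        """Encode the internal user identifier with basic information ([0072])."""
        msg = encode_fields(self.user_ids[basic["phone"]], basic["phone"])
        return "uid-" + hashlib.sha256(msg).hexdigest()[:16]


class BusinessGateway:
    def __init__(self, login_server: LoginServer):
        self.login_server = login_server

    def convert(self, credential: str, role_id: str) -> str:
        """Role conversion: channel role identifier -> unified user identifier."""
        role = self.login_server.role_by_credential.get(credential)
        if role is None or not isinstance(role_id, str):
            raise PermissionError("unknown channel authentication credential")
        expected = verification_identifier(role["basic"], role["channel"])
        # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
        if not hmac.compare_digest(expected.encode(), role_id.encode("utf-8")):
            raise PermissionError("role information does not match channel role identifier")
        if role_id not in self.login_server.trusted:  # stands in for the synced whitelist
            raise PermissionError("channel role identifier is not trusted")
        return self.login_server.unified_uid(role["basic"])


class BusinessServer:
    def __init__(self):
        self.scopes = {}  # unified uid -> permission scope (hypothetical keys)

    def unlock(self, uid: str) -> bool:
        """Authorize unlocking only when the permission scope allows it ([0075])."""
        scope = self.scopes.get(uid, {})
        return bool(scope.get("active") and scope.get("deposit_paid")
                    and scope.get("open_orders", 1) == 0)


def rejected(gateway: BusinessGateway, credential: str, role_id: str) -> bool:
    """True when the gateway refuses the credential / role identifier pair."""
    try:
        gateway.convert(credential, role_id)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    ls, bs = LoginServer(), BusinessServer()
    gw = BusinessGateway(ls)
    user = {"name": "Test User", "phone": "+10000000000"}  # constructed sample
    cred_a, rid_a = ls.login(user, "app-a")
    cred_b, rid_b = ls.login(user, "app-b")
    uid = gw.convert(cred_a, rid_a)
    bs.scopes[uid] = {"active": True, "deposit_paid": True, "open_orders": 0}
    print("same unified uid on both channels:", uid == gw.convert(cred_b, rid_b))
    print("app-a credential with app-b role id rejected:", rejected(gw, cred_a, rid_b))
    print("unlock authorized:", bs.unlock(uid))
```

Removing an entry from `trusted` revokes one application's channel role identifier without touching the same user's login through any other application.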
[0077] Figure 4 shows a schematic structural block diagram of a verification apparatus 400 according to some embodiments of the present disclosure. Apparatus 400 may be implemented in or included in verification system 120, for example. The various modules/components in apparatus 400 may be implemented by hardware, software, firmware, or any combination thereof.
[0078] As shown in the figure, device 400 includes a channel information acquisition module 401, configured to extract the user's corresponding channel authentication credentials and channel role identifier from the service request initiated by the user using the application. A role information acquisition module 402 is configured to acquire the user's role information associated with the channel authentication credentials in response to successful verification. A unified user identifier determination module 403 is configured to determine the user's unified user identifier based on the role information in response to a match between the role information and the channel role identifier. The unified user identifier is an identifier shared by the user across different services on the server. A service execution module 404 is configured to execute the service related to the service request based on the unified user identifier. The channel information acquisition module 401 can be equivalent to the business login interaction module 202. The role information acquisition module 402 can be equivalent to the login server 205. The unified user identifier determination module 403 can be equivalent to the business gateway 203. The service execution module 404 can be equivalent to the business server.
[0079] In some embodiments of this disclosure, the role information acquisition module 402 may further be configured to: in response to a login request initiated by a user using an application, acquire basic information related to the user and channel information of the application, wherein the channel information indicates the application identifier of the application. Based on the basic information and the application's channel information, generate channel authentication credentials and channel role identifiers corresponding to the user in the application.
[0080] In some embodiments of this disclosure, the role information acquisition module 402 may also be configured to send the channel authentication credential and the channel role identifier to the application to indicate that the login request result is login completed.
[0081] In some embodiments of this disclosure, the role information includes basic information related to the user and channel information of the application. The role information acquisition module 402 can also be configured to: generate a verification identifier based on the basic information related to the user and the channel information of the application included in the role information. In response to the verification identifier being identical to the channel role identifier, it is determined that the role information matches the channel role identifier.
[0082] In some embodiments of this disclosure, the unified user identifier determination module 403 can be configured to: determine the user identifier shared by the user among different services on the server. Based on basic information related to the user and the user identifier, the unified user identifier of the user is determined.
[0083] In some embodiments of this disclosure, service execution module 404 can be configured to: obtain the scope of permissions for the unified user identifier; and, in response to a service request matching the scope of permissions, execute the service related to the service request.
[0084] Figure 5 shows a block diagram of an electronic device 500 in which one or more embodiments of the present disclosure may be implemented. It should be understood that the electronic device 500 shown in Figure 5 is merely exemplary and should not be construed as limiting the functionality and scope of the embodiments described herein. The electronic device 500 illustrated in Figure 5 may include or be implemented as the verification system 120 of Figure 1 or the device 400 of Figure 4.
[0085] As shown in Figure 5, electronic device 500 is in the form of a general-purpose electronic device. Components of electronic device 500 may include, but are not limited to, one or more processors or processing units 510, memory 520, storage device 530, one or more communication units 540, one or more input devices 550, and one or more output devices 560. Processing unit 510 may be a physical or virtual processor and is capable of performing various processes according to programs stored in memory 520. In a multiprocessor system, multiple processing units execute computer-executable instructions in parallel to improve the parallel processing capability of electronic device 500.
[0086] Electronic device 500 typically includes multiple computer storage media. Such media can be any media accessible to electronic device 500, including but not limited to volatile and non-volatile media, removable and non-removable media. Memory 520 can be volatile memory (e.g., registers, cache, random access memory (RAM)), non-volatile memory (e.g., read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory), or some combination thereof. Storage device 530 can be removable or non-removable media and can include machine-readable media, such as flash drives, disks, or any other media that can be used to store information and/or data and can be accessed within electronic device 500.
[0087] Electronic device 500 may further include additional removable/non-removable, volatile/non-volatile storage media. Although not shown in Figure 5, disk drives for reading from or writing to removable, non-volatile disks (e.g., "floppy disks") and optical disk drives for reading from or writing to removable, non-volatile optical disks can be provided. In these cases, each drive can be connected to a bus (not shown) via one or more data media interfaces. Memory 520 may include computer program product 525 having one or more program modules configured to perform various methods or actions of various embodiments of this disclosure.
[0088] Communication unit 540 enables communication with other electronic devices via a communication medium. Additionally, the functionality of components of electronic device 500 can be implemented using a single computing cluster or multiple computing machines capable of communicating via communication connections. Therefore, electronic device 500 can operate in a networked environment using logical connections to one or more other servers, network personal computers (PCs), or another network node.
[0089] Input device 550 can be one or more input devices, such as a mouse, keyboard, trackball, etc. Output device 560 can be one or more output devices, such as a monitor, speaker, printer, etc. Electronic device 500 can also communicate, as needed and via communication unit 540, with one or more external devices (not shown) such as storage devices and display devices, with one or more devices that enable user interaction with electronic device 500, or with any device (e.g., network card, modem, etc.) that enables electronic device 500 to communicate with one or more other electronic devices. Such communication can be performed via an input/output (I/O) interface (not shown).
[0090] According to an exemplary implementation of this disclosure, a computer-readable storage medium is provided that stores computer-executable instructions thereon, wherein the computer-executable instructions are executed by a processor to implement the methods described above. According to an exemplary implementation of this disclosure, a computer program product is also provided, which is tangibly stored on a non-transitory computer-readable medium and includes computer-executable instructions, which are executed by a processor to implement the methods described above.
[0091] According to an exemplary implementation of this disclosure, a computer program product or computer program is provided, comprising computer instructions stored in a computer-readable storage medium. A processor of a computer device reads the computer instructions from the computer-readable storage medium and executes the computer instructions, causing the computer device to perform the methods provided in the various optional implementations of Figure 2A, Figure 2B and Figure 3, which will not be elaborated upon here.
[0092] Various aspects of this disclosure are described herein with reference to flowchart illustrations and/or block diagrams of methods, apparatuses, devices, and computer program products implemented according to this disclosure. It should be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer-readable program instructions.
[0093] These computer-readable program instructions can be provided to a processing unit of a general-purpose computer, a special-purpose computer, or other programmable data processing apparatus to produce a machine such that, when executed by the processing unit of the computer or other programmable data processing apparatus, they create means for implementing the functions/actions specified in one or more blocks of the flowchart and/or block diagram. These computer-readable program instructions can also be stored in a computer-readable storage medium that causes a computer, programmable data processing apparatus, and/or other device to operate in a particular manner. Thus, the computer-readable medium storing the instructions comprises an article of manufacture that includes instructions for implementing aspects of the functions/actions specified in one or more blocks of the flowchart and/or block diagram.
[0094] Computer-readable program instructions can be loaded onto a computer, other programmable data processing apparatus, or other device to cause a series of operational steps to be performed on the computer, other programmable data processing apparatus, or other device to produce a computer-implemented process, thereby causing the instructions that execute on the computer, other programmable data processing apparatus, or other device to perform the functions/actions specified in one or more boxes of a flowchart and/or block diagram.
[0095] The flowcharts and block diagrams in the accompanying drawings illustrate the architecture, functionality, and operation of possible implementations of systems, methods, and computer program products according to various embodiments of this disclosure. In this regard, each block in a flowchart or block diagram may represent a module, segment, or portion of an instruction, which contains one or more executable instructions for implementing the specified logical function. In some alternative implementations, the functions indicated in the blocks may occur in a different order than those indicated in the drawings. For example, two consecutive blocks may actually be executed substantially in parallel, and they may sometimes be executed in reverse order, depending on the functions involved. It should also be noted that each block in the block diagrams and/or flowcharts, and combinations of blocks in the block diagrams and/or flowcharts, may be implemented using a dedicated hardware-based system that performs the specified function or action, or using a combination of dedicated hardware and computer instructions.
[0096] Various implementations of this disclosure have been described above. These descriptions are exemplary and not exhaustive, nor are they limited to the disclosed implementations. Many modifications and variations will be apparent to those skilled in the art without departing from the scope and spirit of the described implementations. The terminology used herein is chosen to best explain the principles, practical applications, or improvements to technology in the market, or to enable others skilled in the art to understand the various implementations disclosed herein.
Claims
1. A verification method, implemented on the server side, including: based on the service request initiated by the user using the application, extracting the channel authentication credential and channel role identifier corresponding to the user in the application from the service request; in response to the successful verification of the channel authentication credential, obtaining the user's role information associated with the channel authentication credential; in response to the role information matching the channel role identifier, determining a unified user identifier for the user based on the role information, wherein the unified user identifier is an identifier shared by the user among different services in the server; and based on the unified user identifier, executing the service related to the service request.
2. The method according to claim 1, wherein the channel authentication credential and channel role identifier corresponding to the user in the application are generated in the following manner: in response to a login request initiated by the user using the application, obtaining basic information related to the user and channel information of the application, wherein the channel information indicates the application identifier of the application; and based on the basic information and the channel information of the application, generating the channel authentication credential and channel role identifier corresponding to the user in the application.
3. The method according to claim 2, wherein after generating the channel authentication credential and channel role identifier corresponding to the user in the application, the method further includes: sending the channel authentication credential and the channel role identifier to the application to indicate that the login request has been completed.
4. The method according to claim 1, wherein the role information includes basic information related to the user and channel information of the application, and whether the role information matches the channel role identifier is determined in the following manner: based on the user-related basic information included in the role information and the application's channel information, generating a verification identifier; and in response to the verification identifier being the same as the channel role identifier, determining that the role information matches the channel role identifier.
5. The method according to claim 1, wherein the role information includes basic information related to the user, and determining the user's unified user identifier based on the role information includes: determining the user identifier shared by the user across different services on the server; and based on the basic information associated with the user and the user identifier, determining the unified user identifier for the user.
6. The method of claim 1, wherein performing the service related to the service request comprises: obtaining the scope of permissions for the unified user identifier; and if the service related to the service request conforms to the permission scope, executing the service related to the service request.
7. A verification system, comprising: a login server configured to, in response to the received channel authentication credentials being verified, obtain role information associated with the channel authentication credentials, which are extracted from service requests initiated by the user using the application; a business gateway configured to: receive the role information from the login server, and in response to the role information matching the channel role identifier obtained in the service request, determine the unified user identifier of the user based on the role information, wherein the unified user identifier is an identifier shared by the user among different services in the server; and a business server configured to perform services related to the service request in response to the unified user identifier from the business gateway.
8. The system according to claim 7, wherein the login server is further configured to: in response to a login request initiated by the user using the application, obtain basic information related to the user and channel information of the application, wherein the channel information indicates the application identifier of the application; and based on the basic information and the channel information of the application, generate the channel authentication credential and the channel role identifier corresponding to the user in the application.
9. A verification device, comprising: a channel information acquisition module configured to extract the channel authentication credentials and channel role identifier corresponding to the user in the application from the service request initiated by the user using the application; a role information acquisition module configured to acquire the user's role information associated with the channel authentication credential in response to the successful verification of the channel authentication credential; a unified user identifier determination module configured to determine the user's unified user identifier based on the role information in response to a match between the role information and the channel role identifier, wherein the unified user identifier is an identifier shared by the user among different services in the server; and a service execution module configured to execute services related to the service request based on the unified user identifier.
10. An electronic device, comprising: at least one processing unit; and at least one memory, coupled to the at least one processing unit and storing instructions for execution by the at least one processing unit, which, when executed by the at least one processing unit, cause the electronic device to perform the method according to any one of claims 1 to 6.
11. A computer-readable storage medium having a computer program stored thereon, the computer program being executable by a processor to implement the method according to any one of claims 1 to 6.
12. A computer program product comprising computer-executable instructions that, when executed by a processor, implement the method of any one of claims 1 to 6.