Cross-system traffic access processing method and system based on trust anchor

By using a cross-system business access processing method based on trust anchors, and leveraging cloud service platforms and Kubernetes clusters to generate standardized encrypted tokens, the problem of identity trust deficiency and authentication complexity between third-party platforms and enterprise internal systems is solved. This enables seamless transfer and verification of user identities across systems, reduces development costs, and improves security.

CN122268632A · Pending · Publication Date: 2026-06-23 · SICHUAN BRANCH OF CHINA TOBACCO

Patent Information

Authority / Receiving Office: CN · China
Patent Type: Applications (China)
Current Assignee / Owner: SICHUAN BRANCH OF CHINA TOBACCO
Filing Date: 2026-03-25
Publication Date: 2026-06-23

AI Technical Summary

Technical Problem

In existing technologies, the authentication and authorization mechanisms between third-party platforms and enterprise internal business systems are fragmented, resulting in the scattered storage of user identity information, lack of mutual trust in security contexts, high development costs, and high security vulnerability risks, especially when integrating with legacy systems, where the success rate of interface calls is low.

Method used

A cross-system business access processing method based on trust anchors is adopted. Application identifiers and key credentials are obtained through the cloud service platform. Standardized encrypted tokens are generated by combining the globally unique user identifier in the user center. This enables seamless transmission and verification of user identity information across systems. The user center, authentication center, and application center are deployed using a Kubernetes cluster, and Alibaba Cloud API Gateway is integrated for two-way identity authentication.

Benefits of technology

It enables seamless transfer and verification of user identity information across systems, avoiding the costs of repeated logins and manual maintenance of mapping relationships. It solves the problems of lack of identity trust and complex interoperability between multiple systems, and standardizes and automates permission allocation, ensuring the accuracy and timeliness of cross-system access control.

✦ Generated by Eureka AI based on patent content.


Abstract

The application discloses a cross-system service access processing method and system based on a trust anchor, relates to the technical field of computer application, and has the technical scheme as follows: sending an authentication request to a cloud service platform to obtain an access token; requesting the cloud service platform to obtain platform user identity information; sending a global user identity query request to a user center; requesting an authentication center to generate an encrypted token containing the global user identity information; and sending a service request containing the encrypted token and related request parameters to a service system, wherein the service system executes service logic based on the global user unique identifier and returns service data. The application realizes seamless transmission and verification of cross-system user identity information, avoids the cost of repeated login and manual maintenance of mapping relations, enables a third-party platform to be connected with multiple heterogeneous systems without adapting diversified protocol stacks, and solves the problems of identity trust loss and complex connection among multiple systems.

Description

Technical Field

[0001] This invention relates to the field of computer application technology, and more specifically, to a method and system for cross-system business access processing based on trust anchors.

Background Technology

[0002] As enterprises deepen their IT infrastructure development, the need for collaboration between third-party platforms and internal business systems is becoming increasingly urgent. However, most existing third-party platforms and internal business systems are independently developed based on monolithic architectures, microservice architectures, or legacy systems. Their authentication and authorization mechanisms exhibit significant fragmentation, such as inconsistent authentication protocols, diverse token formats, and conflicting password policies. This results in user identity information, organizational structure, and permission data being stored in various systems, creating "identity silos."

[0003] This fragmented technical architecture causes serious problems when collaborating across systems: the lack of a unified user data model and synchronization mechanism between third-party platforms and business systems leads to a lack of mutual trust in security contexts; when connecting to a single system, multiple protocol stacks need to be adapted, and the development team needs to repeatedly implement protocol conversion, token parsing, and permission verification logic, with development costs increasing exponentially with the number of systems; especially when connecting to legacy systems, due to low interface standardization, password policy conflicts, and other issues, the success rate of interface calls decreases and the risk of security vulnerabilities increases.

[0004] While existing technologies attempt to alleviate these problems through centralized identity management services or federated identity management, significant limitations remain. Centralized solutions require business systems to modify their existing authentication processes, resulting in poor adaptability to legacy systems; federated identity management relies on pre-shared keys or certificate systems, which can easily lead to key management bottlenecks in dynamic scaling scenarios. Therefore, researching and designing a cross-system business access processing method and system based on trust anchors that can overcome the above shortcomings is a problem that urgently needs to be solved.

Summary of the Invention

[0005] To address the shortcomings of existing technologies, the purpose of this invention is to provide a cross-system business access processing method and system based on trust anchors. This method enables seamless transmission and verification of user identity information across systems, avoids the costs of repeated logins and manual maintenance of mapping relationships, and eliminates the need for third-party platforms to adapt to diverse protocol stacks when connecting to multiple heterogeneous systems. This solves the problems of lack of identity trust and complex connection between multiple systems.

[0006] The above-mentioned technical objective of the present invention is achieved through the following technical solution: firstly, a cross-system business access processing method based on trust anchors is provided. This method is applied to a third-party workbench built on a cloud service platform and includes the following steps: sending an authentication request containing an application identifier and key credentials to the cloud service platform to obtain an access token; using the access token and user identity identifier to request the platform user identity information from the cloud service platform; based on the platform user identity information, sending a global user identity query request to the user center, wherein the user center returns global user identity information based on a pre-bound globally unique user identifier; based on the global user identity information, requesting the authentication center to generate an encrypted token containing the global user identity information; and sending a business request containing the encrypted token and related request parameters to the business system, wherein the business system executes business logic based on the globally unique user identifier and returns business data.

[0007] Furthermore, the third-party workbench deploys the user center, the authentication center, and the application center based on a Kubernetes cluster, forming a root of trust; multiple of the aforementioned business systems are integrated into the application center via API interfaces.

[0008] Furthermore, the authentication center integrates with Alibaba Cloud API Gateway to perform two-way authentication of interface callers through the AK / SK mechanism.

[0009] Furthermore, the application identifier and key credentials are obtained through registration with the application center, which assigns a unique application identifier and key credentials to each access system. Furthermore, the generation of the access token must meet timeliness constraints and be dynamically bound to the application identifier.

[0010] Furthermore, the step of using the access token and user identity identifier to request platform user identity information from the cloud service platform includes: the third-party workbench calls the method provided by the cloud service platform to generate a temporary authorization code; the third-party workbench initiates an interface call request to the cloud service platform to obtain the user, and the interface call request carries the temporary authorization code and the access token; after receiving the interface call request, the cloud service platform first verifies the validity of the access token; after the verification is successful, it parses the temporary authorization code to extract user identification information, then assembles the platform user information based on the user identification information, and finally returns the assembled platform user information to the third-party workbench.

[0011] Furthermore, sending a global user identity query request to the user center includes: initiating a call request carrying platform user information to the gateway; the gateway performs verification operations on the caller identification key, security key, and interface request permissions in the call request; after successful verification, the gateway forwards the call request to the user center; the user center completes the assembly of user information based on the call request, and sends the assembled global user information back to the gateway; the gateway sends the received global user information back to the third-party workbench.

[0012] Furthermore, the step of requesting the authentication center to generate an encrypted token containing the global user identity information based on the global user identity information includes: the third-party workbench sends a request to the gateway, the request carrying the AK / SK of the third-party workbench, the currently logged-in global user ID, and the application ID to be requested; the gateway verifies the access permissions of the interface requests corresponding to the AK / SK, and if the verification passes, the request is forwarded to the authentication center; the authentication center generates an encryption token based on the received request and returns the encryption token to the gateway; the gateway returns the received encryption token to the third-party workbench.

[0013] Furthermore, the step of sending a business request containing the encrypted token and related request parameters to the business system, wherein the business system executes business logic based on the globally unique user identifier and returns business data, includes: the third-party workbench initiates a business request carrying the encryption token and the relevant request parameters; after receiving the service request, the gateway verifies the interface request permissions of the AK / SK and then forwards the service request to the authentication center; the authentication center parses the received encryption token, encrypts the user information using its private key, and then returns the encrypted global user information to the business system; the business system uses the allocated public key to decrypt and verify the encrypted global user information in order to match the user information within the system and perform business processing / data acquisition operations; the business system returns business data to the third-party workbench.

[0014] Furthermore, the business system uses a pre-allocated JWT key to decrypt and verify the encrypted token; if decryption fails or the global user unique identifier does not match the local user data, an error code is returned and the request is terminated.

[0015] Secondly, a cross-system business access processing system based on trust anchors is provided. This system is applied to third-party workbenches built on cloud service platforms and includes: an access authentication request module, configured to send an authentication request containing an application identifier and key credentials to the cloud service platform in order to obtain an access token; a platform information acquisition module, configured to use the access token and user identity identifier to request platform user identity information from the cloud service platform; a global information query module, configured to send a global user identity query request to the user center based on the platform user identity information, wherein the user center returns global user identity information based on a pre-bound global unique user identifier; an encryption token generation module, configured to request the authentication center to generate an encryption token containing the global user identity information based on the global user identity information; and a business request processing module, configured to send a business request containing the encryption token and related request parameters to the business system, wherein the business system executes business logic based on the globally unique user identifier and returns business data.

[0016] Compared with the prior art, the present invention has the following beneficial effects:

1. The cross-system business access processing method based on trust anchors provided by this invention allows a third-party workbench to obtain application identifiers and key credentials through a cloud service platform. Combined with the pre-bound globally unique user identifier in the user center, a standardized encrypted token is generated. Through a unified identity governance mechanism that includes application center registration, global user binding, and layered encrypted transmission, seamless transmission and verification of user identity information across systems is achieved. This avoids the costs of repeated logins and manual maintenance of mapping relationships, and enables the third-party platform to connect to multiple heterogeneous systems without having to adapt to diverse protocol stacks. This solves the problems of identity trust deficiency and complex connection between multiple systems.

2. In this invention, the application center assigns a unique credential to each access system and dynamically binds it to the user's globally unique identifier. This design achieves standardization and automation of permission allocation, avoids permission configuration conflicts caused by differences in system architecture (monolithic / microservice / legacy system), and ensures the accuracy and timeliness of cross-system access control by synchronizing user roles and permission data in real time.

Attached Figure Description

[0017] The accompanying drawings, which are included to provide a further understanding of embodiments of the invention and form part of this application, do not constitute a limitation thereof. In the drawings: Figure 1 is a flowchart of Embodiment 1 of the present invention; Figure 2 is a timing diagram of the user verification process in Embodiment 1 of the present invention; Figure 3 is a timing diagram of the service access processing in Embodiment 1 of the present invention; Figure 4 is a system block diagram of Embodiment 2 of the present invention.

Detailed Implementation

[0018] To make the objectives, technical solutions, and advantages of the present invention clearer, the present invention will be further described in detail below with reference to the embodiments and accompanying drawings. The illustrative embodiments and descriptions of the present invention are only used to explain the present invention and are not intended to limit the present invention.

[0019] Example 1: A method for handling cross-system business access based on trust anchors. This method is applied to a third-party workbench built on a cloud service platform and, as shown in Figure 1, includes the following steps: S1: Send an authentication request containing the application identifier and key credentials to the cloud service platform to obtain an access token; S2: Use the access token and user identity identifier to request the platform user identity information from the cloud service platform; S3: Based on the platform user identity information, send a global user identity query request to the user center, whereby the user center returns global user identity information based on the pre-bound global unique user identifier; S4: Based on the global user identity information, request the authentication center to generate an encrypted token containing the global user identity information; S5: Send a business request containing an encrypted token and related request parameters to the business system, whereby the business system executes business logic based on the globally unique user identifier and returns business data.

[0020] The third-party workbench in this invention deploys a user center, authentication center, and application center based on a Kubernetes cluster, forming a root of trust; multiple business systems are integrated into the application center through API interface connections.

[0021] The third-party workbench, various business systems, and the three major centers all use globally unique user IDs to associate users within their respective systems. This unified approach deeply binds platform users with users of various business systems, enabling the third-party workbench to accurately obtain information such as the currently logged-in user's role, permissions, and data when initiating requests or data interactions.

[0022] The user center in this invention analyzes and constructs a global user organization system based on user information and organizational structure data provided by the human resources system.

[0023] In this invention, when importing user data, the third-party platform organization uses a globally unique user identifier as the platform user's userid; each business system binds its own user data to the globally unique user identifier according to the company-department-name system.

[0024] In this invention, the business system accesses the application center, which assigns the application clientid, API interface appkey and appsecret, and JWT key; at the same time, it assigns interface call permissions to each application.

[0025] Furthermore, the third-party workbench in this invention relies on the token acquisition and parsing of the authentication center to design interface call specifications for different services, thus improving the various services of the third-party workbench. It uniformly uses the GET request method to call different interfaces to request different services.

[0026] In some optional examples, containerized deployment is based on the Kubernetes cluster provided by Alibaba Cloud. This deployment solution can manage and configure the relevant interfaces of the three centers through the Alibaba Cloud API Gateway. At the same time, relying on the authentication function of the Alibaba Cloud API Gateway, the permission allocation and verification of the interface can be completed. It can also reduce the complexity of various business systems and third-party workbench connecting to the three centers. After the connecting system introduces the unified SDK package, it can make API calls using the assigned application identifier (clientid) and key credentials (clientsecret).

[0027] The authentication center integrates with Alibaba Cloud API Gateway to perform two-way authentication of API callers through the AK / SK (public key / private key) mechanism.

[0028] The token generation interface requires the transmission parameters to include the application clientid and user ID. During parsing, the transmission parameters must include both the application clientid and the token. The generated token has an expiration date. After successful token authentication, the returned user information is encrypted using JWT. This interface definition scheme aims to address the security risks of stolen and parsed tokens, prevent system B from parsing tokens generated for system A, thereby improving the security of user information transmission and ensuring that tokens are generated and parsed only once.

[0029] In step S1, the application identifier and key credential are obtained through registration with the application center, which assigns a unique application identifier and key credential to each access system; and the generation of the access token must meet the timeliness constraint and be dynamically bound to the application identifier.

[0030] In step S2, the user requests platform user identity information from the cloud service platform using the access token and user identity identifier. As shown in Figure 2, the specific steps include: when a user opens a third-party workbench, the third-party workbench uses the relevant methods provided by the cloud service platform to generate a temporary authorization code (authCode) for obtaining the currently logged-in user's information; the third-party workbench uses the clientid and clientsecret assigned when registering the application on the cloud service platform as parameters to call the relevant interfaces provided by the cloud service platform to obtain an access token (access_token) for verifying the caller's identity; after receiving the interface call request, the cloud service platform first verifies the validity of the access token; after the verification is successful, it parses the temporary authorization code to extract user identification information, then assembles platform user information based on the user identification information, and finally returns the assembled platform user information to the third-party workbench. The platform user information includes, but is not limited to, user ID, user name, user department, user role, and other information.

[0031] In step S3, as shown in Figure 2, a global user identity query request is sent to the user center, including: initiating a call request carrying platform user information to the gateway; the gateway performs verification operations on the caller identification key, security key, and interface request permissions in the call request; after successful verification, the gateway forwards the call request to the user center; the user center completes the assembly of user information based on the call request and sends the assembled global user information back to the gateway; the gateway sends the received global user information back to the third-party workbench. The global user information includes, but is not limited to, employee ID, account ID, company, department, role, and sequence number.

[0032] In some optional examples, after obtaining global user information, the third-party workbench can also obtain relevant configurations, such as obtaining system-related configurations, user-defined configurations, setting key parameters such as themes, fonts, and layouts, obtaining the number of to-do items, and obtaining the message notification list; after the third-party workbench completes rendering, it will display the interface to the user.

[0033] In step S4, based on the global user identity information, a request is made to the authentication center to generate an encrypted token containing the global user identity information. As shown in Figure 3, the specific steps include: the third-party workbench sends a request to the gateway, the request carrying the third-party workbench's AK / SK, the currently logged-in global user ID, and the application ID to be requested; the gateway verifies the interface request permissions corresponding to the AK / SK, and if the verification passes, it forwards the request to the authentication center; the authentication center generates an encryption token based on the received request and returns the encryption token to the gateway; the gateway returns the received encryption token to the third-party workbench.

[0034] It should be noted that when a user initiates a request, the third-party platform identifies the application requested by the user, the request type, and the request parameters.

[0035] In step S5, a business request containing an encryption token and relevant request parameters is sent to the business system. The business system executes business logic based on a globally unique user identifier and returns business data. As shown in Figure 3, the specific steps include: a third-party workbench initiating a business request carrying an encryption token and relevant request parameters; the gateway receiving the business request, verifying the interface request permissions of the AK / SK, and forwarding the business request to the authentication center; the authentication center parsing the received encryption token, encrypting the user information using the private key, and then returning the encrypted global user information to the business system; the business system using the allocated public key to decrypt and verify the encrypted global user information to match the user information within the system, and performing business processing / data acquisition operations; and the business system returning business data to the third-party workbench.

[0036] In some optional examples, the business system uses a pre-assigned JWT key to decrypt and verify the encrypted token; if decryption fails or the global user unique identifier does not match the local user data, an error code is returned and the request is terminated.
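The token rules of [0028] (a token bound to the application clientid and user ID, with an expiry, parsed only once) and the business-system check of [0036], as an added Python example that is not code from the patent. Assumptions: the "JWT key" is treated as an HS256 signing secret, so the returned user information is signed rather than encrypted; the pending-token store is in memory; all class names, error codes, client IDs and user IDs are constructed for illustration.

```python
import base64, hashlib, hmac, json, secrets

class TokenError(Exception):
    """Raised by the authentication center; str(exc) is the error code."""

def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def jwt_sign(claims: dict, key: bytes) -> str:
    head = b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64(sig)}"

def jwt_verify(token: str, key: bytes, audience: str, now: float) -> dict:
    """Return the claims, or raise ValueError on any verification failure."""
    head, body, sig = token.split(".")  # ValueError unless exactly 3 parts
    good = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(good, unb64(sig)):
        raise ValueError("bad signature")
    if json.loads(unb64(head)).get("alg") != "HS256":  # pin the algorithm
        raise ValueError("unexpected alg")
    claims = json.loads(unb64(body))
    if claims.get("aud") != audience or now >= claims.get("exp", 0):
        raise ValueError("wrong audience or expired")
    return claims

class AuthCenter:
    """Issues opaque one-time tokens bound to (clientid, user ID) with a TTL."""
    def __init__(self, jwt_keys: dict, ttl: int = 60):
        self.jwt_keys = jwt_keys   # clientid -> JWT key assigned at registration
        self.ttl = ttl
        self.pending = {}          # token -> (clientid, user_id, expires_at)

    def generate(self, clientid: str, user_id: str, now: float) -> str:
        if clientid not in self.jwt_keys:
            raise TokenError("unknown_client")
        token = secrets.token_urlsafe(32)
        self.pending[token] = (clientid, user_id, now + self.ttl)
        return token

    def parse(self, clientid: str, token: str, now: float) -> str:
        record = self.pending.get(token)
        if record is None:
            raise TokenError("unknown_or_used_token")
        bound_client, user_id, expires_at = record
        if bound_client != clientid:       # system B presenting system A's token
            raise TokenError("client_mismatch")
        del self.pending[token]            # single use: consumed on first parse
        if now >= expires_at:
            raise TokenError("expired")
        claims = {"sub": user_id, "aud": clientid, "exp": int(now) + self.ttl}
        return jwt_sign(claims, self.jwt_keys[clientid])

class BusinessSystem:
    def __init__(self, clientid: str, jwt_key: bytes, local_users: dict):
        self.clientid, self.jwt_key, self.local_users = clientid, jwt_key, local_users

    def handle(self, user_jwt: str, now: float) -> dict:
        try:
            claims = jwt_verify(user_jwt, self.jwt_key, self.clientid, now)
        except (ValueError, TypeError, AttributeError):
            return {"code": 401, "error": "token_verification_failed"}
        user = self.local_users.get(claims.get("sub"))
        if user is None:  # global user ID not bound to any local user
            return {"code": 403, "error": "unknown_global_user"}
        return {"code": 0, "user": user}

def attempt(fn, *args, **kw):
    """Return ('ok', result) or ('error', code) so outcomes can be compared."""
    try:
        return "ok", fn(*args, **kw)
    except TokenError as exc:
        return "error", str(exc)

def run_scenario() -> dict:
    # Constructed sample data: two registered applications, one bound user.
    keys = {"sys-a": secrets.token_bytes(32), "sys-b": secrets.token_bytes(32)}
    center = AuthCenter(keys, ttl=60)
    sys_a = BusinessSystem("sys-a", keys["sys-a"], {"G-1001": "alice"})
    sys_b = BusinessSystem("sys-b", keys["sys-b"], {"G-1001": "alice"})
    t0 = 1_000_000
    token = center.generate("sys-a", "G-1001", now=t0)
    out = {"b_parses_a_token": attempt(center.parse, "sys-b", token, now=t0 + 1)}
    user_jwt = center.parse("sys-a", token, now=t0 + 1)
    out["replay"] = attempt(center.parse, "sys-a", token, now=t0 + 2)
    stale = center.generate("sys-a", "G-1001", now=t0)
    out["expired"] = attempt(center.parse, "sys-a", stale, now=t0 + 61)
    out["a_accepts"] = sys_a.handle(user_jwt, now=t0 + 2)
    out["b_rejects_a_jwt"] = sys_b.handle(user_jwt, now=t0 + 2)
    ghost = center.parse("sys-a", center.generate("sys-a", "G-9999", now=t0), now=t0 + 1)
    out["unmapped_user"] = sys_a.handle(ghost, now=t0 + 2)
    return out

if __name__ == "__main__":
    for name, result in run_scenario().items():
        print(f"{name}: {result}")
```

A token presented under the wrong clientid is left unconsumed here so the legitimate application can still redeem it; revoking it on mismatch is the stricter alternative.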

[0037] It should be noted that accessing business systems includes, but is not limited to, single sign-on, loading of independent card pages, global search, and availability verification.

[0038] Example 2: A cross-system service access processing system based on trust anchors. This system is used to implement the cross-system service access processing method based on trust anchors as described in Example 1 and, as shown in Figure 4, includes an access authentication request module, a platform information acquisition module, a global information query module, an encryption token generation module, and a business request processing module.

[0039] The system includes the following modules: an access authentication request module, configured to send an authentication request containing an application identifier and key credentials to the cloud service platform to obtain an access token; a platform information acquisition module, configured to use the access token and user identity identifier to request platform user identity information from the cloud service platform; a global information query module, configured to send a global user identity query request to the user center based on the platform user identity information, wherein the user center returns global user identity information based on a pre-bound globally unique user identifier; an encrypted token generation module, configured to request the authentication center to generate an encrypted token containing global user identity information based on the global user identity information; and a business request processing module, configured to send a business request containing the encrypted token and related request parameters to the business system, wherein the business system executes business logic based on the globally unique user identifier and returns business data.

[0040] Working principle: The third-party workbench in this invention obtains application identifiers and key credentials through a cloud service platform. Combined with the pre-bound globally unique user identifier in the user center, it generates a standardized encrypted token. Through a unified identity governance mechanism that includes application center registration, global user binding, and layered encrypted transmission, it achieves seamless transmission and verification of user identity information across systems. This avoids the costs of repeated logins and manual maintenance of mapping relationships, and enables the third-party platform to connect to multiple heterogeneous systems without adapting to diverse protocol stacks. It solves the problems of identity trust deficiency and complex connection between multiple systems.

[0041] Those skilled in the art will understand that embodiments of this application can be provided as methods, systems, or computer program products. Therefore, this application can take the form of a completely hardware embodiment, a completely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, this application can take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.

[0042] This application is described with reference to flowchart illustrations and / or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of this application. It will be understood that each block of the flowchart illustrations and / or block diagrams, and combinations of blocks in the flowchart illustrations and / or block diagrams, can be implemented by computer program instructions. These computer program instructions can be provided to a processor of a general-purpose computer, special-purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, produce a device for implementing the functions specified in one or more processes of the flowchart and / or one or more boxes of the block diagram.

[0043] These computer program instructions may also be stored in a computer-readable storage medium that can direct a computer or other programmable data processing device to function in a particular manner, such that the instructions stored in the computer-readable storage medium produce an article of manufacture including instruction means that implement the functions specified in one or more processes of the flowchart and / or one or more boxes of the block diagram.

[0044] These computer program instructions may also be loaded onto a computer or other programmable data processing equipment to cause a series of operational steps to be performed on the computer or other programmable equipment to produce a computer-implemented process, so that the instructions that execute on the computer or other programmable equipment provide steps for implementing the functions specified in one or more processes of the flowchart and / or one or more boxes of the block diagram.

[0045] The specific embodiments described above further illustrate the purpose, technical solution, and beneficial effects of the present invention. It should be understood that the above description is only a specific embodiment of the present invention and is not intended to limit the scope of protection of the present invention. Any modifications, equivalent substitutions, improvements, etc., made within the spirit and principles of the present invention should be included within the scope of protection of the present invention.

Claims

1. A cross-system business access processing method based on trust anchors, characterized in that the method is applied to third-party workbenches built on cloud service platforms and includes the following steps:
sending an authentication request containing an application identifier and key credentials to the cloud service platform to obtain an access token;
using the access token and user identity identifier, requesting the cloud service platform to obtain the platform user identity information;
based on the platform user identity information, sending a global user identity query request to the user center, wherein the user center returns global user identity information based on a pre-bound globally unique user identifier;
based on the global user identity information, requesting the authentication center to generate an encrypted token containing the global user identity information;
sending a business request containing the encrypted token and related request parameters to the business system, wherein the business system executes business logic based on the globally unique user identifier and returns business data.

2. The cross-system business access processing method based on trust anchors according to claim 1, characterized in that the third-party workbench deploys the user center, authentication center, and application center on a Kubernetes cluster, forming a root of trust; furthermore, multiple of the aforementioned business systems are integrated into the application center via API interfaces.

3. The cross-system business access processing method based on trust anchors according to claim 1, characterized in that the authentication center integrates Alibaba Cloud API Gateway and performs two-way authentication of interface callers through the AK/SK mechanism.

4. The cross-system business access processing method based on trust anchors according to claim 1, characterized in that the application identifier and key credentials are obtained through registration with the application center, which assigns a unique application identifier and key credentials to each access system; furthermore, the generation of the access token must meet timeliness constraints and be dynamically bound to the application identifier.

5. The cross-system business access processing method based on trust anchors according to claim 1, characterized in that the step of requesting platform user identity information from the cloud service platform using the access token and user identity identifier includes:
the third-party workbench calls the method provided by the cloud service platform to generate a temporary authorization code;
the third-party workbench initiates an interface call request to the cloud service platform to obtain the user, the interface call request carrying the temporary authorization code and the access token;
after receiving the interface call request, the cloud service platform first verifies the validity of the access token; after the verification is successful, it parses the temporary authorization code to extract user identification information, then assembles the platform user information based on the user identification information, and finally returns the assembled platform user information to the third-party workbench.

6. The cross-system business access processing method based on trust anchors according to claim 1, characterized in that sending a global user identity query request to the user center includes:
initiating a call request carrying platform user information to the gateway;
the gateway performs verification operations on the caller identification key, security key, and interface request permissions in the call request;
after successful verification, the gateway forwards the call request to the user center;
the user center completes the assembly of user information based on the call request, and sends the assembled global user information back to the gateway;
the gateway sends the received global user information back to the third-party workbench.

7. The cross-system business access processing method based on trust anchors according to claim 1, characterized in that the step of requesting the authentication center to generate an encrypted token containing the global user identity information based on the global user identity information includes:
the third-party workbench sends a request to the gateway, the request carrying the AK/SK of the third-party workbench, the currently logged-in global user ID, and the application ID to be requested;
the gateway verifies the access permissions of the interface requests corresponding to the AK/SK; if the verification passes, the request is forwarded to the authentication center;
the authentication center generates an encrypted token based on the received request and returns the encrypted token to the gateway;
the gateway returns the received encrypted token to the third-party workbench.

8. The cross-system business access processing method based on trust anchors according to claim 1, characterized in that the step of sending a business request containing the encrypted token and related request parameters to the business system, wherein the business system executes business logic based on the globally unique user identifier and returns business data, includes:
the third-party workbench initiates a business request carrying the encrypted token and the relevant request parameters;
after receiving the business request, the gateway verifies the interface request permissions of the AK/SK and then forwards the business request to the authentication center;
the authentication center parses the received encrypted token, encrypts the user information using its private key, and then returns the encrypted global user information to the business system;
the business system uses the allocated public key to decrypt and verify the encrypted global user information in order to match the user information within the system and perform business processing / data acquisition operations;
the business system returns business data to the third-party workbench.

9. The cross-system business access processing method based on trust anchors according to claim 8, characterized in that the business system uses a pre-allocated JWT key to decrypt and verify the encrypted token; if decryption fails or the globally unique user identifier does not match the local user data, an error code is returned and the request is terminated.

10. A cross-system business access processing system based on trust anchors, characterized in that the system is applied to third-party workbenches built on cloud service platforms and includes:
an access authentication request module, configured to send an authentication request containing an application identifier and key credentials to the cloud service platform in order to obtain an access token;
a platform information acquisition module, configured to use the access token and user identity identifier to request platform user identity information from the cloud service platform;
a global information query module, configured to send a global user identity query request to the user center based on the platform user identity information, wherein the user center returns global user identity information based on a pre-bound globally unique user identifier;
an encrypted token generation module, configured to request the authentication center to generate an encrypted token containing the global user identity information based on the global user identity information;
a business request processing module, configured to send a business request containing the encrypted token and related request parameters to the business system, wherein the business system executes business logic based on the globally unique user identifier and returns business data.
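
The business-system check described in claims 7 and 9, as an added example that is not code from the patent: the token is verified with a pre-allocated key, and any failure returns an error code and ends the request. Assumptions not stated in the claims: an HS256-signed JWT, the field names `sub`/`aud`/`exp`, a token expiry, binding to the requested application ID via `aud`, and the error code names; the key, application ID and user data are constructed.

```python
import base64, hashlib, hmac, json, time

JWT_KEY = b"constructed-demo-key"      # stands in for the pre-allocated JWT key
APP_ID = "biz-system-a"                # hypothetical application identifier
LOCAL_USERS = {"guid-1001": {"name": "constructed user"}}  # constructed local data

def _b64d(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64e(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def _mac(head, body, key):
    return hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()

def issue_token(guid, aud, ttl=300, key=JWT_KEY, alg="HS256", now=None):
    """Authentication-center side, included only to make the example runnable."""
    now = int(time.time()) if now is None else now
    head = _b64e(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = _b64e(json.dumps({"sub": guid, "aud": aud, "exp": now + ttl}).encode())
    return f"{head}.{body}.{_b64e(_mac(head, body, key))}"

def verify_token(token, now=None):
    """Business-system side: return (error_code, user); anything but OK ends the request."""
    now = int(time.time()) if now is None else now
    try:
        head, body, sig = token.split(".")
        # Pin the algorithm locally; a header asking for "none" or another alg is rejected.
        if json.loads(_b64d(head)).get("alg") != "HS256":
            return "E_TOKEN_INVALID", None
        if not hmac.compare_digest(_mac(head, body, JWT_KEY), _b64d(sig)):
            return "E_TOKEN_INVALID", None
        claims = json.loads(_b64d(body))
        exp, aud, sub = claims.get("exp"), claims.get("aud"), claims.get("sub")
    except (ValueError, TypeError, AttributeError):
        return "E_TOKEN_INVALID", None   # malformed token: fail closed
    if not isinstance(exp, int) or exp <= now:
        return "E_TOKEN_EXPIRED", None
    if aud != APP_ID:                    # token was minted for a different application
        return "E_WRONG_APP", None
    user = LOCAL_USERS.get(sub) if isinstance(sub, str) else None
    if user is None:                     # identifier has no match in local user data
        return "E_USER_MISMATCH", None
    return "OK", user
```

The signature is checked before any field of the payload is read, so a tampered identifier is rejected as an invalid token rather than as a user mismatch.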