Distributed token authentication method and storage medium

Document No.: 1819837   Published: 2021-11-09   Views: 5   Chinese

Reading note: this technology, Distributed token authentication method and storage medium (分布式令牌鉴权方法、存储介质), was designed and created by 刘德建, 伍张发, 陈波 and 林琛 on 2020-05-06. Its main content is as follows: the invention provides a distributed token authentication method and a storage medium. The method comprises the following steps: the client sends an identity token logout request to a login server; the login server submits attribute values of the logged-out identity token, including its signature value, to the MQ server; after the authentication server is started, it subscribes to messages from the MQ server; the authentication server stores the attribute values of the logged-out identity token sent by the MQ server in a cache; and when the authentication server verifies that the client's identity token is valid and its signature value does not exist in the cache, authentication passes. The storage and access pressure on the back-end database server is reduced; the validity of the identity token is checked comprehensively, which enhances the security of the token; the client is supported in logging off its identity token autonomously, so that illegal use of the token is avoided; and the memory occupation of the authentication server is optimized at regular intervals, ensuring that the authentication server maintains good performance.

1. A distributed token authentication method, comprising:

the client sends an identity token logout request to a login server;

the login server submits an attribute value of the logout identity token including a signature value to the MQ server;

after the authentication server is started, it subscribes to messages from the MQ server;

the authentication server stores the attribute value of the logout identity token sent by the MQ server to a cache;

and when the authentication server verifies that the identity token of the client is valid and the signature value does not exist in the cache, the authentication is passed.

2. The distributed token authentication method of claim 1, further comprising:

the client requests to obtain identity authorization from a login server;

the login server generates an identity token corresponding to the client according to the request and returns the identity token to the client;

and the gateway server intercepts the identity token submitted by the client and forwards the identity token to the authentication server.

3. The distributed token authentication method of claim 2, further comprising:

and after the authentication is passed, the gateway server forwards the identity token submitted by the client to the service server.

4. The distributed token authentication method of claim 1, further comprising:

and when the authentication server verifies that the identity token of the client is invalid or the signature value exists in the MQ server, the authentication is not passed.

5. The distributed token authentication method of claim 1, wherein the identity token is valid when the signature value of the identity token is valid and the identity token has not expired.

6. The distributed token authentication method of claim 1, further comprising:

and regularly clearing the record of the expired logout identity token in the cache.

7. The distributed token authentication method of claim 1, wherein the attribute values further comprise an expiration time;

the authentication server stores the attribute value of the logout identity token sent by the MQ server to a cache, and specifically comprises the following steps:

and the authentication server stores the attribute value of the logout identity token sent by the MQ server into a cached logout dictionary, wherein the logout dictionary takes the signature value as a key and takes the expiration time as a value.

8. The distributed token authentication method of claim 7, wherein the method further comprises:

storing the attribute value of the logout identity token into a logout dictionary and simultaneously storing the attribute value into a timing check table;

the authentication server starts a timer, periodically searches the timing check table, and acquires the attribute value of the expired logout identity token according to the current time;

and deleting the record corresponding to the expired logout identity token in the logout dictionary.

9. A computer-readable storage medium, on which a computer program is stored, which program, when being executed by a processor, is adapted to carry out the steps of the distributed token authentication method of any of the preceding claims 1 to 8.

Technical Field

The invention relates to the field of security, in particular to a distributed token authentication method and a storage medium.

Background

At present, authentication of an identity token is generally realized by storing the token on a back-end server; after the validity check of the token passes, a database server is accessed to return the basic information of the user corresponding to the token. However, as large numbers of Internet of Things devices connect to the server in the future, the authentication load on the back-end server increases greatly, and many servers have to be scaled out horizontally to support it. Therefore, another authentication mode is provided: the basic user information is stored in the token and issued to the client; the token is carried when the client accesses the back-end server; token validity and signature verification are carried out on the back-end server, and the basic user information is extracted from the token only after both pass. By removing the database access round trip, the pressure on the storage server can be greatly reduced. Correspondingly, if the user cannot disable an authorized token in time when logging it off, and can only wait for the token's validity period to expire, certain potential security hazards exist.

In view of this, the invention provides a distributed identity information authentication scheme that reduces the storage and access pressure on the server by storing the basic information of the user in the token, and also provides a scheme for checking whether the token has been logged off, so as to enhance the security of the token.

Disclosure of Invention

The technical problem to be solved by the invention is as follows: a distributed token authentication method and a storage medium are provided, which can reduce the storage and access pressure of a server and enhance the security of a token.

In order to solve the technical problems, the invention adopts the technical scheme that:

the distributed token authentication method comprises the following steps:

the client sends an identity token logout request to a login server;

the login server submits an attribute value of the logout identity token including a signature value to the MQ server;

after the authentication server is started, it subscribes to messages from the MQ server;

the authentication server stores the attribute value of the logout identity token sent by the MQ server to a cache;

and when the authentication server verifies that the identity token of the client is valid and the signature value does not exist in the cache, the authentication is passed.

The invention provides another technical scheme as follows:

a computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, is able to carry out the steps of the above-mentioned distributed token authentication method.

The invention has the beneficial effects that: the invention reduces the storage and access pressure of the back-end database server by storing the user basic information in the token and issuing the user basic information to the client; meanwhile, the client is supported to autonomously cancel the identity token and issue the identity token to the MQ server, then the identity token is synchronized to the authentication server in real time, and verification on whether the identity token is cancelled or not is additionally arranged, so that the validity of the identity token is comprehensively checked, and the security of the token is enhanced.

Drawings

Fig. 1 is a schematic flowchart of a distributed token authentication method according to an embodiment of the present invention;

Fig. 2 is a schematic diagram of information interaction according to embodiments one to four of the present invention.

Detailed Description

In order to explain technical contents, achieved objects, and effects of the present invention in detail, the following description is made with reference to the accompanying drawings in combination with the embodiments.

The key concept of the invention is as follows: the storage and access pressure on the back-end storage server is reduced by storing the basic user information in the token and issuing it to the client; meanwhile, a check of whether the identity token has been logged off is added, which enhances the security of the token.

The technical terms related to the invention are explained as follows:

Referring to Fig. 1, the present invention provides a distributed token authentication method, including:

the client sends an identity token logout request to a login server;

the login server submits an attribute value of the logout identity token including a signature value to the MQ server;

after the authentication server is started, it subscribes to messages from the MQ server;

the authentication server stores the attribute value of the logout identity token sent by the MQ server to a cache;

and when the authentication server verifies that the identity token of the client is valid and the signature value does not exist in the cache, the authentication is passed.

From the above description, the beneficial effects of the present invention are: the invention can reduce the times of accessing the database by storing the token at the client, thereby reducing the storage pressure and the access pressure of the storage server; meanwhile, the verification of whether the token is cancelled or not is added, so that the comprehensive verification of the token validity is realized, and the security of the token is enhanced.

Further, the method further includes:

the client requests to obtain identity authorization from a login server;

the login server generates an identity token corresponding to the client according to the request and returns the identity token to the client;

and the gateway server intercepts the identity token submitted by the client and forwards the identity token to the authentication server.

According to the above description, the client obtains its identity token through a single interaction with the login server and stores it locally; the authentication server verifies the validity of the identity token on each use, and the pressure on the back-end storage server is greatly reduced.

Further, the method further includes:

and after the authentication is passed, the gateway server forwards the identity token submitted by the client to the service server.

As can be seen from the above description, the client is allowed to interact with the service server only after the authentication server verifies that the identity token submitted by the client is legitimate, so that the identity of the client can be ensured to be legitimate.

Further, the method further includes:

and when the authentication server verifies that the identity token of the client is invalid or the signature value exists in the MQ server, the authentication is not passed.

As can be seen from the above description, even if the signature value and validity period of the identity token are verified, the identity token cannot pass authentication if the user has applied to log it off; the user is thus given the right to autonomously decide the validity of the identity token, a logged-off token cannot be used, and the potential security hazard of illegal use is avoided.

Further, the identity token is valid when its signature value is valid and the identity token has not expired.

As can be seen from the above description, the authentication can be passed only when the signature value of the identity token is valid, unexpired and not revoked, so as to ensure that the identity token is fully verified.

Further, the method further includes:

and regularly clearing the record of the expired logout identity token in the cache.

According to the description, the storage space can be released in time, and the occupation space of invalid resources is avoided.

Further, the attribute values further include an expiration time;

the authentication server stores the attribute value of the logout identity token sent by the MQ server to a cache, and specifically comprises the following steps:

and the authentication server stores the attribute value of the logout identity token sent by the MQ server into a cached logout dictionary, wherein the logout dictionary takes the signature value as a key and takes the expiration time as a value.

According to the above description, the information of the logged-off identity token is stored locally on the authentication server in the logout dictionary, which improves the efficiency of checking identity tokens, occupies fewer resources, and gives the authentication server better performance.

Further, the method further comprises the following steps:

storing the attribute value of the logout identity token into a logout dictionary and simultaneously storing the attribute value into a timing check table;

the authentication server starts a timer, periodically searches the timing check table, and acquires the attribute value of the expired logout identity token according to the current time;

and deleting the record corresponding to the expired logout identity token in the logout dictionary.

As can be seen from the above description, expired logout identity tokens are removed periodically and asynchronously, which frees storage space in time while optimizing system performance.

The invention provides another technical scheme as follows:

a computer-readable storage medium, on which a computer program is stored which, when executed by a processor, is capable of implementing the steps comprised by the following distributed token authentication method:

the client sends an identity token logout request to a login server;

the login server submits an attribute value of the logout identity token including a signature value to the MQ server;

after the authentication server is started, it subscribes to messages from the MQ server;

the authentication server stores the attribute value of the logout identity token sent by the MQ server to a cache;

and when the authentication server verifies that the identity token of the client is valid and the signature value does not exist in the cache, the authentication is passed.

Further, the method further includes:

the client requests to obtain identity authorization from a login server;

the login server generates an identity token corresponding to the client according to the request and returns the identity token to the client;

and the gateway server intercepts the identity token submitted by the client and forwards the identity token to the authentication server.

Further, the method further includes:

and after the authentication is passed, the gateway server forwards the identity token submitted by the client to the service server.

Further, the method further includes:

and when the authentication server verifies that the identity token of the client is invalid or the signature value exists in the MQ server, the authentication is not passed.

Further, the identity token is valid when its signature value is valid and the identity token has not expired.

Further, the method further includes:

and regularly clearing the record of the expired logout identity token in the cache.

Further, the attribute values further include an expiration time;

the authentication server stores the attribute value of the logout identity token sent by the MQ server to a cache, and specifically comprises the following steps:

and the authentication server stores the attribute value of the logout identity token sent by the MQ server into a cached logout dictionary, wherein the logout dictionary takes the signature value as a key and takes the expiration time as a value.

Further, the method further comprises:

storing the attribute value of the logout identity token into a logout dictionary and simultaneously storing the attribute value into a timing check table;

the authentication server starts a timer, periodically searches the timing check table, and acquires the attribute value of the expired logout identity token according to the current time;

and deleting the record corresponding to the expired logout identity token in the logout dictionary.

As can be understood from the above description, those skilled in the art can understand that all or part of the processes in the above technical solutions can be implemented by instructing related hardware through a computer program, where the program can be stored in a computer-readable storage medium, and when executed, the program can include the processes of the above methods. The program can also achieve advantageous effects corresponding to the respective methods after being executed by a processor.

The storage medium may be a magnetic disk, an optical disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), or the like.

Example one

Referring to Fig. 1, this embodiment provides a distributed token authentication method that is particularly suitable for identity token authentication between distributed services accessed by large numbers of Internet of Things devices. The method reduces the storage and access pressure on the server by storing the basic user information in the token, and at the same time provides a scheme for checking in time whether the token has been logged off, thereby enhancing the security of the token.

As shown in Fig. 1, which is a schematic diagram of information interaction in this embodiment, the method includes:

S1: the client requests identity authorization from a login server;

S2: the login server generates an identity token for the client according to the request and returns it to the client; the identity token contains attribute values such as a signature value (signature), an expiration interval (exp) and a token generation time (iat);

S3: the client sends a request carrying the identity token returned by the login server to a gateway server at the front end, and the gateway server intercepts the request and forwards it to an authentication server at the back end;

S4: after receiving the identity token, the authentication server checks its validity;

In particular, the authentication server checks whether the signature value of the identity token is valid and whether the identity token has expired. Whether the signature value is valid is verified using the key corresponding to the client; whether the identity token has expired is determined by the expiration time formula exp + iat, computed from the two attribute values expiration interval (exp) and token generation time (iat) carried in the identity token. The expiration time determines the validity period of the token and is typically set to 1 or 2 hours.

S5: if the validity check of the identity token fails, the authentication server returns a corresponding unauthorized message to the client; failure corresponds to the signature value of the identity token being illegitimate and/or the identity token having expired.

S6: if the validity check of the identity token passes, the authentication server judges whether the identity token has been logged off.

Validity of the identity token corresponds to the condition that the signature value is legitimate and the token has not expired.

At any point in this embodiment, any client can log off its identity token through the following process:

1. The client initiates an identity token logout request through the login server;

2. The login server obtains the signature value and the expiration time attribute values of the client's identity token and submits them to the MQ server at the back end. Here the MQ server refers to a message queue (MQ) server such as RabbitMQ or Kafka that provides message publish and subscribe functions; it is used to implement the logout information synchronization policy for identity tokens between the distributed authentication servers (the authentication servers carry a heavy load, so the system generally scales out horizontally and deploys several authentication servers).

3. When an authentication server at the back end is started, it registers a subscription with the MQ server at the back end, so that when the MQ server receives a logout identity token it can be synchronized to every authentication server in time.

4. After receiving a logout identity token sent by the MQ server, the authentication server at the back end stores it in a cache. Thus every identity token that has been logged off up to the current time is recorded in the cache.

Therefore, the process by which the authentication server verifies whether the identity token has been revoked includes:

5. The authentication server judges whether the client's identity token exists in the set of logout identity tokens recorded in the cache; if it does, authentication fails; if it does not, authentication passes and the next step is executed.

S7: the authentication server returns the authentication result notification to the gateway server;

S8: the gateway server releases the interception and forwards the identity token submitted by the client to the service server for subsequent processing. The service server may also be distributed; it decrypts the received identity token to obtain the basic information of the user and performs the related service processing.

Example two

Referring to Fig. 2, this embodiment further limits the first embodiment; specifically, it defines the way a logout identity token is stored in the cache of the authentication server, so that retrieval efficiency is improved and system performance is better than with an out-of-process cache.

Specifically, each authentication server maintains a logout cache dictionary in its process (in memory) for storing the logout identity tokens received from the MQ server. The logout cache dictionary resides in-process (in memory) and is an ordinary in-memory dictionary structure. It stores each logout identity token with the signature value of the logout identity token as the key and the expiration time as the value.

In particular, because the validity period of an identity token is generally about 1-2 hours, which is relatively short, and a token logged off within its validity period necessarily has less than 1-2 hours remaining, the caching period is short; users do not log off very frequently, so the number of cache keys generated is small. For this scenario, therefore, an in-process cache performs better than an out-of-process cache (third-party stores such as Redis or MemoryCache).

Example three

Referring to Fig. 2, this embodiment further limits the first or second embodiment and provides a function for deleting expired logout identity tokens at fixed times, so as to optimize the storage of logout identity tokens.

Specifically, the method of the first embodiment further includes:

S9: regularly cleaning the records of expired logout identity tokens from the cache of the authentication server.

Preferably, after receiving a logout identity token sent by the MQ server, the authentication server at the back end also stores the attribute values of the logout identity token in a timing check table; the authentication server at the back end starts a timer, searches the timing check table at regular intervals, acquires the attribute values of the expired logout identity tokens according to the current time, and deletes the corresponding records from the logout dictionary.

Example four

Referring to fig. 2, the present embodiment corresponds to the first to third embodiments, and provides a specific application scenario:

1. The client requests identity authorization for a user from a login server; the login server generates an identity token in JSON Web Token (JWT) form, in which the basic information and expiration time of the user are base64-encoded and form part of the token, and the identity token is returned to the client once generated.

Examples of tokens are as follows:

Token format: {base64(header)}.{base64(payload)}.{signature}

where header is the header data:

    {
      "typ": "JWT",
      "alg": "HS256"
    }

where payload is the load data:

    {
      "exp": 7200,                         // expiration interval (seconds)
      "iat": 1585215104,                   // token generation time, Unix timestamp
      "uid": "5c20a5cc33b3f03cd03ac072",   // user's globally unique identifier
      "name": "test01",                    // user nickname
      "tenant_id": 101,                    // tenant number of the user
      "dept_id": 100102                    // department number of the user
    }

where signature is the signature value (using the HMACSHA256 signature algorithm):

    Signing input string: base64(header) + "." + base64(payload)
    Secret key: VjRTiUotoojEXIKMuwkBcsNmgVs 94Bmz   // stored only on the server
    Signature value: HMACSHA256(signing input string, Secret)

The identity token generated finally is as follows:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjcyMDAsImlhdCI6MTU4NTIxNTEwNCwidWlkIjoiNWMyMGE1Y2MzM2IzZjAzY2QwM2FjMDcyIiwibmFtZSI6InRlc3QwMSIsInRlbmFudF9pZCI6MTAxLCJkZXB0X2lkIjoxMDAxMDJ9.WZeOvOoA6ll9yxAwwh7Hip9LP29qc9wNEcMzzx9Tksg

2. The client sends a request carrying the identity token returned by the login server to a gateway server at the front end, and the gateway server intercepts the request and forwards it to an authentication server at the back end. The authentication server verifies the validity of the signature value using the Secret key (specifically, it recalculates the signature over the header and payload parts of the identity token with the HMACSHA256 signature algorithm and compares the result with the signature part of the original identity token); it then verifies whether the identity token has expired (it base64-decodes the payload data, obtains the iat token generation time and exp expiration interval attribute values, and judges whether the current time is less than iat + exp);

3. In the authentication server, if the signature value of the identity token is invalid or the token has expired, a 403 unauthorized error code is returned to the client;

4. If the signature value of the identity token is valid and the token has not expired, the authentication server judges whether the signature value of a logout identity token exists in the in-process logout cache dictionary; the logout cache dictionary takes the signature value of the logout identity token as the key and the expiration time as the value;

5. If the logout signature value exists in the in-process logout cache dictionary, a 403 unauthorized error code is returned to the client;

6. If the logout signature value does not exist in the in-process logout cache dictionary, authentication succeeds, the gateway server releases the interception and forwards the request to the service servers at the back end, and the service servers base64-decode the identity token to obtain the basic information of the user (attributes such as uid, name, tenant_id and dept_id);

7. Any client can apply to the login server to log off its identity token at any time; the login server obtains attribute values of the identity token such as the signature value, expiration time and uid, and submits them to a message queue (MQ) server at the back end. An example message:

    {
      "exposed": 1585222304,   // expiration time, 2020/3/26 19:31:44
      "sign": "WZeOvOoA6ll9yxAwwh7Hip9LP29qc9wNEcMzzx9Tksg",
      "uid": "5c20a5cc33b3f03cd03ac072"
    }

8. When an authentication server at the back end is started, it registers with the message queue (MQ) server at the back end and subscribes to the logout identity token messages;

9. When the authentication server at the back end receives a logout identity token message (such as the example message above) from the MQ server, it reads the signature value and the expiration time, stores the expiration time as the value under the signature value as the key in the in-process logout cache dictionary, and at the same time registers the signature value in the timing check table.

The structure of the logout cache dictionary is as follows:

    {
      "WZeOvOoA6ll9yxAwwh7Hip9LP29qc9wNEcMzzx9Tksg": 1585222304
    }

The structure of the timing check table (the expiration time truncated to year, month, day and hour) is as follows:

    {
      "202032619": [
        "WZeOvOoA6ll9yxAwwh7Hip9LP29qc9wNEcMzzx9Tksg"
      ]
    }

Note: if the key (202032619) already exists in the timing check table, the signature value is appended to the existing list.

10. The authentication server at the back end starts a timer, retrieves the timing check table every 1 minute, acquires the list of expired signature values according to the current time (truncated to the hour), and deletes the keys corresponding to those signature values from the in-process logout cache dictionary.
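The verification path of steps S4-S6 (Example one), the in-process logout dictionary keyed by signature value with the expiration time as value (Examples two and three), and the hour-bucketed timing check table swept by a timer (step 10 above), as an added worked example that is not part of the patent or of any product of its applicants. It assumes a constructed secret key, an assumed logout message field name exp_time for the expiration timestamp (the patent's key for that field is unclear), UTC for the hour buckets (the patent's sample key 202032619 is in local time), and JWT base64url encoding for the "base64" step:

```python
import base64
import hashlib
import hmac
import json
import time
from collections import defaultdict

# Constructed secret for this example only (not the key printed in the patent); kept on the server.
SECRET = b"example-secret-constructed-for-illustration"


def b64url(data: bytes) -> str:
    """JWT base64url without padding (the patent calls this step 'base64 encryption')."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(payload: dict, secret: bytes = SECRET) -> str:
    """Login server side: {base64(header)}.{base64(payload)}.{HMACSHA256 signature}."""
    header = {"typ": "JWT", "alg": "HS256"}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


class AuthServer:
    """One authentication server with its in-process logout dictionary and timing check table."""

    def __init__(self, secret: bytes = SECRET):
        self.secret = secret
        self.logout_dict = {}                  # signature value -> expiration time (iat + exp)
        self.timing_table = defaultdict(list)  # expiration hour bucket -> [signature value, ...]

    @staticmethod
    def hour_key(ts: int) -> str:
        """Bucket label in the patent's year-month-day-hour form, e.g. 202032619 (here in UTC)."""
        t = time.gmtime(ts)
        return f"{t.tm_year}{t.tm_mon}{t.tm_mday}{t.tm_hour}"

    def on_logout_message(self, msg: dict) -> None:
        """MQ subscriber (step 9): remember the revoked signature until the token would expire anyway.

        Keys 'sign' and 'uid' follow the patent; 'exp_time' is an assumed name for the
        expiration timestamp field of the logout message.
        """
        sig, exp_time = msg["sign"], int(msg["exp_time"])
        self.logout_dict[sig] = exp_time
        self.timing_table[exp_time // 3600].append(sig)   # bucket = expiration hour

    def verify(self, token: str, now: int) -> tuple:
        """Steps S4-S6 (steps 2-6 of Example four): signature, expiry (now < iat + exp), logout cache."""
        parts = token.split(".")
        if len(parts) != 3 or not token.isascii():
            return False, "malformed"
        h64, p64, s64 = parts
        # Recompute HMAC-SHA256 over header.payload and compare in constant time.
        expected = hmac.new(self.secret, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(b64url(expected), s64):
            return False, "bad signature"
        # Added guard beyond the patent text: accept only the algorithm this server actually uses.
        if json.loads(b64url_decode(h64)).get("alg") != "HS256":
            return False, "bad signature"
        payload = json.loads(b64url_decode(p64))
        if now >= int(payload["iat"]) + int(payload["exp"]):
            return False, "expired"
        if s64 in self.logout_dict:        # signature value is the key of the logout dictionary
            return False, "revoked"
        return True, "ok"

    def sweep(self, now: int) -> int:
        """Step 10: timer task (about once a minute) dropping buckets whose hour has fully passed.

        A signature that expired earlier in the current hour stays until the next sweep; that is
        harmless because verify() already rejects the token as expired.
        """
        removed = 0
        for bucket in [b for b in self.timing_table if b < now // 3600]:
            for sig in self.timing_table.pop(bucket):
                if self.logout_dict.pop(sig, None) is not None:
                    removed += 1
        return removed


if __name__ == "__main__":
    # Constructed walk-through using the patent's sample payload values.
    iat = 1585215104
    token = issue_token({"exp": 7200, "iat": iat, "uid": "5c20a5cc33b3f03cd03ac072",
                         "name": "test01", "tenant_id": 101, "dept_id": 100102})
    server = AuthServer()
    print(server.verify(token, iat + 60))                       # (True, 'ok')
    server.on_logout_message({"sign": token.split(".")[2], "exp_time": iat + 7200,
                              "uid": "5c20a5cc33b3f03cd03ac072"})
    print(server.verify(token, iat + 60))                       # (False, 'revoked')
    print(server.sweep(iat + 7200 + 3600))                      # 1
```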

Example five

This embodiment corresponds to the first to the fourth embodiments, and provides a computer-readable storage medium, on which a computer program is stored, where the computer program is capable of implementing the steps included in the distributed token authentication method according to any one of the first to the fourth embodiments when the computer program is executed by a processor. The detailed steps are not repeated here, and refer to the descriptions of the first to fourth embodiments for details.

In summary, the distributed token authentication method and the storage medium provided by the invention can reduce the storage and access pressure of the back-end database server; the validity of the identity token can be comprehensively checked, so that the security of the token is enhanced; furthermore, the client is supported to autonomously log off the identity token, so that illegal utilization is avoided; furthermore, the memory occupation of the authentication server can be optimized at regular time, and the authentication server is ensured to maintain good performance; in addition, the method has the characteristics of easiness in implementation, strong usability and the like.

The above description is only an embodiment of the present invention, and not intended to limit the scope of the present invention, and all equivalent changes made by using the contents of the present specification and the drawings, or applied directly or indirectly to the related technical fields, are included in the scope of the present invention.
