1. Overview

Identity authentication is central to any information system that has user accounts. With the mobile Internet, the variety of client types keeps growing, and the pattern of one server serving N kinds of client has become the norm.

Different clients place the user in different usage scenarios, for example:
- different environmental security threats
- different session life cycles
- different user rights control systems
- different interface invocation methods
In short, their authentication methods differ to some extent. This article analyses and organises these scenarios.

2. Application scenarios

Common usage scenarios in IT services:
- A user logs in from a web browser and uses system services.
- A user logs in from a mobile phone (Android/iOS) and uses system services.
- A user logs in through an open interface (API) and invokes system services.
- A user who is already logged in on a PC authorises a mobile phone by having it scan a QR code shown on the PC (rarely used).
- A user who is already logged in on a mobile phone authorises a PC by scanning the QR code it shows (common).
Subdividing these scenarios gives different types of authentication token:
1. Original account/password category: user name and password; API application ID/KEY
2. Session ID category: browser-end token; mobile-end token; API application token
3.

3. Categories of tokens

Tokens in the different scenarios are compared along the following dimensions.
Natural (inherent) attributes:
1. Cost: the inconvenience of using this authentication method. For example: the account password requires the user to open a page and type it in; the QR code requires the user to take out a phone and scan it; changing the user name or password requires the user to memorise and retype the new password; changing an API application ID/KEY requires the third-party application to modify its code and redeploy; changing the authorisation QR code requires the user to open the mobile application and scan again.
2. Environment risk: the risk of being intercepted, the risk of being observed (shoulder-surfed), and the risk of forgery.
Adjustable attributes:

1. Frequency of use

How often the token is transmitted over the network.

2. Valid time

The lifetime of the token from creation to termination.
Ultimate goal: security and controllable impact. Security and privacy are reflected in two points:
- The token is hard to steal and misuse (controlled through the transmission frequency).
- Even if the token is stolen, the impact is controllable (controlled through the valid time).
Regarding privacy and the consequences of its compromise, the basic conclusion is: a token with a high exposure frequency is easy to intercept, and a token with a long life cycle does more serious and far-reaching damage once intercepted. Hence the following principles:
- Reduce the exposure frequency (the number of network transmissions).
- Tokens with a high exposure frequency should have a life cycle that is as short as possible.
After weighing the inherent characteristics and adjustable attributes of each kind of token and giving each indicator a quantitative score (1 to 5 points), we obtain the following comparison table:

Note: user_name/passwd and app_id/app_key are equivalent in effect.

4. Hierarchy of tokens

Referring to the comparison table in the previous section, the tokens can easily be layered by purpose into four layers:
- Password layer: the most traditional digital identity credential agreed between the user and the system.
- Session layer: the credential that authenticates the user for the life cycle of a session after login.
- Call layer: the credential that authenticates the user's interface calls during the session.
- Application layer: application tokens for particular scenarios or identity authentication, used after the user has obtained interface access and invocation permission.
The layered diagram is as follows:

In a multi-client information system, the relationship between generating and using these tokens is as follows:
- The user enters the user name and password once for authentication.
- Sessions with different life cycles are generated on the different terminals (client session tokens).
- The server exchanges a client session token for an interface access_token, which has a short life cycle but is exposed frequently.
- The session token can generate and refresh access_tokens, which extends the access period without lengthening the lifetime of any single access_token.
- The access_token can generate the token with the shortest lifetime of all, the one used for QR-code authorisation.
This architecture has the following benefits:
- Good uniformity: it normalises the lifetime of authentication tokens across platforms.
- Good decoupling: the core interfaces validate only the server-side access_token, so they can be implemented independently and deployed in layers.
- Different platforms can have completely different user rights control systems, which are resolved in each platform's session layer.

4.1. Account password

Generalised accounts/passwords take the following forms:
- the traditional registered user name and password
- an application's app_id/app_key

Their characteristics are as follows:

1. They have special meaning

For example, to make them easy to remember, users set accounts and passwords that carry some meaning to them.

2. They are not often modified

The account password has special meaning for the user, who is unwilling to change it except in special circumstances. The app_id/app_key is written into the application, and changing it means the cost of re-publishing.

3. Once leaked, the impact is far-reaching

Because it is rarely modified, a leak is essentially equivalent to the leak of the user's network identity, and as long as it goes undetected the identity theft persists. The authentication system should therefore transmit the password as rarely as possible, to minimise the chance of leakage.

4.2. Client session token

Function:

Acts as the session; different clients have different life cycles.

Use steps:

Users exchange their account and password for a session token. Tokens on different platforms have different characteristics.
The web platform has a short lifetime, mainly because of environment security: the web login environment is often a public one (shared or untrusted machines), so the risk of theft is high.
The mobile platform has a long lifetime, mainly for two reasons:
- Environment security: a mobile device is an extremely private platform for its individual user, and other people rarely get hold of it.
- Input convenience: typing on a small touch screen is a poor experience with a high input cost, so users should not be asked to re-enter credentials often.
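As an added example written for this edit (not code from the original article), the following Python models the exchange chain of section 4: the password is presented once, is swapped for a session token whose lifetime depends on the platform, and every API call carries only a short-lived access_token derived from that session. The lifetimes, the PBKDF2 password storage, the injectable clock and the in-memory dictionaries are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple

# Assumed lifetimes in seconds; the article only says web < mobile and that the
# access_token is the shortest-lived of the three.
SESSION_TTL = {"web": 2 * 60 * 60, "mobile": 30 * 24 * 60 * 60}
ACCESS_TTL = 10 * 60
PBKDF2_ROUNDS = 100_000


class AuthError(Exception):
    pass


@dataclass
class TokenStore:
    """In-memory model of the password, session and call layers.

    `clock` is an injectable time source so expiry can be exercised offline;
    a real service would use time.time() and a shared store such as Redis."""
    clock: float = 0.0
    users: Dict[str, Tuple[bytes, bytes]] = field(default_factory=dict)       # name -> (salt, hash)
    sessions: Dict[str, Tuple[str, str, float]] = field(default_factory=dict)  # token -> (user, platform, expiry)
    access: Dict[str, Tuple[str, str, float]] = field(default_factory=dict)    # token -> (user, session token, expiry)

    # ---- password layer: transmitted once, at login ----
    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self.users[username] = (salt, digest)

    def login(self, username: str, password: str, platform: str) -> str:
        """Exchange the account password for a session token whose TTL depends on the platform."""
        if platform not in SESSION_TTL:
            raise AuthError("unknown platform")
        salt, digest = self.users.get(username, (b"", b""))
        # The hash is computed even for unknown users so response time does not
        # reveal whether the account exists; compare_digest is constant-time.
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        if username not in self.users or not hmac.compare_digest(candidate, digest):
            raise AuthError("bad credentials")
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (username, platform, self.clock + SESSION_TTL[platform])
        return token

    # ---- session layer -> call layer ----
    def issue_access_token(self, session_token: str) -> str:
        """Exchange a long-lived, rarely transmitted session token for a short-lived access_token."""
        entry = self.sessions.get(session_token)
        if entry is None or entry[2] <= self.clock:
            self.sessions.pop(session_token, None)
            raise AuthError("session expired or unknown")
        token = secrets.token_urlsafe(32)
        self.access[token] = (entry[0], session_token, self.clock + ACCESS_TTL)
        return token

    # ---- call layer: every API request carries only the access_token ----
    def call_api(self, access_token: str) -> str:
        """Validate the access_token and return the calling user; passwords and sessions are never seen here."""
        entry = self.access.get(access_token)
        if entry is None or entry[2] <= self.clock:
            self.access.pop(access_token, None)
            raise AuthError("access_token expired or unknown")
        return entry[0]

    def logout(self, session_token: str) -> None:
        """Ending the session also revokes every access_token derived from it."""
        self.sessions.pop(session_token, None)
        self.access = {t: e for t, e in self.access.items() if e[1] != session_token}


def rejected(action: Callable[[], object]) -> bool:
    """True if the action raises AuthError; used to check the negative cases."""
    try:
        action()
    except AuthError:
        return True
    return False
```

The point to notice is what each layer never sees: the API handler validates only access_token entries and never touches the password or the session token, an expired access_token is simply re-issued from the still-valid session, and ending a session revokes the access_tokens derived from it, which is the "impact is controllable" property argued for in section 3.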

4.3. access_token

Function:

Credentials for server application API interface access and invocation.

Use steps:

A session token with a long lifetime is exchanged for this interface access token. Its exposure frequency is directly tied to the interface call frequency, so it is a high-frequency credential. To protect it, its life cycle is kept as short as possible, so that even if it is intercepted the consequences are limited.
Note: the access_token sits below the client tokens so that client tokens with different life cycles end up with a single, unified authentication mode when calling the API.

4.4. pam_token

Function:

The original serial number of the QR code generated by a PC that is already logged in and authenticated, used to authorise a mobile device (PC Auth Mobile). The main steps are as follows:

- The user has completed authentication on the PC and is logged in to the system.
- The PC generates a pam_token associated with the user.
- The PC renders a QR code containing the link that uses the pam_token; the mobile terminal scans it and requests the server.
- The server associates the pam_token with the user information.
- The mobile end obtains a refresh_token (a long-lived session).
- The mobile end obtains an access_token based on the refresh_token and then performs normal interface calls.
Validity: the pam_token is valid for 2 minutes and expires after that; if it has not been used, the PC replaces it every minute; it is deleted immediately once it has been used.

4.5. map_token

A mobile APP that is already logged in scans a code to authenticate the PC system and complete the login on the PC (Mobile Auth PC). Main steps:

- A PC that is not logged in generates an anonymous map_token and displays it as a QR code.
- After scanning the code, the mobile terminal sends the map_token to the server, which records it in the DB and associates it with the user (completing the signature).
- The server also generates a web_token for that user.
- The PC polls, using the map_token as the parameter, for the web_token of the now-identified user.
- The PC obtains an access_token based on the web_token.
Validity: the map_token is valid for 2 minutes and is deleted if it is unused after that; an unused code is replaced every minute; it is deleted immediately once it has been used.
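The two QR-code flows of sections 4.4 and 4.5, as an added Python example written for this edit and not code from the original article. It reads the article's "2 minutes valid, rotated every minute if unused, deleted once used" as: a code is accepted for at most 120 seconds after creation, the PC's display loop replaces (and invalidates) a code that is a minute old, and any scan consumes the code. The token store, the injectable clock and the issue_session stand-in for password login are assumptions.

```python
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

QR_TTL = 120           # a QR-code token is valid for 2 minutes (from the article)
QR_ROTATE_AFTER = 60   # an unused code is replaced every minute (from the article)


class QrAuthError(Exception):
    pass


@dataclass
class QrAuth:
    """In-memory model of PC Auth Mobile (pam_token) and Mobile Auth PC (map_token).

    `clock` is injectable so expiry can be exercised offline. Sessions minted by
    issue_session stand in for the refresh_token (mobile) and web_token (PC)."""
    clock: float = 0.0
    sessions: Dict[str, Tuple[str, str]] = field(default_factory=dict)   # token -> (user, platform)
    pam: Dict[str, Tuple[str, float]] = field(default_factory=dict)      # pam_token -> (user, created)
    map_: Dict[str, List] = field(default_factory=dict)                  # map_token -> [user|None, created, web_token|None]

    def issue_session(self, user: str, platform: str) -> str:
        """Stand-in for password login: mint a session token for a platform."""
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (user, platform)
        return token

    def _expired(self, created: float) -> bool:
        return self.clock - created >= QR_TTL

    # ---- PAM: a logged-in PC authorises a phone ----
    def pc_create_pam(self, user: str) -> str:
        token = secrets.token_urlsafe(16)
        self.pam[token] = (user, self.clock)
        return token

    def pc_refresh_pam(self, token: str) -> str:
        """Called by the PC display loop: keep a fresh code, replace one that is a minute old."""
        entry = self.pam.get(token)
        if entry is None:
            raise QrAuthError("pam_token already used or expired")
        user, created = entry
        if self.clock - created < QR_ROTATE_AFTER:
            return token
        del self.pam[token]                      # the old code stops working immediately
        return self.pc_create_pam(user)

    def mobile_scan_pam(self, token: str) -> str:
        """Phone scans the code: single use, so the entry is removed on any attempt."""
        entry = self.pam.pop(token, None)
        if entry is None or self._expired(entry[1]):
            raise QrAuthError("invalid pam_token")
        return self.issue_session(entry[0], "mobile")    # the phone's long-lived refresh_token

    # ---- MAP: a logged-in phone authorises an anonymous PC ----
    def pc_create_map(self) -> str:
        token = secrets.token_urlsafe(16)
        self.map_[token] = [None, self.clock, None]
        return token

    def mobile_scan_map(self, token: str, mobile_session: str) -> None:
        """Phone binds its own identity to the anonymous map_token."""
        who = self.sessions.get(mobile_session)
        if who is None or who[1] != "mobile":
            raise QrAuthError("phone is not logged in")
        entry = self.map_.get(token)
        if entry is None:
            raise QrAuthError("unknown map_token")
        if self._expired(entry[1]):
            del self.map_[token]
            raise QrAuthError("map_token expired")
        if entry[0] is not None:
            raise QrAuthError("map_token already bound")   # a second phone cannot take it over
        entry[0] = who[0]
        entry[2] = self.issue_session(who[0], "web")       # the PC's web_token, released on poll

    def pc_poll_map(self, token: str) -> Optional[str]:
        """PC polls with its map_token; the web_token is handed out once, then the entry is gone."""
        entry = self.map_.get(token)
        if entry is None or self._expired(entry[1]):
            self.map_.pop(token, None)
            raise QrAuthError("map_token expired or unknown")
        if entry[2] is None:
            return None                           # not scanned yet, keep polling
        del self.map_[token]
        return entry[2]


def rejected(action: Callable[[], object]) -> bool:
    """True if the action raises QrAuthError; used to check the negative cases."""
    try:
        action()
    except QrAuthError:
        return True
    return False
```

In the MAP flow the PC never learns who scanned until the server releases the web_token, and the web_token itself is only ever sent to the PC that created the map_token; the phone authorises by presenting its own mobile session, so a stolen or re-displayed QR code cannot be used to log the attacker's PC in as the victim once the code has been consumed or has aged out.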

The token-based identity authentication system designed in this article mainly addresses the following problems:
- token classification
- token privacy
- parameter settings (exposure frequency and valid time)
- token usage scenarios
- the layer-to-layer conversion relationship between tokens with different life cycles
The design method described here applies to, but is not limited to, the following scenarios:
- user login
- issuing coupons with a validity period
- issuing invitation codes with a validity period
- QR-code authorisation with a validity period
- mobile phone / email verification codes with a validity period
- multiple platforms invoking the same API
- multiple platforms sharing the same identity authentication centre