CN-122003836-A - Authority management method, device, equipment and storage medium

Abstract

Embodiments of the present disclosure relate to a method, apparatus, device, and storage medium for rights management. The method presented herein includes receiving an application request from a proxy service, the application request indicating rights information for a target application with respect to a set of resources, sending an access token corresponding to the rights information to the proxy service, receiving an access request for the target resource from the target application, the access request including the access token, determining whether the access request matches the rights information corresponding to the access token, and authorizing the target application to access the target resource in response to the access request matching the rights information. In this way, embodiments of the present disclosure can improve security and flexibility of resource access.

Inventors

  • CHEN XI
  • CHEN CHANG
  • LIU BOYANG

Assignees

  • 抖音视界有限公司

Dates

Publication Date
20260508
Application Date
20240520

Claims (14)

  1. A method of rights management, comprising: receiving an application request from a proxy service, the application request indicating rights information for a target application with respect to a set of resources; sending an access token corresponding to the rights information to the proxy service; receiving an access request for a target resource from the target application, the access request including the access token; determining whether the access request matches the rights information corresponding to the access token; and in response to the access request matching the rights information, authorizing the target application to access the target resource.
  2. The method of claim 1, wherein the rights information comprises policy information indicating an access control policy for a first resource in the set of resources.
  3. The method of claim 1, wherein the rights information comprises condition information indicating access control conditions associated with a second resource in the set of resources.
  4. A method according to claim 3, wherein the access control condition indicates at least one of: a data transmission channel allowing access to the second resource; a network address range allowing access to the second resource; a client version allowing access to the second resource.
  5. The method of claim 1, wherein the application request includes structured data indicating the rights information.
  6. The method of claim 5, wherein the application request is generated based on an OAuth protocol and the structured data is included in a destination field in the OAuth protocol.
  7. The method of claim 1, wherein the access token is sent from the proxy service to the target application via a secure communication channel.
  8. The method of claim 1, wherein determining whether the access request matches the rights information corresponding to the access token comprises: determining attribute information of the access request, the attribute information including at least one of the target resource, an access type for the target resource, application description information associated with the target application; and determining whether the attribute information matches the rights information.
  9. The method of claim 1, further comprising: rejecting the access request in response to the access request not matching the rights information.
  10. The method of claim 1, wherein the access token is generated by an authorization service in a first trust domain with the target resource, the proxy service and the target application in a second trust domain.
  11. An apparatus for rights management, comprising: a first receiving module configured to receive an application request from a proxy service, the application request indicating rights information for a target application with respect to a set of resources; a token transmitting module configured to transmit an access token corresponding to the rights information to the proxy service; a second receiving module configured to receive an access request for a target resource from the target application, the access request including the access token; a rights verification module configured to determine whether the access request matches the rights information corresponding to the access token; and an access control module configured to grant the target application access to the target resource in response to the access request matching the rights information.
  12. An electronic device, comprising: at least one processing unit; and at least one memory coupled to the at least one processing unit and storing instructions for execution by the at least one processing unit, which when executed by the at least one processing unit, cause the electronic device to perform the method of any one of claims 1 to 10.
  13. A computer readable storage medium having stored thereon a computer program executable by a processor to implement the method of any of claims 1 to 10.
  14. A computer program product comprising computer executable instructions which when executed by a processor implement the method of any one of claims 1 to 10.
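
The flow of claims 1 to 4, 8 and 9, sketched as an added example that is not part of the patent text: an authorization service binds an opaque token to rights information, and the resource side authorizes a request only if its attributes match that grant. All names, field layouts and sample values are assumptions made for illustration, including reading the client-version condition as a minimum version; the OAuth carriage of claim 6 is not modelled.

```python
import hashlib
import ipaddress
import secrets

_GRANTS = {}  # sha256(token) -> rights information (hypothetical in-memory store)

def _key(token):
    return hashlib.sha256(token.encode()).hexdigest()

def _ver(text):
    return tuple(int(part) for part in text.split("."))  # numeric, so 2.10 > 2.4

def issue_token(rights):
    """Authorization service: bind an opaque token to the requested rights."""
    token = secrets.token_urlsafe(32)
    _GRANTS[_key(token)] = rights
    return token

def authorize(token, req):
    """Resource side: allow only if every request attribute matches the grant."""
    rights = _GRANTS.get(_key(token))
    if rights is None or req.get("app") != rights["app"]:
        return False
    # Policy information: which access types are allowed on which resource.
    if req.get("access_type") not in rights["policy"].get(req.get("resource"), ()):
        return False
    # Condition information: channel, network address range, client version.
    cond = rights["conditions"].get(req["resource"])
    if cond is None:
        return True
    try:
        addr = ipaddress.ip_address(req["source_ip"])
        version_ok = _ver(req["client_version"]) >= _ver(cond["min_client_version"])
    except (KeyError, ValueError):
        return False  # missing or malformed attribute: reject the request
    in_range = any(addr in ipaddress.ip_network(n) for n in cond["networks"])
    return req.get("channel") in cond["channels"] and in_range and version_ok

# Constructed sample grant and request (all names and values are made up).
RIGHTS = {
    "app": "report-exporter",
    "policy": {"db/orders": ("read",), "bucket/exports": ("read", "write")},
    "conditions": {"db/orders": {"channels": ("mtls",), "networks": ("10.20.0.0/16",),
                                 "min_client_version": "2.4.0"}},
}
GOOD = {"app": "report-exporter", "resource": "db/orders", "access_type": "read",
        "channel": "mtls", "source_ip": "10.20.3.9", "client_version": "2.4.1"}

print(authorize(issue_token(RIGHTS), GOOD))
```
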

Description

Authority management method, device, equipment and storage medium

Technical Field

Example embodiments of the present disclosure relate generally to the field of computers and, more particularly, relate to a method, apparatus, device, and computer-readable storage medium for rights management.

Background

In the field of modern information technology, with diversification and complexity of network services, demands for secure and efficient user identity authentication and resource access authorization are increasing. Although the conventional authentication and authorization technology meets the requirements to a certain extent, many challenges still exist in cross-platform and cross-system resource sharing and management, and especially when the identification and resource sharing of user identities among different organizations or services are processed, the universality and the security of the conventional scheme are still to be improved.

Disclosure of Invention

In a first aspect of the present disclosure, a method of rights management is provided. The method includes receiving an application request from a proxy service, the application request indicating rights information for a set of resources for a target application, sending an access token corresponding to the rights information to the proxy service, receiving an access request for the target resource from the target application, the access request including the access token, determining whether the access request matches the rights information corresponding to the access token, and authorizing the target application to access the target resource in response to the access request matching the rights information.

In a second aspect of the present disclosure, an apparatus for rights management is provided. The apparatus includes a first receiving module configured to receive an application request from a proxy service, the application request indicating rights information of a target application with respect to a set of resources, a token transmitting module configured to transmit an access token corresponding to the rights information to the proxy service, a second receiving module configured to receive an access request for the target resource from the target application, the access request including the access token, a rights checking module configured to determine whether the access request matches the rights information corresponding to the access token, and an access control module configured to grant the target application access to the target resource in response to the access request matching the rights information.

In a third aspect of the present disclosure, an electronic device is provided. The apparatus includes at least one processing unit, and at least one memory coupled to the at least one processing unit and storing instructions for execution by the at least one processing unit. The instructions, when executed by at least one processing unit, cause the apparatus to perform the method of the first aspect.

In a fourth aspect of the present disclosure, a computer-readable storage medium is provided. The computer readable storage medium has stored thereon a computer program executable by a processor to implement the method of the first aspect.

In a fifth aspect of the present disclosure, a computer program product is provided. The computer program product comprises computer executable instructions which, when executed by a processor, implement a method according to the first aspect of the present disclosure.

It should be understood that what is described in this section of the disclosure is not intended to limit key features or essential features of the embodiments of the disclosure, nor is it intended to limit the scope of the disclosure. Other features of the present disclosure will become apparent from the following description.

Drawings

The above and other features, advantages and aspects of embodiments of the present disclosure will become more apparent by reference to the following detailed description when taken in conjunction with the accompanying drawings. In the drawings, wherein like or similar reference numerals designate like or similar elements, and wherein:

  • FIG. 1 illustrates an architecture of an example system capable of implementing some embodiments of the present disclosure;
  • FIG. 2 illustrates a flow chart of a process of rights management in accordance with some embodiments of the present disclosure;
  • FIG. 3 shows a schematic block diagram of an example apparatus for rights management in accordance with some embodiments of the present disclosure; and
  • FIG. 4 illustrates a block diagram of an electronic device capable of implementing various embodiments of the present disclosure.

Detailed Description

Embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While certain embodiments of the present disclosure have been illustrated in the accompanying drawings,