WO2021047403A1 - Authorization method and device in a plurality of nrf scenarios - Google Patents

Info

Publication number: WO2021047403A1
Authority: WO, WIPO (PCT)
Prior art keywords: nrf, token, network, service, token request
Legal status: Ceased
Application number: PCT/CN2020/112317
Other languages: French (fr), Chinese (zh)
Inventor: 赵绪文
Current Assignee: Huawei Technologies Co Ltd
Original Assignee: Huawei Technologies Co Ltd
Application filed by: Huawei Technologies Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/321 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
    • H04L9/3213 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority using tickets or tokens, e.g. Kerberos
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W60/00 Affiliation to network, e.g. registration; Terminating affiliation with the network, e.g. de-registration

Definitions

  • the embodiment of the present invention relates to the field of communication technology, and in particular to an authorization method in multiple NRF scenarios.
  • the fifth generation mobile communication system adopts a service-based architecture (Service Based Architecture, SBA).
  • SBA Service Based Architecture
  • 3GPP 3rd Generation Partnership Project
  • eSBA Service Based Architecture
  • the network function Network Function, NF
  • NRF Network storage function
  • the NF obtains a token corresponding to the service by requesting authorization from the NRF, and requests the service from another NF that owns the service based on this token, and after the other NF verifies the token, it returns a service response.
  • SA2 3GPP Service and System Aspects Working Group 2
  • PLMN Public Land Mobile Network
  • slice level the slice level
  • Two or more NRFs can be deployed inside.
  • Each NRF provides services such as registration, service discovery, and authorization for the NFs it manages.
  • NFs managed by different NRFs cannot be directly accessed. These NFs can only complete the discovery and authorization processes through their respective registered NRFs.
  • SA3 3GPP Service and System Aspects Working Group 3
  • the authorization method proposed in this application involves the first network storage function NRF, the second network storage function NRF, the service requester network function (Service Consumer), and the service provider network function (Service Producer).
  • the first NRF may be NRF_C or NRF_P0
  • the second NRF may be NRF_P
  • the service requester network function may be NF_C
  • the service provider network function may be NF_P.
  • the above-mentioned words such as "first” and “second” are only used for the purpose of distinguishing description, and cannot be understood as indicating or implying relative importance, nor as indicating or implying order.
  • a and/or B involved in this application include three situations, for example, it can be A, it can be B, or it can be A and B.
  • an authorization method is provided.
  • the method is suitable for a scenario where a network function NF_C requests a token from one or more network functions NF_P registered under different network storage functions NRF.
  • the method includes: the service requester network function network element NF_C sends a first token request containing the identifier of the service provider network function network element NF_P to the network storage function network element NRF_C with which it is registered; the NRF_C uses the identifiers of the one or more NF_Ps in the received first token request to query the registration information and determine the target NRF registered by each NF_P; when the target NRF is the NRF_C registered by the NF_C, the NRF_C performs authorization according to the information in the first token request and generates a token after the authorization is successful, where the token includes information such as the instance ID of the token issuer NRF_C and the instance ID of the service provider NF_P.
  • the registration information is the network function registration information saved by NRF_C before NRF_C receives the first token request, and/or the network function registration information saved on other NRFs in the PLMN to which NRF_C belongs.
  • the registration information includes network function profiles (NFProfiles), and/or the correspondence between the NF_P identifier and the NRF_P identifier registered by the NF_P.
  • NFProfiles network function profiles
  • the target NRF may be the NRF_C registered by the NF_C, or may be one or more other network storage functions NRF_P.
  • the NRF_C sends a second token request to the one or more NRF_Ps, and the second token request includes the instance IDs of the one or more NF_Ps corresponding to each NRF_P.
  • the one or more NRF_Ps may be in the same PLMN as the NRF_C.
  • the NRF_C and the NRF_P are in different PLMNs, that is, the NRF_C is in the serving network, and the one or more NRF_Ps are in the home network.
  • the NRF_C forwards the first token request from the NF_C to the network storage function NRF_P0 in the home network, where the NRF_P0 can be an NRF deployed in the home network dedicated to receiving roaming information, or it can be any NRF in the home network, which is not limited here.
  • the NRF_P0 uses the NF_P identifier in the first token request to query the registration information to determine the target NRF registered by each NF_P;
  • the NRF_P0 sends a second token request to each NRF_P respectively, and the second token request includes the instance IDs of the one or more NF_Ps corresponding to each NRF_P.
  • after receiving the second token request, each NRF_P performs authorization according to the information in the second token request and generates a token, and returns the token to the sender of the token request, namely NRF_C or NRF_P0, wherein the token contains information such as the instance identifier of the token issuer NRF_P and the instance identifier of the service provider NF_P.
  • the registration information is the registration information of the network functions stored on other NRFs in the home network that is saved and/or acquired by the NRF_P0 before the NRF_P0 receives the first token request.
  • the registration information includes a network function profile, and/or the corresponding relationship between the NF_P identifier and the NRF_P identifier registered by the NF_P.
  • the target NRF may be NRF_P0, and in this case, the NRF_P0 performs authorization and generates a token according to the information in the first token request.
  • after receiving the tokens sent by each NRF_P, the NRF_P0 sends the generated token and/or the received token to the NRF_C.
  • the generated and/or received token is sent to the service requester network function network element NF_C.
  • after receiving the token, the NF_C selects a token corresponding to the service provider network function network element NF_P, and sends a service request carrying the token to the NF_P. Specifically, before the service request the NF_C queries the claims of each token according to the instance identifier of the NF_P, wherein the token claims include the identifier of the service provider network function network element, and the NF_C uses the token in whose claims the identifier of the service provider network function network element is consistent with the NF_P identifier.
  • an authorization method is provided, which is suitable for a scenario where a network function NF_C requests a token from one or more network functions NF_P of the same type registered under different network storage functions NRF.
  • the method includes: the service requester NF_C network function network element sends a first token request to the registered network storage function network element NRF_C, where the first token request includes the type of the service provider network function network element NF_P;
  • the NRF_C uses the type of the NF_P to query the registration information to determine the target NRF registered by each NF_P in one or more NF_Ps belonging to the type;
  • when the target NRF is the NRF_C registered by the NF_C, the NRF_C performs authorization according to the information in the first token request, and generates a token after the authorization is successful, wherein the token contains information such as the instance identifier of the token issuer NRF_C and the type of the service provider NF_P.
  • the registration information is the network function registration information saved by the NRF_C before the NRF_C receives the first token request, and/or the acquired network function registration information saved on other NRFs in the PLMN to which the NRF_C belongs.
  • the registration information includes network function profiles (NFProfiles), and/or the correspondence between the NF_P identifier and the NRF_P identifier registered by the NF_P.
  • NFProfiles network function profiles
  • the target NRF may be the NRF_C registered by the NF_C, or may be one or more other network storage functions NRF_P.
  • the NRF_C sends a second token request to the one or more NRF_Ps, and the second token request carries the type of the NF_P and/or the instance identifier of the NF_P registered on the NRF_P.
  • the NRF_P will generate a token and send the token to the NRF_C.
  • the one or more NRF_Ps may be in the same PLMN as the NRF_C.
  • the NRF_C and the NRF_P are in different PLMNs, that is, the NRF_C is in the serving network, and the one or more NRF_Ps are in the home network.
  • the NRF_C forwards the first token request from the NF_C to the network storage function NRF_P0 in the home network, where the NRF_P0 can be an NRF deployed in the home network dedicated to receiving roaming information, or it can be any NRF in the home network, which is not limited here.
  • the NRF_P0 uses the type of the NF_P to determine the target NRF registered by each of the one or more NF_Ps belonging to the type by querying registration information;
  • the registration information is the registration information of the network functions stored on other NRFs in the home network that is saved and/or acquired by the NRF_P0 before the NRF_P0 receives the first token request.
  • the registration information includes network function profiles (NFProfiles), and/or the correspondence between the NF_P identifier and the NRF_P identifier registered by the NF_P.
  • NFProfiles network function profiles
  • the target NRF may be NRF_P0, and in this case, the NRF_P0 performs authorization and generates a token according to the information in the first token request.
  • the target NRF includes one or more other network storage functions NRF_P located in the home network.
  • the NRF_P0 sends a second token request to each NRF_P, and the second token request carries the type of the NF_P and/or the instance identifier of the NF_P registered on the NRF_P.
  • after receiving the second token request, each NRF_P authorizes and generates a token according to the information in the token request, and returns the token to the sender of the token request, that is, NRF_C or NRF_P0, wherein the token includes information such as the instance identifier of the token issuer NRF_C and the type of the service provider NF_P.
  • after receiving the tokens sent by each NRF_P, the NRF_P0 sends the generated token and/or the received token to the NRF_C.
  • the generated and/or received token is sent to the service requester network function network element NF_C.
  • after receiving the token, the NF_C selects a token corresponding to the service provider network function network element NF_P, and sends a service request carrying the token to the NF_P.
  • the NF_C selects the token corresponding to the current NF_P from the tokens returned by the NRF_C according to the instance identifier of the NRF_P registered by the service provider NF_P.
  • the NF_C may obtain, through the service discovery process, the instance ID of the NRF_P registered by the NF_P of the type in this solution from the NRF_C where it is registered, and save the correspondence between the instance ID of the NF_P and the instance ID of the NRF_P; at this time, the NF_C can query the instance ID of the NRF_P according to the instance ID of the NF_P, and then query the claims of each token according to the instance ID of the NRF_P, wherein the token claims include the identifier of the network storage function network element, and the NF_C uses the token in whose claims the identifier of the network storage function network element is consistent with the identifier of the NRF_P registered by the NF_P.
  • the NF_C requests the registered NRF_C to query the instance identifier of the NRF_P, and the NRF_C queries the registration information according to the instance identifier of the NF_P, and returns to the NF_C the instance ID of the NRF_P registered by the NF_P.
  • the NF_C queries the claims of each token according to the received instance identifier of the NRF_P, wherein the token claims include the identifier of the network storage function network element, and the NF_C uses the token in whose claims the identifier of the network storage function network element is consistent with the identifier of the NRF_P registered by the NF_P.
  • in a third aspect, an authorization method includes: the service requester network function network element NF_C sends a token request to the registered network storage function network element NRF_C, and the token request includes the instance identifiers of one or more service provider network functions NF_P or the type of the service provider network function NF_P; the token request also includes information related to other service requests, which is not limited here;
  • NRF_C determines the target NRF registered by each NF_P by querying the registration information according to the above-mentioned one or more instance IDs of NF_P;
  • NRF_C determines the registered target of each NF_P in one or more NF_Ps of the type by querying the registration information according to the type of NF_P mentioned above.
  • the target NRF may be the NRF_C registered by the NF_C.
  • the NRF_C is authorized according to the information in the token request, and after the authorization is successful, a token is generated and returned to the NF_C.
  • the token includes information such as the instance ID of the token issuer NRF_C and the instance ID or type of the service provider NF_P.
  • the target NRF includes one or more other network storage function network elements NRF_P.
  • the NRF_C returns the instance identifier of the NRF_P registered by each NF_P to the NF_C.
  • after the NF_C receives the instance IDs of the one or more NRF_Ps, it sends a token request to each NRF_P according to the instance ID of the NRF_P, and the token request includes the instance ID or type of the NF_P; the token request also includes information related to other service requests, which is not limited here;
  • after receiving the token request, each NRF_P performs authorization according to the information in the token request and generates a token, and returns the token to the sender NF_C of the token request.
  • the token includes information such as the instance ID of the token issuer NRF_P and the instance ID or type of the service provider NF_P.
  • after receiving the token, the NF_C selects a token corresponding to the service provider NF_P, and sends a service request carrying the token to the NF_P.
  • the method of token selection depends on the information of NF_P contained in the token.
  • the token selection method is the same as the token selection step described in the first aspect; when the token contains the type of NF_P, the token selection method is the same as that described in the second aspect. The token selection steps will not be repeated here.
  • an authorization device including a receiving module, configured to receive a first token request, where the first token request includes the identifier or type of the service provider network function network element NF_P; a processing module, configured to determine the target network storage function network element NRF registered by each service provider NF_P, where the processing module uses the instance identifier or type of the NF_P to query the registration information to determine the target NRF; and a sending module, used to send a second token request to the target NRF;
  • the receiving module is also used to receive the token fed back by the target NRF;
  • the processing module may also be used to authorize and generate a token according to the information in the token request; when the device and the NF_P are located in different PLMNs, the processing module is also used to determine the network storage function NRF_P0 of the home network where the NF_P is located;
  • the sending module is also used to return the token generated by the processing module and/or the token received by the receiving module to the sender of the token request; when the device and the NF_P are located in different PLMNs, the sending module is used to forward the first token request to the NRF_P0.
  • the device has the function of realizing the NRF_C behavior of the network storage function network element in any one of the possible designs of the above-mentioned first aspect.
  • another authorization device including a receiving module, configured to receive a first token request, where the first token request includes the type of the service provider network function network element NF_P; a processing module, configured to determine the target network storage function network element NRF registered by each service provider NF_P, where the processing module is used to determine the target NRF by querying the registration information according to the type of the NF_P; and a sending module, used to send a second token request to the target NRF;
  • the receiving module is also used to receive the token fed back by the target NRF;
  • the processing module can also be used to authorize and generate a token according to the information in the first token request; when the device and the NF_P are located in different PLMNs, the processing module is also used to determine the network storage function NRF_P0 of the home network where the NF_P is located;
  • the sending module is further configured to return the token generated by the processing module and/or the token received by the receiving module to the sender of the first token request; when the device and the NF_P are located in different PLMNs, the sending module is configured to forward the first token request to the NRF_P0.
  • the device has the function of realizing the NRF_C behavior of the network storage function network element in any one of the possible designs of the second aspect.
  • another authorization device including a sending module, configured to send a first token request, where the first token request includes the identifier of the service provider network function network element NF_P; a receiving module, configured to receive the token generated by the network storage function registered by the service provider network element NF_P; and a processing module, used to determine the token corresponding to the service provider NF_P; the sending module is also used to send the service request carrying the token to the service provider NF_P; the receiving module is also used to receive the service response fed back by the service provider NF_P.
  • the device has the function of realizing the behavior of the network function network element NF_C in any one of the possible designs of the above-mentioned first aspect.
  • another authorization device including a sending module, configured to send a first token request, where the first token request includes the type of the service provider network function network element NF_P; a receiving module, configured to receive the token generated by the network storage function registered by the service provider network element NF_P; and a processing module, used to determine the token corresponding to the service provider NF_P; the sending module is also used to send the service request carrying the token to the service provider NF_P; the receiving module is also used to receive the service response fed back by the service provider NF_P.
  • the device has the function of realizing the behavior of the network function network element NF_C in any one of the possible designs of the second aspect.
  • an authorization device including a receiving module, configured to receive a first token request, where the first token request includes an identifier of a service provider network function network element NF_P; a processing module, configured to determine the target network storage function network element NRF registered by each service provider NF_P, where the processing module determines the target NRF according to the instance identifier of the NF_P; and a sending module, configured to send a second token request to the target NRF; the receiving module is also used to receive the token fed back by the target NRF; the processing module can also be used to authorize and generate the token according to the information in the first token request; the sending module is also used to return, to the sender of the token request, the token generated by the processing module and/or the token received by the receiving module.
  • the device has the function of realizing the NRF_P0 behavior of the network storage function network element in any one of the possible designs of the first aspect described above.
  • another authorization device including a receiving module, configured to receive a first token request, where the first token request includes the type of the service provider network function network element NF_P; a processing module, configured to determine the target network storage function network element NRF registered by each service provider NF_P, where the processing module determines the target NRF according to the type of the NF_P; and a sending module, used to send a second token request to the target NRF; the receiving module is also used to receive the token fed back by the target NRF; the processing module can also be used to authorize and generate the token according to the information in the first token request; the sending module is also used to return, to the sender of the token request, the token generated by the processing module and/or the token received by the receiving module.
  • the device has the function of realizing the NRF_P0 behavior of the network storage function network element in any one of the possible designs of the second aspect described above.
  • another authorization device including:
  • the receiving module is configured to receive a token request, where the token request includes the type or instance identifier of the service provider network function network element NF_P;
  • the processing module is used to authorize and generate the token according to the information in the token request; the processing module can also be used to determine the target network storage function network element NRF registered by each service provider NF_P, the processing The module determines the target NRF according to the instance identifier or type of the NF_P;
  • the sending module returns the token generated by the processing module to the token requester.
  • the sending module is also used to return to the token requester the instance identification of the target NRF registered by each NF_P determined by the processing module.
  • the device has the function of realizing the NRF_C behavior of the network storage function network element in any one of the possible designs of the third aspect.
  • another authorization device including
  • the sending module is used to send a token request, the token request includes the instance identifier or type of the service provider network function network element NF_P; the sending module is also used to send the service carrying the token to the service provider NF_P request;
  • the receiving module is used to receive the token generated and sent by the NRF_C; the receiving module is also used to receive the instance identifier of the NRF_P registered by the NF_P sent by the NRF_C; the receiving module is also used to receive the token generated and sent by each NRF_P. The receiving module is also used to receive the service response fed back by the service provider NF_P.
  • the processing module is used to select the token corresponding to the current service provider NF_P from the tokens received by the receiving module before the service request;
  • the device has the function of realizing the behavior of the network storage function network element NF_C in any one of the possible designs of the third aspect.
  • a device which includes: a storage unit, a communication interface, and a processor coupled with the storage unit and the communication interface; the storage unit is used to store instructions, the processor is used to execute the instructions, and the communication interface is used to communicate with other devices under the control of the processor;
  • the processor executes the instruction to realize the function of the NRF_C behavior in any one of the possible designs of the first aspect.
  • another device which includes: a storage unit, a communication interface, and a processor coupled with the storage unit and the communication interface; the storage unit is used to store instructions, the processor is used to execute the instructions, and the communication interface is used to communicate with other devices under the control of the processor;
  • the processor executes the instructions to implement the function of the NRF_C behavior in any one of the possible designs of the second aspect.
  • another device which includes: a storage unit, a communication interface, and a processor coupled with the storage unit and the communication interface; the storage unit is used to store instructions, the processor is used to execute the instructions, and the communication interface is used to communicate with other devices under the control of the processor;
  • the processor executes the instructions to implement the function of the NF_C behavior in any one of the possible designs of the first aspect.
  • a device in a fifteenth aspect, includes: a storage unit, a communication interface, and a processor coupled to the storage unit and the communication interface; the storage unit is used to store instructions, the processor is used to execute the instructions, and the communication interface is used to communicate with other devices under the control of the processor;
  • the processor executes the instruction to implement the function of the NF_C behavior in any one of the possible designs of the second aspect.
  • the device includes: a storage unit, a communication interface, and a processor coupled with the storage unit and the communication interface; the storage unit is used to store instructions, the processor is used to execute the instructions, and the communication interface is used to communicate with other devices under the control of the processor;
  • the processor executes the instruction to implement the function of the NRF_P0 behavior in any one of the possible designs of the first aspect.
  • another device which includes: a storage unit, a communication interface, and a processor coupled with the storage unit and the communication interface; the storage unit is used to store instructions, the processor is used to execute the instructions, and the communication interface is used to communicate with other devices under the control of the processor;
  • the processor executes the instruction to implement the function of the NRF_P0 behavior in any one of the possible designs of the second aspect.
  • another device includes: a storage unit, a communication interface, and a processor coupled with the storage unit and the communication interface; the storage unit is used to store instructions, the processor is used to execute the instructions, and the communication interface is used to communicate with other devices under the control of the processor;
  • the processor executes the instruction to realize the function of the NRF_C behavior in any one of the possible designs of the third aspect.
  • another device which includes: a storage unit, a communication interface, and a processor coupled with the storage unit and the communication interface; the storage unit is used to store instructions, and the processor is used to execute all The instructions, the communication interface is used to communicate with other devices under the control of the processor;
  • the processor executes the instruction to implement the function of the NF_C behavior in any one of the possible designs of the third aspect.
  • a computer-readable storage medium is provided, and a program stored in the computer-readable storage medium is executed by a processor to complete any method executed by any device provided in the embodiments of the present application Some or all of the steps.
  • a computer program product which when the computer program product runs on a computer device, causes the computer device to execute part or part of any method executed by any device provided in the embodiments of this application. All steps.
  • the network storage function network element NRF_C receives the first token request carrying information of one or more service provider network function network elements NF_P registered under different network storage functions NRF_P. According to the identifier or type of the network function network element NF_P in the token request, NRF_C queries the registration information to determine the network storage function network element NRF_P with which each service provider network function network element NF_P is registered, then sends a second token request to that NRF_P and receives the token it returns. Further, NRF_C sends the saved and/or received tokens to the token requester.
  • the service requester network function network element NF_C that requested the tokens finds the token corresponding to the NF_P among the received tokens according to the identifier of the service provider network function network element NF_P, and finally sends a service request carrying the token to the service provider NF_P.
  • FIG. 1 is a diagram of a network system architecture involved in an embodiment of this application.
  • FIGS. 2a and 2b are diagrams of an application scenario involved in an embodiment of this application.
  • FIG. 3 is a schematic flowchart of an authorization method according to an embodiment of the application.
  • FIG. 4 is a schematic flowchart of another authorization method according to an embodiment of the application.
  • FIGS. 5a and 5b are diagrams of another application scenario involved in an embodiment of this application.
  • FIG. 6 is a schematic flowchart of another authorization method according to an embodiment of the application.
  • FIG. 7 is a schematic flowchart of another authorization method according to an embodiment of the application.
  • FIGS. 8a and 8b are diagrams of another application scenario involved in an embodiment of this application.
  • FIG. 9 is a schematic flowchart of another authorization method according to an embodiment of the application.
  • FIG. 10 is a schematic flowchart of another authorization method according to an embodiment of the application.
  • FIG. 11 is a schematic structural diagram of a device according to an embodiment of the application.
  • FIG. 12 is a schematic structural diagram of a device according to an embodiment of the application.
  • the embodiments of the present application provide an authorization method and device in a multi-NRF scenario, which are used to implement authorization when a NF requests a service in a PLMN with multiple NRF scenarios.
  • the method and the device are based on the same inventive concept. Since the method and the device solve the problem on similar principles, the implementations of the device and the method can be referred to each other, and repeated descriptions are omitted.
  • the communication method provided in the embodiments of the present application can be applied to a 5G communication system or various future communication systems.
  • the SBA includes multiple network functions (Network Functions, NF), and each NF interacts through a service-based interface (SBI), and one NF can provide one or more NF services.
  • the NF service can adopt a "request-feedback" or "subscription-notification" approach.
  • Each NF can act as a service provider (Service Producer) to provide an application programming interface (Application Programming Interface, API) for other NFs to call, or as a service consumer (Service Consumer) to call APIs of other NFs.
  • FIG. 1 is a schematic diagram of a possible network architecture in a non-roaming scenario.
  • the network architecture consists of user equipment, access network, and operator network.
  • the operator network includes the core network and the data network, and user equipment accesses the operator network through access network nodes. The specific description is as follows:
  • the UE is a logical entity.
  • the UE may be any of a terminal equipment (Terminal Equipment), a communication device (Communication Device), and an Internet of Things (IoT) device.
  • the terminal device can be a smart phone (smart phone), a smart watch (smart watch), a smart tablet (smart tablet), etc.
  • the communication device can be a server, a gateway (Gateway, GW), a controller, etc.
  • the IoT device can be a sensor, an electric meter, a water meter, and so on.
  • the RAN is responsible for UE access.
  • the RAN can be a base station, a wireless fidelity (Wi-Fi) access point, and a Bluetooth access point.
  • the data network DN is also called PDN (Packet Data Network).
  • the DN can be an operator's external network or an operator-controlled network for providing business services to users.
  • Core network CN, as a bearer network, provides an interface to the DN, providing UE with communication connection, authentication, management, policy control, and carrying data services.
  • CN includes: access and mobility management network element, session management network element, user plane node function, authentication server, unified data management network element, network exposure function network element, application function network element, network slice selection function network element, Policy control network elements, network storage functions, etc.
  • the Access and Mobility Management Function (AMF), a control plane network element provided by the operator, is responsible for the access control and mobility management of the UE's access to the operator's network.
  • the Session Management Function (SMF), a control plane network element provided by the operator, is responsible for managing the session of the data packet of the UE.
  • the User Plane Function (UPF), a user plane network element provided by the operator, is a gateway for communication between the operator's network and the DN.
  • UPF can be a gateway, server, controller, user plane function network element, etc.
  • the UPF can be set inside or outside the operating network.
  • the authentication server function (Authentication Server Function, AUSF), the control plane network element provided by the operator, can be used for the operator's network to authenticate the network subscribers.
  • the Unified Data Manager (UDM), a control plane network element provided by the operator, is responsible for storing the Subscriber Permanent Identifier (SUPI), registration information, credentials, subscription data, etc. of the operator's network.
  • NEF Network Exposure Function
  • the Application Function (AF) is used to store business security requirements and provide information for policy determination.
  • the policy control function (Policy Control Function, PCF) can be used to be responsible for policy control decision-making, to provide functions such as service data flow and application detection, gating, QoS, and flow-based charging control.
  • a network slice selection function (Network Slice Selection Function, NSSF) is used to select a network slice instance serving the user equipment, determine the AMF set for the user equipment, and so on.
  • NRF Network storage function
  • the NRF can be a functional entity such as a network element, a controller, or a server.
  • N1, N2, N3, N4, and N6 are the interfaces between the corresponding network elements;
  • Namf, Nsmf, Nausf, Nudm, Nnef, Npcf, Naf, Nnssf, and Nnrf are the service-based interfaces (SBI) of AMF, SMF, AUSF, UDM, NEF, PCF, AF, NSSF, and NRF, respectively.
  • NF may be a network function in AMF, SMF, AUSF, UDM, NEF, PCF, AF, or NSSF.
  • the aforementioned network elements may be network elements implemented on dedicated hardware, software instances running on dedicated hardware, or instances of virtualized functions on an appropriate platform.
  • the embodiments of this application are mainly applied to a scenario where two or more NRFs are deployed in the same PLMN.
  • Each NRF provides services such as registration, service discovery, and authorization for the NFs it manages.
  • NFs managed by different NRFs cannot be directly accessed. These NFs can only complete the discovery and authorization processes through their respective registered NRFs.
  • the embodiments of the present application also consider roaming scenarios and non-roaming scenarios. In a roaming scenario, there are a service network and a home network, and the architecture of the service network and the home network may be the same or different.
  • the authorization method proposed in the embodiment of the application involves a first network storage function NRF, a second network storage function NRF, a service requester network function (Service Consumer), and a service provider network function (Service Producer).
  • the first NRF may be NRF_C or NRF_P0
  • the second NRF may be NRF_P
  • the service requester network function may be NF_C
  • the service provider network function may be NF_P.
  • there may be one or more of the aforementioned NRF_Ps in the application scenarios of the embodiments of the present application, such as NRF_P1, NRF_P2, etc.; there may also be one or more NF_Ps, such as NF_P1, NF_P2, NF_P3, and so on.
  • Figures 2a and 2b describe the scenario where the service requester NF requests a token of a specific service provider NF registered on different NRFs.
  • for example, AMF requests service from SMF, or AUSF requests service from UDM, etc., which is not limited here.
  • Figure 2a shows a scenario where the service requester network element and the service provider network element are located in the same PLMN. Specifically, the service requester NF_C is registered on NRF_C; the service provider NF_P is registered on NRF_P; NRF_C and NRF_P can interact.
  • Figure 2b shows a scenario where the service requester network element and the service provider network element are located in different PLMNs.
  • the service requester NF_C is registered on NRF_C located in the service network cPLMN;
  • the service provider NF_P1 is registered on NRF_P1 located in the home network pPLMN;
  • NRF_C interacts with NRF_P0 in pPLMN;
  • NRF_P0 interacts with NRF_P1.
  • This process describes the authorization scenario in which the token request sent by the service requester NF contains the identity of a service provider NF registered under a different NRF, where the service requester NF and the service provider NF are located in the same PLMN network, that is, a non-roaming scenario; the scenario is shown in Figure 2a.
  • This scenario involves four network elements, including the service requester NF_C and the corresponding NRF_C, the service provider NF_P and the corresponding NRF_P.
  • This step is a preliminary step that needs to be completed before the authorization process starts.
  • each network function network element NF is registered with its corresponding network storage function network element NRF.
  • the service requester NF_C is registered with NRF_C
  • the service provider NF_P is registered with NRF_P.
  • Each network storage function NRF stores each other's registration information through registration, that is, one NRF is registered to another NRF;
  • NRF_C and NRF_P can also save each other's registration information through network configuration.
  • NRF_C saves the information of all NFs registered on NRF_P; optionally, NRF_C and NRF_P can also complete the acquisition and update of registration information through the two operations NFStatusSubscribe and NFStatusNotify of the Nnrf_NFManagement service.
  • the acquisition of registration information between NRF_C and NRF_P includes but is not limited to the above methods, and this application is not limited.
  • the registration information includes network function profiles (NFProfiles), and the NFProfiles may include the NF instance ID (Instance ID), NF type, PLMN ID, network-slicing-related ID, the NF's fully qualified domain name (Fully Qualified Domain Name, FQDN) or IP address, NF capacity information, NF priority information, NF set ID, service names supported by the NF, NF-specific service authorization information, etc.
  • the registration information further includes the correspondence between an NF type and the instance IDs of all NRFs with which NFs of this type are registered, and/or the correspondence between the instance ID of an NF and the instance ID of the NRF with which the NF is registered;
  • the service requester NF_C initiates an NF discovery process to NRF_C, and NRF_C returns to NF_C information about a group of NFs that can provide a specific NF service or that belong to the target NF type.
  • the information includes the instance ID of the NF and/or the identifier of the NRF with which the NF is registered, the type of the NF, the FQDN or IP address of the NF, the name of the service provided, etc.
  • the information returned by the service discovery also includes PLMN ID, NF location information, NF set ID and other related information, which will not be listed here.
  • the information in this embodiment includes the instance identifier of NF_P.
  • the service requester NF_C sends a first token request to the registered NRF_C, and correspondingly, the NRF_C receives the token request from the NF_C.
  • the token request carries the identifier of the service provider NF_P, for example, carries the instance identifier of NF_P.
  • the token request also carries the identity of the service requester NF_C, the service name and other parameters required for authorization and token generation, which are not limited here.
  • the network storage function NRF_C determines the NRF registered by the service provider NF_P.
  • After receiving the token request, NRF_C queries the registration information according to the identifier of the service provider NF_P in the token request and obtains the identifier of the target NRF corresponding to the NF_P, that is, of NRF_P.
  • the identifier may be the instance identifier and/or FQDN of NRF_P, or other identifiers or addresses of NRF_P, etc., which is not limited here.
  • NRF_C forwards the token request to NRF_P according to the identifier of NRF_P, and correspondingly, NRF_P receives the token request from NRF_C.
  • NRF_P performs authorization, generates a token, and performs integrity protection.
  • After receiving the token request, NRF_P performs authorization using the information in the token request combined with locally configured policies or authorization information, and generates a token after successful authorization.
  • the claims (Token Claim) of the token generated by the NRF_P contain the identity of the token issuer, that is, the instance identifier of the NRF_P.
  • the token also carries information such as the instance identifier of the service requester NF_C, the instance identifier of the service provider NF_P, the requested service name, and the validity period of the token.
  • NRF_P uses the shared key with the service provider NF_P or uses its own private key to protect the integrity of the token.
  • the NRF_P sends a token to the NRF_C, where the token is a token after integrity protection by the NRF_P, and the corresponding NRF_C receives the token.
  • NRF_C sends the received token to NF_C, and correspondingly, NF_C receives the token.
  • the NRF_C when sending the token, also sends the correspondence between the NF_P and the instance identifier of the NRF_P to the NF_C, and correspondingly, the NF_C receives and saves the correspondence between the NF_P and the NRF_P.
  • the identification of the NRF_P corresponding to the NF_P can be found by querying the stored information, and the token request can be sent directly to the NRF_P.
  • the service requester NF_C sends a service request to the service provider NF_P, and the service request carries the token.
  • NF_P receives a service request carrying a token from NF_C.
  • NF_P uses the shared key negotiated with NRF_P, or uses the public key of NRF_P to perform integrity verification on the token, and executes the token verification after the verification passes.
  • the token verification means that the service provider NF_P verifies whether the information carried in the token is consistent with the relevant information of the NF_P, for example, whether the instance identifier of the service provider carried in the token is the instance identifier of the NF_P.
  • the service provider NF_P sends a service response to the service requester NF_C.
  • the corresponding NF_C receives the service response from NF_P.
  • the registration information is shared between NRF_C and NRF_P.
  • NRF_C determines the NRF_P with which the service provider NF_P is registered by querying the registration information and forwards the token request to it, so that NRF_P completes the authorization and token generation, and the service provider NF_P subsequently verifies the token, thereby solving the problem of service authorization between NFs when multiple NRFs are deployed in the same PLMN network in the prior art.
  • This process describes the authorization scenario where the token request sent by the service requester NF contains the identity of a service provider NF registered under a different NRF, where the service requester NF and the service provider NF are located in different PLMN networks, that is, a roaming scenario; the scenario is shown in Figure 2b.
  • This scenario involves five network elements, including the service requester NF_C and the corresponding NRF_C located in the service network, the first network storage function NRF_P0, the service provider NF_P1 and the corresponding NRF_P1 located in the home network.
  • the NRF_P0 can be a network storage function deployed in pPLMN that is specifically responsible for receiving roaming requests, or it can be any network storage function in pPLMN.
  • This step is a preliminary step that needs to be completed before the authorization process starts.
  • each network function network element NF is registered with its corresponding network storage function network element NRF.
  • the service requester NF_C is registered with NRF_C
  • the service provider NF_P1 is registered with NRF_P1.
  • the network storage functions NRF_C and NRF_P0, as well as NRF_P0 and NRF_P1 can save the registration information of each other through the network configuration, that is, the information of all NFs registered on the NRF;
  • the registration information of each other is saved between NRF_P0 and NRF_P1 through registration, that is, one NRF is registered to another NRF;
  • NRF_C and NRF_P0 can also use the two operations of NFStatusSubscribe and NFStatusNotify in the Nnrf_NFManagement service to complete the acquisition and update of registration information.
  • the acquisition of registration information between NRFs includes but is not limited to the above methods, and this application is not limited.
  • the service requester NF_C initiates an NF discovery process to NRF_C, and NRF_C returns to NF_C information about a group of NFs that can provide specific NF services or that belong to the target NF type.
  • the information that may be contained is detailed in S300; the information in this embodiment includes the instance ID of NF_P1.
  • the token request also includes the PLMN ID of the service network cPLMN to which the service requester NF_C belongs and the PLMN ID of the home network pPLMN to which the service provider NF_P belongs.
  • the network storage function NRF_C determines the first network storage function NRF_P0 deployed in the PLMN where the service provider is located.
  • NRF_C obtains the instance ID and/or FQDN of the network storage function NRF_P0 deployed in the pPLMN according to the PLMN ID of the home network pPLMN to which the service provider NF_P1 belongs in the above token request, or obtains another identifier or address of that NRF, etc., which is not limited in this application.
  • NRF_C forwards the token request to NRF_P0 according to the identifier of NRF_P0, and correspondingly, NRF_P0 receives the token request from NRF_C.
  • the network storage function NRF_P0 determines the NRF_P1 registered by the service provider NF_P1.
  • the network storage function NRF_P0 determines the target NRF registered by NF_P1, that is, the identification of NRF_P1, by querying the registration information according to the identification of the service provider NF_P1 in the token request.
  • the identifier may be an instance identifier and/or FQDN of NRF_P1, or other identifiers or addresses of NRF_P1, etc., which is not limited in this application.
  • the network storage function NRF_P0 sends the token request to the NRF_P1 registered by the NF_P1 according to the identifier of the NRF_P1, and the corresponding NRF_P1 receives the token request from the NRF_P0.
  • NRF_P1 performs authorization, generates a token, and performs integrity protection.
  • This step is similar to S304, except that, in addition to the content of S304, the token also carries the PLMN ID of the service network cPLMN to which the service requester NF_C belongs and the PLMN ID of the home network pPLMN to which the service provider NF_P1 belongs.
  • the NRF_P1 corresponding to the service provider sends a token to the NRF_P0, and correspondingly, the NRF_P0 receives the token from the NRF_P1.
  • the token is a token obtained by NRF_P1 using a shared key with the service provider NF_P1 or using its own private key to protect the integrity of the token.
  • NRF_P0 forwards the received token to NRF_C, and correspondingly, NRF_C receives the token.
  • S409 to S412 are the same as S306 to S309, and will not be repeated here.
  • this embodiment is suitable for roaming scenarios.
  • NRF_C and NRF_P0, and NRF_P0 and NRF_P1 share registration information.
  • After receiving the token request, NRF_C first queries for NRF_P0 and forwards the token request to it; NRF_P0 then queries for NRF_P1 and forwards the token request to it, so that NRF_P1 completes the authorization and token generation, and the service provider NF_P1 subsequently verifies the token, thereby solving the service authorization problem between NFs in the roaming scenario when multiple NRFs are deployed in the same PLMN network in the prior art.
  • Figures 5a and 5b describe the scenario where the service requester NF requests tokens of several specific service providers NF registered on different NRFs.
  • for example, AMF requests services from SMF, NEF, and UDM, or AUSF requests services from AMF, UDM, and SMF, etc., which is not limited here.
  • Figure 5a shows a scenario where the service requester network element and several service provider network elements are located in the same PLMN network.
  • the service requester NF_C is registered on NRF_C; service provider one NF_P1 is registered on NRF_P1, service provider two NF_P2 and service provider three NF_P3 are registered on NRF_P2; NRF_C, NRF_P1 and NRF_P2 can interact with each other.
  • Figure 5b shows a scenario where the service requester and several service providers are located in different PLMN networks.
  • the AMF located in the serving network cPLMN requests services from SMF, NEF, and UDM located in the home network pPLMN, or the AUSF located in the serving network cPLMN requests services from AMF, UDM, and SMF located in the home network pPLMN.
  • NRF_C interacts with NRF_P0 in the home network pPLMN, and NRF_P0, NRF_P1, and NRF_P2 interact with each other; the registration relationship of each network function NF is the same as that in Figure 5a, and will not be repeated here.
  • This process describes the authorization process in a scenario where the service requester network function network element NF_C is registered on the network storage function NRF_C, and at least two or more service provider network function network elements NF_P are registered on different NRF_Ps in the same PLMN.
  • the scene description is shown in Figure 5a.
  • This scenario involves seven network elements, including service requester network function network element NF_C and corresponding NRF_C, service provider network function network element NF_P1 and corresponding NRF_P1, service provider NF_P2, NF_P3 and their corresponding NRF_P2.
  • This step is a preliminary step that needs to be completed before the authorization process starts.
  • each network function network element NF is registered with its corresponding network storage function network element NRF.
  • the service requester NF_C is registered on NRF_C
  • the service provider NF_P1 is registered on NRF_P1
  • the service providers NF_P2 and NF_P3 are registered on NRF_P2.
  • Each network storage function NRF stores each other's registration information through registration, that is, one NRF is registered to another NRF;
  • Optionally, NRF_C, NRF_P1, and NRF_P2 can also save each other's registration information through network configuration, that is, the information of all NFs registered on each NRF; optionally, NRF_C, NRF_P1 and NRF_P2 can also use the two operations NFStatusSubscribe and NFStatusNotify of the Nnrf_NFManagement service to complete the acquisition and update of registration information.
  • the acquisition of registration information between NRF_C, NRF_P1 and NRF_P2 includes but is not limited to the above methods, and this application is not limited. The registration information has been described in S300, and will not be repeated here.
  • the service requester NF_C initiates an NF discovery process to NRF_C, and NRF_C returns to NF_C information about a group of NFs that can provide a specific NF service or that belong to the target NF type.
  • the content of the information can be found in S300 and is not repeated here.
  • the information in this embodiment includes instance identifiers of NF_P1, NF_P2, and NF_P3.
  • the service requester NF_C sends a first token request to the registered network storage function network element NRF_C, and the network storage function network element NRF_C receives the first token request.
  • the first token request carries the identifier of each service provider NF_P, for example, carries the instance identifier of NF_P1, the instance identifier of NF_P2 and/or NF_P3.
  • the first token request may also carry the identifier of the service requester NF_C, the service name and other parameters required for authorization and token generation, which are not limited here.
  • the network storage function NRF_C determines the target NRF registered by each service provider NF_P.
  • the network storage function network element NRF_C queries the registration information according to the identity of each service provider NF_P in the token request and determines the identity of the target NRF with which each NF_P is registered. For example, NRF_C obtains the instance ID and/or FQDN of NRF_P1, or the ID or address of NRF_P, etc., according to the instance identifier of NF_P1, which is not limited in this application; NRF_C obtains the instance ID and/or FQDN of NRF_P2, or the ID or address of NRF_P, etc., according to the instance ID of NF_P2 and/or NF_P3, which is not limited in this application.
  • the target NRFs are all other NRFs in the same PLMN of the NRF_C, that is, NRF_P1 and NRF_P2; optionally, in other scenarios, the target NRF may be the NRF_C registered by NF_C.
  • NRF_C performs authorization according to the information in the first token request, generates a token after authorization is successful, and protects the integrity of the token.
  • NRF_C sends a second token request to NRF_P1 corresponding to NF_P1, and the corresponding NRF_P1 receives the second token request from NRF_C, where the second token request includes the instance identifier of NF_P1;
  • After the network storage function NRF_C obtains the identification of the NRF_P corresponding to each service provider NF_P, it sends a second token request to each NRF_P. In this step, NRF_C sends the token request to NRF_P1.
  • NRF_P1 performs authorization, generates a token, and performs integrity protection.
  • the specific content is the same as S304, and will not be repeated here.
  • the NRF_P1 corresponding to the service provider sends a token to the NRF_C corresponding to the service requester.
  • the token is a token obtained by NRF_P1 using a shared key with the service provider NF_P or using its own private key to protect the integrity of the token.
  • NRF_C sends a second token request to NRF_P2, and the corresponding NRF_P2 receives the second token request from NRF_C.
  • the second token request includes the instance identifier of NF_P2 and/or NF_P3.
  • NRF_C can send multiple token requests for a single service provider to NRF_P.
  • S606 to S608 are the same as S303 to S305 and will not be repeated here.
  • NRF_P2 performs authorization, generates a token and performs integrity protection.
  • NRF_P2 obtains the information carried in the token request combined with locally configured policies or authorization information for authorization, and generates a token after authorization is successful.
  • the claims (Token Claim) of the token include the instance identifier of the token issuer NRF_P2.
  • the token also carries information such as the instance identifier of the service requester NF_C, the instance identifiers of the service providers NF_P2 and NF_P3, the requested service name, and the validity period of the token.
  • NRF_P2 uses a shared key with service providers NF_P2 and NF_P3 or uses its own private key to protect the integrity of the token.
  • the NRF_P2 corresponding to the service provider sends a token to the NRF_C corresponding to the service requester, and the corresponding NRF_C receives the token from the NRF_P2.
  • S603 to S605 and S606 to S608 do not have a strict execution order, and their order can be exchanged.
  • NRF_C receives the token sent by each NRF_P and sends all the acquired tokens to the service requester NF_C through a token response, for example, the tokens from NRF_P1 and NRF_P2 in this embodiment. Correspondingly, NF_C receives the tokens from NRF_C.
  • the NRF_C sends the token generated by the NRF_C and/or received by the NRF_C to the NF_C.
  • the NRF_C when sending the token, also sends the corresponding relationship between the instance identifier of each NF_P and the instance identifier of the registered NRF_P to the NF_C.
  • the NF_C receives and saves the corresponding relationship between each NF_P and NRF_P.
  • S610 to S613 take NF_P1 as an example to describe the steps of the service requester NF_C requesting the service from the service provider NF_P1.
  • the steps for the service requester NF_C to initiate a service request to NF_P2 or NF_P3 in this embodiment are the same as the above steps.
  • the service requester NF_C queries and finds the token corresponding to the service provider NF_P1 according to the instance identifier of the service provider NF_P1.
  • NF_C can find out the token carrying the instance ID according to the instance ID of the service provider NF_P1.
  • NF_C sends a service request carrying a corresponding token to NF_P1.
  • the service requester NF_C sends a service request to the service provider NF_P1, and the service request carries the token corresponding to the NF_P1, that is, the token with the instance identifier of the NF_P1.
  • After the service provider NF_P1 receives the service request carrying the token, it uses the public key of its corresponding network storage function network element NRF_P1 or the shared key negotiated between NF_P1 and NRF_P1 to perform integrity verification, and performs the token check after the verification passes.
  • the service provider NF_P1 sends a service response to the service requester NF_C.
  • the service requester NF_C receives the service response from the service provider NF_P.
  • the registration information is shared among NRF_C, NRF_P1, and NRF_P2.
  • NRF_C queries the registration information and sends the registration information of each service provider NF_P to the NRF_P registered by each NF_P.
  • each NRF_P generates a token for one or several NF_Ps.
  • the service requester selects the corresponding token according to the service provider's identity, and the subsequent service provider verifies the token.
  • the above method allows multiple tokens to be generated for multiple service providers from one token request of the service requester, and the service requester subsequently carries the correct token in the service request, which avoids failure of the service provider's token verification, thereby solving the problem of token requests for certain service providers in the scenario where multiple NRFs are deployed in the same PLMN in the prior art.
  • As shown in FIG. 7, another possible process of one of the authorization methods provided in the embodiment of the present application is as follows.
  • This process corresponds to the scenario where the service requester network function network element NF_C is registered on the network storage function NRF_C, and two or more specific service provider network function network elements NF_P are registered on different NRF_Ps, where the service requester is located in the service network and the service provider is located in the home network, that is, authorization in the roaming scenario. The scenario is shown in Figure 5b.
  • the authorization process described in Figure 7 involves eight network elements, including the service requester NF_C and the corresponding NRF_C in the service network cPLMN, the network storage function NRF_P0 in the home network pPLMN, the service provider NF_P1 and the corresponding NRF_P1, the service provider NF_P2, NF_P3 and their corresponding NRF_P2.
  • the NRF_P0 may be a network storage function deployed in the pPLMN that is specifically responsible for receiving roaming requests, or it may be any network storage function in the pPLMN.
  • each network function network element NF is registered with its corresponding network storage function network element NRF.
  • the service requester NF_C is registered on NRF_C
  • the service provider NF_P1 is registered on NRF_P1
  • the service providers NF_P2 and NF_P3 are registered on NRF_P2;
  • the network storage functions NRF_C and NRF_P0, as well as NRF_P0, NRF_P1 and NRF_P2 can save the registration information of each other through the network configuration, that is, the information of all NFs registered on the NRF;
  • NRF_C and NRF_P0 save the registration information of each other through registration, that is, one NRF is registered to another NRF;
  • NRF_C and NRF_P0 can also use the two operations of NFStatusSubscribe and NFStatusNotify in the Nnrf_NFManagement service to complete the acquisition and update of registration information.
  • the acquisition of registration information between NRFs includes but is not limited to the above methods, and this application is not limited.
  • the service requester NF_C initiates an NF discovery process to NRF_C, and NRF_C returns to NF_C information that can provide specific NF services or a group of NFs belonging to the target NF type.
  • the information that may be contained is detailed in S300 and is not repeated here. The information in this embodiment includes instance identifiers of NF_P1, NF_P2, and NF_P3.
  • the service requester NF_C sends a first token request to the registered network storage function network element NRF_C, and the network storage function network element NRF_C receives the first token request.
  • the first token request carries the identifier of each service provider NF_P, for example, carries the instance identifier of NF_P1, the instance identifier of NF_P2 and/or NF_P3.
  • the token request also carries the IDs of the public land mobile networks (PLMNs) where the service requester and the service provider network element are located, that is, the ID of the service network cPLMN and the ID of the home network pPLMN in this embodiment.
  • the token request may also carry the identity of the service requester NF_C, service name and other parameters required for authorization and token generation, which are not limited here.
  • the network storage function NRF_C determines the network storage function NRF_P0 deployed in the PLMN where the service provider is located.
  • NRF_C obtains the identity of the network storage function NRF_P0 in the pPLMN according to the PLMN ID of the home network pPLMN to which the service provider NF_P belongs, carried in the above token request.
  • the identity can be the instance identifier and/or FQDN of NRF_P0, or another identifier or address of NRF_P0, which is not restricted in this application.
  • the network storage function network element NRF_C sends the first token request to the NRF_P0, and the corresponding NRF_P0 receives the first token request from the NRF_C.
  • the steps S704 to S710 performed by the NRF_P0 in the home network in this embodiment are similar to the steps S602 to S608 performed by the NRF_C in FIG. 7: in both cases the NRF uses the identifier of each service provider NF_P carried in the received first token request to query the registration information, finds the NRF_P on which each NF_P is registered, and sends a token request to each NRF_P.
  • the network storage function NRF_P0 determines the target NRF registered by each service provider NF_P.
  • the network storage function NRF_P0 determines the identification of the target NRF corresponding to each NF_P according to the identification of each service provider NF_P in the first token request, such as the identification of NRF_P1 and NRF_P2 in this embodiment.
  • the identifier may be the instance identifier and/or FQDN of NRF_P, or other identifiers or addresses of NRF_P, etc., which is not limited in this application.
  • the target NRFs are all other NRFs in the same home network as the NRF_P0, that is, NRF_P1 and NRF_P2; optionally, in other scenarios, the target NRF may be the NRF_P0 itself, in which case the NRF_P0 performs authorization according to the information in the first token request, generates the token after the authorization is successful, and protects the integrity of the token.
  • the network storage function NRF_P0 sends a second token request to NRF_P1 corresponding to NF_P1, and the corresponding NRF_P1 receives the second token request from NRF_P0, where the second token request includes the instance identifier of NF_P1;
  • After the network storage function NRF_P0 obtains the identification of the NRF_P corresponding to each service provider NF_P, it sends a second token request to each NRF_P. In this step, NRF_P0 sends the second token request to NRF_P1.
  • NRF_P1 performs authorization, generates a token, and performs integrity protection.
  • This step is similar to S604, except that, in addition to the content of S304, the token also carries the PLMN ID of the service network cPLMN to which the service requester NF_C belongs and the PLMN ID of the home network pPLMN to which the service provider NF_P1 belongs.
  • the NRF_P1 corresponding to the service provider sends a token to the NRF_P0 corresponding to the service requester.
  • the token is a token obtained by NRF_P1 using a shared key with the service provider NF_P or using its own private key to protect the integrity of the token.
  • the network storage function NRF_P0 sends a second token request to NRF_P2, and the corresponding NRF_P2 receives the second token request from NRF_P0.
  • the token request includes the instance identifier of NF_P2 and/or NF_P3.
  • NRF_P0 can send multiple token requests for a single service provider to NRF_P.
  • S708 to S710 are the same as S405 to S407 and are not repeated here.
  • NRF_P2 performs authorization, generates a token, and protects the integrity of the token.
  • This step is similar to S607, except that, in addition to the content of S304, the token also carries the PLMN ID of the service network cPLMN to which the service requester NF_C belongs and the PLMN ID of the home network pPLMN to which the service provider NF_P2 belongs.
  • the NRF_P2 corresponding to the service provider sends a token to the NRF_P0, and the corresponding NRF_P0 receives the token from the NRF_P2.
  • S705 to S707 and S708 to S710 have no strict execution order, and their order can be exchanged.
  • After receiving the token sent by each NRF_P, the NRF_P0 sends all the acquired tokens to the NRF_C in the service network cPLMN through the token response, such as the tokens from NRF_P1 and NRF_P2 in this embodiment. Correspondingly, NRF_C receives the token from NRF_P0.
  • the NRF_P0 sends the token generated by the NRF_P0 and/or received by the NRF_P0 to the NRF_C.
  • the NRF_C sends the received token to the service requester network element NF_C.
  • S713 to S716 are the same as S610 to S613, and will not be repeated here.
  • in this embodiment, the NRF_C on which the service requester NF_C located in the service network cPLMN is registered forwards the token request to the first network storage function NRF_P0 located in the home network pPLMN; NRF_P0 determines the target NRF_Ps within the pPLMN and sends a token request to each of them, thereby solving the problem of service authorization between the service requester NF and certain service provider NFs in the roaming scenario when multiple NRFs are deployed in the same PLMN network in the prior art.
  • Figures 8a and 8b describe the scenario in which the service requester NF requests the tokens of a certain type of service provider NF registered on different NRFs.
  • AMF requests service from SMFs registered on different NRFs
  • AUSF requests the tokens registered on different NRFs.
  • UDM request services on NRF, etc., are not limited here.
  • Figure 8a shows a scenario where the service requester network element and a certain type of service provider network element are located in the same PLMN network.
  • service requester NF_C is registered on NRF_C;
  • service provider one NF_P1 is registered on NRF_P1,
  • service provider two NF_P2 and service provider three NF_P3 are registered on NRF_P2, where NF_P1, NF_P2 and NF_P3 belong to the same type of network element;
  • NRF_C, NRF_P1 and NRF_P2 can interact with each other.
  • Figure 8b shows a scenario where the service requester and a certain type of service provider are located in different PLMN networks.
  • the AMF located in the serving network cPLMN requests service from the three SMFs located in the home network pPLMN.
  • NRF_C interacts with NRF_P0 in the home network pPLMN, and NRF_P0, NRF_P1, and NRF_P2 interact with each other; the registration relationship of each network function NF is the same as that in Fig. 8a, and will not be repeated here.
  • This process describes the authorization process in the scenario where the service requester network function network element NF_C is registered on the network storage function NRF_C, and a certain type of service provider network function network element NF_P is registered in different NRF_Ps in the same PLMN.
  • For the scenario description, see Figure 8a.
  • This scenario involves six network elements, including the service requester network function network element NF_C and the corresponding NRF_C, the service provider network function network element NF_P1 and the corresponding NRF_P1, and the service provider NF_P2 and the corresponding NRF_P2. The service provider NF_P1 belongs to the same type of network element as NF_P2.
  • each NF is registered with its corresponding NRF, and registration information is shared between each NRF. For details, see S600.
  • the service requester NF_C obtains information from the NRF_C that can provide a specific NF service or a group of NFs belonging to the target NF type through the service discovery step.
  • the information is detailed in S300.
  • the optional service discovery step described above can be performed after the token request step, that is, between S912 and S913.
  • If steps S901 to S903 are executed, the above service discovery step need not be executed.
  • the service requester NF_C sends an NF discovery request to the registered network storage function network element NRF_C, where the request includes the type of NF_P, and the corresponding NRF_C receives the NF discovery request from the NF_C.
  • After receiving the NF discovery request sent by NF_C, NRF_C queries the registration information, finds one or more service providers NF_P that meet the requirements, and returns to NF_C, through the service discovery response, the instance ID of each NF_P as well as the instance ID of the NRF_P on which each NF_P is registered; correspondingly, NF_C receives the service discovery response.
  • After receiving the service discovery response, the NF_C saves the corresponding relationship between the instance ID of each NF_P and the instance ID of the NRF_P on which it is registered.
  • steps S901 to S903 are optional steps, which can be executed between S900 and S904, or between S912 and S913. If steps S901 to S903 are executed, the following S913 to S915 should be skipped.
  • the service requester NF_C sends a first token request to the registered network storage function network element NRF_C, and correspondingly, the network storage function network element NRF_C receives the first token request.
  • the first token request carries the identity of the service requester, that is, the identity of NF_C, including the instance identity and type of NF_C; the first token request also carries the identity of the service provider NF_P, and the identity includes the type of NF_P
  • the first token request may also carry other parameters required for authorization and token generation, such as the requested service name.
  • the network storage function NRF_C determines, by querying the registration information, the identities of all target NRFs corresponding to the type of the service provider network function network element NF_P in the first token request, for example, the instance ID and/or FQDN of NRF_P1 and NRF_P2 in this embodiment, or another ID or address of NRF_P, which is not limited in this application;
  • the target NRFs are all other NRFs in the same PLMN of the NRF_C, that is, NRF_P1 and NRF_P2; optionally, in other scenarios, the target NRF may be the NRF_C registered by NF_C.
  • NRF_C performs authorization according to the information in the first token request, generates a token after authorization is successful, and protects the integrity of the token.
  • NRF_C sends a second token request to NRF_P1, and correspondingly, NRF_P1 receives the second token request from NRF_C.
  • the token request includes the type of NF_P1, and/or the instance ID of NF_P1, and/or the instance ID of NF_P1 and NF_P2.
  • NRF_P1 performs authorization, generates a token, and performs integrity protection.
  • After receiving the second token request, the NRF_P1 corresponding to the service provider network function network element NF_P1 obtains the information in the token request and combines it with locally configured policies or authorization information for authorization, and NRF_P1 generates a token after successful authorization. In addition, NRF_P1 uses the shared key with the service provider NF_P1 or uses its own private key to protect the integrity of the token.
  • the claims of the token generated by NRF_P1 carry the identity of the token issuer, that is, the instance identity of NRF_P1.
  • the token also carries information such as the type of the service provider NF_P1, the instance identifier of the service requester NF_C, the requested service name, and the validity period of the token.
  • the NRF_P1 corresponding to the service provider sends a token to the NRF_C corresponding to the service requester, and correspondingly, the NRF_C corresponding to the service requester receives the token from the NRF_P1.
  • S909-S911 send the second token request to NRF_P2, and NRF_P2 performs authorization, generates a token, and sends the token to NRF_C.
  • the specific content is the same as S903-S905.
  • S913 to S919 take NF_P1 as an example, and describe the steps in which the service requester NF_C selects the corresponding token to request the service from the service provider NF_P.
  • the NF_C sends the instance identifier of the NF_P1 to the NRF_C, and the corresponding NRF_C receives the NF_P1 instance identifier from the NF_C.
  • the service request used to request NRF_C to query and return the instance identifier of NRF_P can be an existing Nnrf_NFDiscover_NFDiscover Request, Nnrf_NFManagement_NFProfileRetrieval Request or other service requests, or a newly defined service request, which is not limited here.
  • the NRF_C queries the registration information according to the instance ID of the NF_P1, and finds the instance ID of the NRF_P1 registered by the NF_P1.
  • NRF_C sends the found instance ID of NRF_P1 registered by NF_P1 to NF_C.
  • NF_C receives the NRF_P1 instance ID from NRF_C.
  • This step can be a service response corresponding to S910, or a newly defined service response, which is not limited here.
  • NF_C queries and finds the token corresponding to it according to the instance identifier of NRF_P1.
  • the token generated by the NRF_P carries the instance identifier of the service provider NRF_P. Therefore, the NF_C can find the token carrying the instance ID according to the instance ID of the service provider NRF_P1.
  • NF_C looks up token 1 according to the instance ID of NRF_P1 returned by NRF_C; if the above S901 to S903 were executed (so that S913 to S915 are skipped), NF_C uses the instance ID of NF_P1 to query its saved correspondence between the instance ID of NF_P and the instance ID of NRF_P, obtains the instance ID of NRF_P1, and finds token 1 according to the instance ID of NRF_P1.
  • S917 to S919 are the same as S611 to S613 and are not repeated here.
  • the service requester NF_C requests a token used to access a certain type of service provider NF_P.
  • NRF_C queries the registration information according to the type of NF_P and sends a token request to each NRF_P on which an NF_P of this type is registered, and each NRF_P generates a token for this type of NF_P.
  • the service requester NF_C selects a corresponding token according to the NRF_P identifier, and the subsequent service provider verifies the token.
  • the above method allows multiple tokens to be generated for a certain type of service provider from one token request of the service requester, and the service requester subsequently carries the correct token in the service request, which avoids failure of the service provider's token verification, thereby solving the problem of the token request for a certain type of service provider in the scenario where multiple NRFs are deployed in the same PLMN in the prior art.
  • As shown in FIG. 10, another possible process of the second authorization method provided by the embodiment of the present application is as follows.
  • This process describes authorization in the scenario where the service requester network function network element NF_C is registered on the network storage function NRF_C and a certain type of service provider network function network element NF_P is registered on different NRF_Ps, where the service requester NF_C is located in the service network and the service provider NF_P is located in the home network, that is, authorization in the roaming scenario. The scenario is shown in Figure 4-b.
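The token issuance, selection and verification steps of the two same-PLMN embodiments above (tokens requested by NF_P instance identifier, and by NF_P type), as an added Python example that is not part of the patent text. It uses the shared-key option with HMAC-SHA256; the JWT-style claim names, the key values, the SMF type, the service name and all function names are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json

# Constructed registration data shared among the NRFs:
# NF_P instance identifier -> (NF type, NRF_P it is registered on).
REGISTRATION = {
    "NF_P1": ("SMF", "NRF_P1"),
    "NF_P2": ("SMF", "NRF_P2"),
    "NF_P3": ("SMF", "NRF_P2"),
}
# Constructed keys; each NRF_P shares one with the NF_Ps registered on it.
SHARED_KEYS = {"NRF_P1": b"constructed-key-1", "NRF_P2": b"constructed-key-2"}


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _tag(nrf_p, body):
    return hmac.new(SHARED_KEYS[nrf_p], body.encode(), hashlib.sha256).digest()


def issue_token(nrf_p, nf_c, audience, service, now, ttl=300):
    """NRF_P: build the claims, then integrity-protect them with the shared key."""
    claims = {"iss": nrf_p, "sub": nf_c, "aud": audience,
              "scope": service, "exp": now + ttl}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    return body + "." + _b64(_tag(nrf_p, body))


def request_tokens(nf_c, service, now, instances=None, nf_type=None):
    """NRF_C: determine the target NRF_Ps and collect one token from each.

    Pass either NF_P instance identifiers or an NF_P type. Returns the tokens
    and the NF_P -> NRF_P correspondence that NF_C saves.
    """
    wanted = [p for p, (typ, _) in REGISTRATION.items()
              if (instances and p in instances) or (nf_type and typ == nf_type)]
    groups = {}
    for nf_p in wanted:
        groups.setdefault(REGISTRATION[nf_p][1], []).append(nf_p)
    tokens = [issue_token(nrf_p, nf_c, nf_type or sorted(group), service, now)
              for nrf_p, group in groups.items()]
    return tokens, {p: REGISTRATION[p][1] for p in wanted}


def claims_of(token):
    """Decode the claims without verifying them; NF_C only uses this to pick a token."""
    return json.loads(_unb64(token.split(".")[0]))


def select_token(tokens, mapping, nf_p):
    """NF_C: pick the token naming nf_p, else the one issued by nf_p's NRF_P."""
    for token in tokens:
        aud = claims_of(token)["aud"]
        if isinstance(aud, list) and nf_p in aud:
            return token
    for token in tokens:
        if claims_of(token)["iss"] == mapping[nf_p]:
            return token
    raise LookupError("no token for " + nf_p)


def verify_at_provider(nf_p, token, nf_c, service, now):
    """NF_P: integrity verification with its own NRF_P's key, then the claim checks."""
    nf_type, own_nrf = REGISTRATION[nf_p]
    try:
        body, tag = token.split(".")
        if not hmac.compare_digest(_tag(own_nrf, body), _unb64(tag)):
            return "integrity check failed"
        claims = json.loads(_unb64(body))
    except ValueError:
        return "malformed token"
    aud = claims.get("aud")
    if claims.get("iss") != own_nrf:
        return "unexpected issuer"
    if not (aud == nf_type or (isinstance(aud, list) and nf_p in aud)):
        return "token not issued for this provider"
    if claims.get("sub") != nf_c or claims.get("scope") != service:
        return "requester or service mismatch"
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        return "token expired"
    return "ok"


if __name__ == "__main__":
    svc, now = "nsmf-pdusession", 1_700_000_000  # constructed sample values
    for kwargs in ({"instances": ["NF_P1", "NF_P2", "NF_P3"]}, {"nf_type": "SMF"}):
        tokens, mapping = request_tokens("NF_C", svc, now, **kwargs)
        right = select_token(tokens, mapping, "NF_P1")
        wrong = select_token(tokens, mapping, "NF_P2")
        print(kwargs, verify_at_provider("NF_P1", right, "NF_C", svc, now),
              "|", verify_at_provider("NF_P1", wrong, "NF_C", svc, now))
```

In the type-based case every token carries the same provider type, so only the issuer distinguishes them, which is why NF_C needs the saved NF_P to NRF_P correspondence to present a token that the chosen provider can verify.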
  • This scenario involves seven network elements, including the service requester NF_C and the corresponding NRF_C in the service network cPLMN, the first network storage function NRF_P0 in the home network pPLMN, the service provider NF_P1 and the corresponding NRF_P1, the service provider NF_P2 and the corresponding NRF_P2.
  • the NRF_P0 may be a network storage function deployed in the pPLMN that is specifically responsible for receiving roaming requests, or it may be any network storage function in the pPLMN.
  • each NF is registered with its corresponding NRF, and registration information is shared between each NRF. For details, see S700.
  • the service requester NF_C initiates an NF discovery process to NRF_C, and NRF_C returns to NF_C information that can provide specific NF services or a group of NFs belonging to the target NF type.
  • the information that may be contained is detailed in S300 and is not repeated here. The information in this embodiment includes instance identifiers of NF_P1, NF_P2, and NF_P3.
  • the optional service discovery step described above can be performed after the token request step, that is, between S1015 and S1016.
  • If steps S1001 to S1003 are executed, the above service discovery step need not be executed.
  • S1001 to S1003 are the same as S901 to S903, and will not be repeated here.
  • the service requester NF_C sends a first token request to the registered network storage function network element NRF_C, and the network storage function network element NRF_C receives the first token request.
  • the first token request carries the identity of the service requester, that is, the identity of NF_C, including the instance identity and type of NF_C and the PLMN ID of the network to which it belongs, that is, the ID of the cPLMN; the first token request also carries the identifier of the service provider NF_P, which includes the type of NF_P and the PLMN ID of the network to which it belongs, that is, the ID of the pPLMN.
  • the first token request may also carry other parameters required for authorization and token generation, such as the requested service name.
  • S1005 is the same as S702, and will not be repeated here.
  • S1006 is the same as S703, and will not be repeated here.
  • the network storage function NRF_P0 determines, by querying the registration information, the identities of all target NRFs corresponding to the type of the service provider NF_P in the first token request, such as the instance identities and/or FQDNs of NRF_P1 and NRF_P2 in this embodiment, or another identification or address of NRF_P, which is not restricted in this application;
  • the target NRFs are all other NRFs in the same home network as the NRF_P0, that is, NRF_P1 and NRF_P2; optionally, in other scenarios, the target NRF may be the NRF_P0 itself, in which case the NRF_P0 performs authorization according to the information in the first token request, generates the token after the authorization is successful, and protects the integrity of the token.
  • NRF_P0 sends a second token request to each NRF_P corresponding to the type of service provider NF_P, where the token request includes the type of NF_P and/or one or more NF_P instance identifiers. In this step, NRF_P0 sends the second token request to NRF_P1.
  • NRF_P1 performs authorization, generates a token and performs integrity protection.
  • After receiving the second token request, the NRF_P1 corresponding to the service provider network function network element NF_P1 obtains the information in the second token request and combines it with locally configured policies or authorization information for authorization, and NRF_P1 generates a token after successful authorization. In addition, NRF_P1 uses the shared key with the service provider NF_P1 or uses its own private key to protect the integrity of the token.
  • the token generated by NRF_P1 carries the identity of the token issuer, that is, the instance identity of NRF_P1.
  • the token also carries information such as the instance ID of the service requester NF_C and the ID of the public land mobile network (PLMN) to which it belongs, the type of the service provider NF_P1 and the ID of the PLMN to which it belongs, the requested service name, and the validity period of the token.
  • the NRF_P1 corresponding to the service provider sends a token to the NRF_C corresponding to the service requester, and correspondingly, the NRF_C corresponding to the service requester receives the token from the NRF_P1.
  • NRF_C sends a second token request to NRF_P2, and NRF_P2 performs authorization, generates a token and returns the token to NRF_C; the specific content is the same as S1005 to S1007.
  • S1008 to S1010 and S1011 to S1013 have no strict execution order, and their order can be exchanged.
  • NRF_P0 receives the token from each NRF_P and sends it to NRF_C, and the corresponding NRF_C receives the token sent by NRF_P0.
  • the NRF_P0 sends the token generated by the NRF_P0 and/or received by the NRF_P0 to the NRF_C.
  • the NRF_C sends the received token to the service requester network element NF_C.
  • S1016 to S1022 take NF_P1 as an example, and describe the steps in which the service requester NF_C selects the corresponding token to request the service from the service provider NF_P.
  • the specific content is the same as S913 to S919, and will not be repeated here.
  • in this embodiment, the NRF_C on which the service requester NF_C located in the service network cPLMN is registered forwards the token request to the first network storage function NRF_P0 located in the home network pPLMN, and NRF_P0 determines the target NRF_Ps in the pPLMN according to the type of the service provider NF_P and sends a token request to each of them.
  • an embodiment of the present application provides an apparatus 1100, which includes a receiving module 1101, a processing module 1102, and a sending module 1103.
  • the device 1100 can be used for NRF_C, and the device can perform the operations performed by the NRF_C in the foregoing method embodiments.
  • the receiving module 1101 is used to receive the first token request; the processing module 1102 is used to determine the target network storage function network element NRF on which each network function network element is registered; the sending module 1103 is used to send a second token request to each target NRF; the receiving module 1101 is also used to receive the token fed back by the target NRF; the sending module 1103 is also used to send the token received by the receiving module 1101 to the token requester, that is, NF_C in FIG. 7.
  • the device 1100 can also be used for NF_C, and the device can perform operations performed by NF_C in the foregoing method embodiments.
  • the sending module 1103 is used to send the first token request to NRF_C; the receiving module 1101 is used to receive the token sent by NRF_C; the processing module 1102 is used to determine the token carried in the service request
  • the sending module 1103 is also used to send service requests to the service provider network element; the receiving module 1101 is also used to receive service requests fed back by the service provider.
  • the device 1100 can also be used for NF_P.
  • the device can perform the operations performed by NF_P in the foregoing method embodiments.
  • the NF_P can be NF_P1, or NF_P2, NF_P3.
  • the receiving module 1101 is used to receive the service request of the service requester; the processing module 1102 is used to verify the token in the service request; the sending module 1103 is used to return the service response to the service requester.
  • the device 1100 can also be used for NRF_P0, and the device can perform the operations performed by NRF_P0 in the foregoing method embodiments.
  • the receiving module 1101 is used to receive the first token request; the processing module 1102 is used to determine the target network function NRF on which each network function network element is registered; the sending module 1103 is used to send a second token request to each target NRF.
  • the receiving module 1101 is also used to receive the token fed back by the target NRF; the sending module 1103 is also used to send the token received by the receiving module 1101 to the token requester, that is, the NRF_C in FIG. 8.
  • the device 1100 can also be used for NRF_P.
  • the device can perform the operations performed by NRF_P in the foregoing method embodiments.
  • the NRF_P can be NRF_P1 or NRF_P2.
  • the receiving module 1101 is used to receive the second token request;
  • the processing module 1102 is used to combine the locally configured policy or authorization information according to the information carried in the token request received by the receiving module 1101
  • the processing module 1102 is also used to perform integrity protection on the generated token;
  • the sending module 1103 is used to send the token generated and protected by the processing module 1102 to the token requester.
  • an embodiment of the present application further provides a device 1200.
  • the device 1200 includes a processor 1201, a communication interface 1202, and a memory 1203.
  • the processor 1201 is used to execute program instructions, and when the program is executed, the processor 1202 executes operations performed by NRF_C, NF_C, NF_P, NRF_P, or NRF_P0 in each authorization method provided in the foregoing embodiment.
  • the processor 902 may be, but is not limited to, a central processing unit (Central Processing Unit, CPU), a network processor (Network Processor, NP), or a combination of CPU and NP.
  • When the processor 1201 is a CPU, the CPU may be a single-core CPU or a multi-core CPU.
  • the processor 1201 may further include a hardware chip.
  • the aforementioned hardware chip may be an application-specific integrated circuit (ASIC), a programmable logic device (Programmable Logic Device, PLD), or a combination thereof.
  • the above-mentioned PLD may be a complex programmable logic device (Complex Programmable Logic Device, CPLD), a field programmable logic gate array (Field-Programmable Gate Array, FPGA), a general array logic (Generic Array Logic, GAL) or any combination thereof.
  • the communication interface 1202 is used to communicate with other devices under the control of the processor 1201, such as sending data and/or receiving data.
  • the sending module and the receiving module in FIG. 7 can be implemented through the communication interface 1202.
  • the memory 1203 is used to store programs executed by the processor 1201.
  • the memory 1203 may include, but is not limited to, random access memory (Random Access Memory, RAM), read-only memory (Read-Only Memory, ROM), erasable programmable read-only memory (Erasable Programmable Read-Only Memory, EPROM), compact disc read-only memory (Compact Disc Read-Only Memory, CD-ROM), flash memory, a hard disk drive (HDD) or a solid-state drive (SSD); the memory 1203 may also include any combination of the above types of memory.
  • the embodiment of the present application provides a computer-readable storage medium that stores a computer program, and the computer program includes instructions for executing the method provided in the foregoing embodiment.
  • the embodiments of the present application provide a computer program product containing instructions, which when run on a computer, cause the computer to execute the method provided in the above-mentioned embodiments.
  • this application can be provided as methods, devices, equipment (systems) or computer program products. Therefore, this application may adopt the form of a complete hardware embodiment, a complete software embodiment, or an embodiment combining software and hardware. Moreover, this application may adopt the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) containing computer-usable program codes.
  • These computer program instructions can also be stored in a computer-readable memory that can guide a computer or other programmable data processing equipment to work in a specific manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including the instruction device.
  • the device implements the functions specified in one process or multiple processes in the flowchart and/or one block or multiple blocks in the block diagram.
  • These computer program instructions can also be loaded on a computer or other programmable data processing equipment, so that a series of operation steps are executed on the computer or other programmable equipment to produce computer-implemented processing, so as to execute on the computer or other programmable equipment.
  • the instructions provide steps for implementing the functions specified in one process or multiple processes in the flowchart and/or one block or multiple blocks in the block diagram.

Abstract

Embodiments of the present application provide an authorization method and device for a network function service. The method comprises: a first network repository function (NRF) network element receives a first token request, the first token request comprising an identifier of a service provider network function NF_P; the first NRF determines, according to the identifier, the target NRF network element with which each service provider NF_P is registered; if the target NRF comprises a second NRF network element, the first NRF sends a second token request to the second NRF; the second NRF generates a token according to the second token request and returns it to the first NRF; upon receipt of the token sent by the second NRF, the first NRF sends the generated and/or received token to the token requester. This technical solution solves the authorization problem in scenarios in which the same public land mobile network (PLMN) comprises a plurality of NRFs.

Description

An authorization method and device in multiple NRF scenarios

This application claims priority to Chinese patent application No. 201910860117.X, filed with the State Intellectual Property Office on September 11, 2019 and entitled "An authorization method in multiple NRF scenarios", the entire content of which is incorporated herein by reference.

Technical field

Embodiments of the present invention relate to the field of communication technology, and in particular to an authorization method in multiple NRF scenarios.

Background

The fifth generation mobile communication system (the Fifth Generation, 5G) adopts a service-based architecture (Service Based Architecture, SBA). The 3rd Generation Partnership Project (3GPP) has also proposed an enhancement of the service-based architecture (enhancement of Service Based Architecture, eSBA). In SBA or eSBA, a network function (Network Function, NF) allows other authorized NFs to access its services. The network repository function (NF Repository Function, NRF) provides management, discovery, authorization and other services for NFs. An NF requests authorization from the NRF to obtain a token for a service and, using this token, requests the service from another NF that owns it; after the other NF successfully verifies the token, it returns a service response.

Currently, the standards of 3GPP Service and System Aspects Working Group 2 (SA2) specify that an NRF may be deployed at the public land mobile network (Public Land Mobile Network, PLMN) level or at the slice level, that is, two or more NRFs may be deployed within the same PLMN. Each NRF provides registration, service discovery, authorization and other services for the NFs it manages. NFs managed by different NRFs cannot access one another directly; they can complete discovery, authorization and similar procedures only through the NRFs with which they are each registered.

The authorization procedure currently defined by 3GPP Service and System Aspects Working Group 3 (SA3) considers only the case in which a single NRF is deployed within a PLMN, that is, all NFs in the same PLMN are registered with the same NRF, which manages and authorizes them. Authorization in the scenario above, where multiple NRFs are deployed within the same PLMN, is not considered in the 3GPP standards, and the existing authorization mechanism cannot solve the authorization problem in multiple NRF scenarios.

Summary of the invention

This application proposes an authorization method and device in multiple NRF scenarios, to solve the authorization problem in such scenarios. The authorization method involves a first network repository function NRF, a second network repository function NRF, a service requester network function (Service Consumer) and a service provider network function (Service Producer). The first NRF may be NRF_C or NRF_P0, the second NRF may be NRF_P, the service requester network function may be NF_C, and the service provider network function may be NF_P. Terms such as "first" and "second" are used only to distinguish between the items described; they are not to be understood as indicating or implying relative importance or order. In addition, "A and/or B" in this application covers three cases: A alone, B alone, or both A and B.

In a first aspect, an authorization method is provided. The method applies to a scenario in which a network function NF_C requests a token from one or more network functions NF_P registered under different network repository functions NRF. The method includes: the service requester network function network element NF_C sends, to the network repository function network element NRF_C with which it is registered, a first token request containing the identifier of a service provider network function network element NF_P; the NRF_C uses the identifiers of the one or more NF_Ps in the received first token request to query registration information and determine the target NRF with which each NF_P is registered; when the target NRF is the NRF_C with which the NF_C is registered, the NRF_C performs authorization according to the information in the first token request and, after authorization succeeds, generates a token, where the token contains information such as the instance identifier of the token issuer NRF_C and the instance identifier of the service provider NF_P.

It should be noted that the registration information is the network function registration information stored by the NRF_C, and/or the network function registration information stored on other NRFs in the PLMN to which the NRF_C belongs and obtained by the NRF_C, before the NRF_C receives the first token request.

The registration information includes network function profiles (NF Profiles), and/or the correspondence between the identifier of the NF_P and the identifier of the NRF_P with which the NF_P is registered.

Optionally, the target NRF may be the NRF_C with which the NF_C is registered, or may be one or more other network repository functions NRF_P.

Optionally, if the target NRF includes the one or more NRF_Ps, the NRF_C sends a second token request to the one or more NRF_Ps, where the second token request contains the instance identifiers of the one or more NF_Ps corresponding to each NRF_P. The one or more NRF_Ps may be in the same PLMN as the NRF_C.

In another implementation, the NRF_C and the NRF_P are in different PLMNs, that is, the NRF_C is in the serving network and the one or more NRF_Ps are in the home network. In this case, the NRF_C forwards the first token request from the NF_C to a network repository function NRF_P0 in the home network, where the NRF_P0 may be an NRF deployed in the home network and dedicated to receiving roaming information, or may be any NRF in the home network; this is not limited here. The NRF_P0 uses the identifier of the NF_P in the first token request to query registration information and determine the target NRF with which each NF_P is registered;

If the target NRF includes one or more other network repository functions NRF_P, the NRF_P0 sends a second token request to each NRF_P, where the second token request contains the instance identifiers of the one or more NF_Ps corresponding to each NRF_P. After receiving the second token request, each NRF_P performs authorization according to the information in the second token request, generates a token, and returns the token to the sender of the token request, that is, the NRF_C or the NRF_P0, where the token contains information such as the instance identifier of the token issuer NRF_P and the instance identifier of the service provider NF_P.

The registration information is the registration information of network functions that is stored by the NRF_P0, and/or stored on other NRFs in the home network and obtained by the NRF_P0, before the NRF_P0 receives the first token request.

The registration information includes network function profiles, and/or the correspondence between the identifier of the NF_P and the identifier of the NRF_P with which the NF_P is registered.

Optionally, the target NRF may be the NRF_P0, in which case the NRF_P0 performs authorization according to the information in the first token request and generates a token.

After receiving the tokens sent by the NRF_Ps, the NRF_P0 sends the generated token and/or the received tokens to the NRF_C.

After generating a token and/or receiving tokens, the NRF_C sends the generated and/or received tokens to the service requester network function network element NF_C.

After receiving the tokens, the NF_C selects the token corresponding to the service provider network function network element NF_P and sends a service request carrying the token to the NF_P. Specifically, before the service request, the NF_C checks the claims (Claim) of each token against the instance identifier of the NF_P, where the token claims include the identifier of a service provider network function network element; the NF_C uses the token whose claims carry a service provider network function network element identifier that matches the identifier of the NF_P.
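
The routing and token selection steps of the first aspect (same-PLMN case), as an added example that is not code from the patent: NRF_C resolves each NF_P to its target NRF, issues locally or sends a second token request, and NF_C picks a token by its claims. The class, function and claim names, the constructed identifiers and keys, and the use of an HMAC-SHA256 tag (with a key shared between the issuing NRF and the NF_P) as the integrity protection are assumptions; the page does not specify a token format.

```python
import base64
import hashlib
import hmac
import json


class NRF:
    """One NRF: knows which NF_Ps are registered with it and issues tokens for them."""

    def __init__(self, nrf_id, key, registered_nf_ps, allowed_consumers):
        self.nrf_id = nrf_id
        self.key = key                             # integrity key (assumption: HMAC)
        self.registered = set(registered_nf_ps)    # NF_P instance ids registered here
        self.allowed = set(allowed_consumers)      # locally configured policy (assumed form)
        # Registration information: NF_P instance id -> NRF it is registered with.
        self.nf_p_to_nrf = {nf_p: self for nf_p in self.registered}

    def learn_registrations(self, peer):
        """Registration info obtained from another NRF before any token request."""
        for nf_p in peer.registered:
            self.nf_p_to_nrf[nf_p] = peer

    def _issue(self, consumer_id, nf_p_id):
        claims = {"issuer_nrf": self.nrf_id, "consumer_nf": consumer_id,
                  "producer_nf": nf_p_id}
        body = base64.urlsafe_b64encode(
            json.dumps(claims, sort_keys=True).encode()).decode()
        tag = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        return body + "." + tag

    def handle_second_token_request(self, consumer_id, nf_p_ids):
        """Authorize, then issue one token per NF_P registered with this NRF."""
        if consumer_id not in self.allowed:
            return []
        return [self._issue(consumer_id, nf_p)
                for nf_p in nf_p_ids if nf_p in self.registered]

    def handle_first_token_request(self, consumer_id, nf_p_ids):
        """NRF_C role: find each NF_P's target NRF, then issue locally or forward."""
        by_target = {}
        for nf_p in nf_p_ids:
            target = self.nf_p_to_nrf.get(nf_p)
            if target is not None:                 # unknown NF_P: no token is returned
                by_target.setdefault(target.nrf_id, (target, []))[1].append(nf_p)
        tokens = []
        for target, ids in by_target.values():     # target may be this NRF itself
            tokens.extend(target.handle_second_token_request(consumer_id, ids))
        return tokens


def read_claims(token):
    """Decode the claims without checking the tag (NF_C only needs to read them)."""
    return json.loads(base64.urlsafe_b64decode(token.split(".", 1)[0]))


def select_token(tokens, nf_p_id):
    """NF_C side: pick the token whose producer claim matches the NF_P to be called."""
    for token in tokens:
        if read_claims(token)["producer_nf"] == nf_p_id:
            return token
    return None


def verify_at_producer(token, issuer_key, own_nf_p_id):
    """NF_P side: check the integrity tag first, then that the token names this NF_P."""
    body, _, tag = token.partition(".")
    expected = hmac.new(issuer_key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return False
    return read_claims(token)["producer_nf"] == own_nf_p_id


def build_constructed_plmn():
    """Constructed sample deployment: one PLMN with three NRFs and three NF_Ps."""
    keys = {"NRF_C": b"constructed-key-c", "NRF_P1": b"constructed-key-p1",
            "NRF_P2": b"constructed-key-p2"}
    nrf_c = NRF("NRF_C", keys["NRF_C"], ["nfp-1"], ["nfc-1"])
    nrf_p1 = NRF("NRF_P1", keys["NRF_P1"], ["nfp-2"], ["nfc-1"])
    nrf_p2 = NRF("NRF_P2", keys["NRF_P2"], ["nfp-3"], ["nfc-1"])
    nrf_c.learn_registrations(nrf_p1)
    nrf_c.learn_registrations(nrf_p2)
    return nrf_c, keys


if __name__ == "__main__":
    nrf_c, keys = build_constructed_plmn()
    tokens = nrf_c.handle_first_token_request("nfc-1", ["nfp-1", "nfp-2", "nfp-3"])
    chosen = select_token(tokens, "nfp-2")
    print(read_claims(chosen), verify_at_producer(chosen, keys["NRF_P1"], "nfp-2"))
```

A token presented to an NF_P other than the one named in its claims fails `verify_at_producer` even though its tag is valid, which is why the provider identifier has to be inside the integrity-protected part.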

In a second aspect, an authorization method is provided. The method applies to a scenario in which a network function NF_C requests a token from one or more network functions NF_P of the same type registered under different network repository functions NRF. The method includes: the service requester network function network element NF_C sends a first token request to the network repository function network element NRF_C with which it is registered, where the first token request contains the type of the service provider network function network element NF_P; the NRF_C uses the type of the NF_P to query registration information and determine the target NRF with which each of the one or more NF_Ps of that type is registered;

When the target NRF is the NRF_C with which the NF_C is registered, the NRF_C performs authorization according to the information in the first token request and, after authorization succeeds, generates a token, where the token contains information such as the instance identifier of the token issuer NRF_C and the type of the service provider NF_P.

The registration information is the network function registration information stored by the NRF_C, and/or the network function registration information stored on other NRFs in the PLMN to which the NRF_C belongs and obtained by the NRF_C, before the NRF_C receives the first token request.

The registration information includes network function profiles (NF Profiles), and/or the correspondence between the identifier of the NF_P and the identifier of the NRF_P with which the NF_P is registered.

Optionally, the target NRF may be the NRF_C with which the NF_C is registered, or may be one or more other network repository functions NRF_P.

Optionally, when the target NRF includes one or more NRF_Ps, the NRF_C sends a second token request to the one or more NRF_Ps, where the second token request carries the type of the NF_P registered with the NRF_P and/or the instance identifier of the NF_P. In response to the second token request, the NRF_P generates a token and sends the token to the NRF_C. The one or more NRF_Ps may be in the same PLMN as the NRF_C.

In addition, in one implementation, the NRF_C and the NRF_P are in different PLMNs, that is, the NRF_C is in the serving network and the one or more NRF_Ps are in the home network. In this case, the NRF_C forwards the first token request from the NF_C to a network repository function NRF_P0 in the home network, where the NRF_P0 may be an NRF deployed in the home network and dedicated to receiving roaming information, or may be any NRF in the home network; this is not limited here.

The NRF_P0 uses the type of the NF_P to query registration information and determine the target NRF with which each of the one or more NF_Ps of that type is registered;

The registration information is the registration information of network functions that is stored by the NRF_P0, and/or stored on other NRFs in the home network and obtained by the NRF_P0, before the NRF_P0 receives the first token request.

The registration information includes network function profiles (NF Profiles), and/or the correspondence between the identifier of the NF_P and the identifier of the NRF_P with which the NF_P is registered.

Optionally, the target NRF may be the NRF_P0, in which case the NRF_P0 performs authorization according to the information in the first token request and generates a token.

Optionally, the target NRF includes one or more other network repository functions NRF_P located in the home network, in which case the NRF_P0 sends a second token request to each NRF_P, where the second token request carries the type of the NF_P registered with the NRF_P and/or the instance identifier of the NF_P.

After receiving the second token request, each NRF_P performs authorization according to the information in the token request, generates a token, and returns the token to the sender of the token request, that is, the NRF_C or the NRF_P0, where the token contains information such as the instance identifier of the token issuer NRF_C and the type of the service provider NF_P.

After receiving the tokens sent by the NRF_Ps, the NRF_P0 sends the generated token and/or the received tokens to the NRF_C.

After generating a token and/or receiving tokens, the NRF_C sends the generated and/or received tokens to the service requester network function network element NF_C.

After receiving the tokens, the NF_C selects the token corresponding to the service provider network function network element NF_P and sends a service request carrying the token to the NF_P.

Specifically, before the service request, the NF_C selects, from the tokens returned by the NRF_C, the token corresponding to the current NF_P according to the instance identifier of the NRF_P with which the service provider NF_P is registered.

Optionally, before obtaining the tokens, the NF_C may use the service discovery procedure to obtain, from the NRF_C with which it is registered, the instance identifiers of the NRF_Ps with which the NF_Ps of the type described in this solution are registered, and store the correspondence between the instance identifier of each NF_P and the instance identifier of its NRF_P. The NF_C can then look up the instance identifier of the NRF_P from the instance identifier of the NF_P, and check the claims (Claim) of each token against the instance identifier of the NRF_P, where the token claims include the identifier of a network repository function network element; the NF_C uses the token whose claims carry a network repository function network element identifier that matches the identifier of the NRF_P with which the NF_P is registered.

Optionally, after obtaining the tokens, the NF_C may request the NRF_C with which it is registered to look up the instance identifier of the NRF_P; the NRF_C queries registration information according to the instance identifier of the NF_P and returns to the NF_C the instance identifier of the NRF_P with which the NF_P is registered. The NF_C checks the claims (Claim) of each token against the received instance identifier of the NRF_P, where the token claims include the identifier of a network repository function network element; the NF_C uses the token whose claims carry a network repository function network element identifier that matches the identifier of the NRF_P with which the NF_P is registered.

In a third aspect, an authorization method is provided. The method includes: the service requester network function network element NF_C sends a token request to the network repository function network element NRF_C with which it is registered, where the token request contains the instance identifiers of one or more service provider network functions NF_P or the type of the service provider network function NF_P; the token request also contains other information related to the service request, which is not limited here;

In one possible design, when the token request contains the instance identifier of the NF_P, the NRF_C queries registration information according to the instance identifiers of the one or more NF_Ps to determine the target NRF with which each NF_P is registered;

In another possible design, when the token request contains the type of the NF_P, the NRF_C queries registration information according to the type of the NF_P to determine the target NRF with which each of the one or more NF_Ps of that type is registered;

Optionally, the target NRF may be the NRF_C with which the NF_C is registered, in which case the NRF_C performs authorization according to the information in the token request and, after authorization succeeds, generates a token and returns it to the NF_C. The token contains information such as the instance identifier of the token issuer NRF_C and the instance identifier or type of the service provider NF_P.

Optionally, the target NRF includes one or more other network repository function network elements NRF_P. In this case, the NRF_C returns to the NF_C the instance identifier of the NRF_P with which each NF_P is registered.

After receiving the instance identifiers of the one or more NRF_Ps, the NF_C sends a token request to each NRF_P according to the instance identifier of the NRF_P, where the token request contains the instance identifier or type of the NF_P; the token request also contains other information related to the service request, which is not limited here;

After receiving the token request, each NRF_P performs authorization according to the information in the token request, generates a token, and returns the token to the sender of the token request, the NF_C. The token contains information such as the instance identifier of the token issuer NRF_P and the instance identifier or type of the service provider NF_P.

After receiving the tokens, the NF_C selects the token corresponding to the service provider NF_P and sends a service request carrying the token to the NF_P. The token selection method depends on the NF_P information contained in the token: when the token contains the instance identifier of the NF_P, the token selection method is the same as the token selection step described in the first aspect; when the token contains the type of the NF_P, it is the same as the token selection step described in the second aspect. Details are not repeated here.

In a fourth aspect, an authorization device is provided, including: a receiving module, configured to receive a first token request, where the first token request contains the identifier or type of a service provider network function network element NF_P; a processing module, configured to determine the target network repository function network element NRF with which each service provider NF_P is registered, where the processing module uses the instance identifier or type of the NF_P to query registration information and determine the target NRF; and a sending module, configured to send a second token request to the target NRF;

The receiving module is further configured to receive the token returned by the target NRF;

The processing module may further be configured to perform authorization according to the information in the token request and generate a token; when the device and the NF_P are located in different PLMNs, the processing module is further configured to determine the network repository function NRF_P0 in the home network in which the NF_P is located;

The sending module is further configured to return, to the sender of the token request, the token generated by the processing module and/or the token received by the receiving module; when the device and the NF_P are located in different PLMNs, the sending module is configured to forward the first token request to the NRF_P0.

The device has the function of implementing the behavior of the network repository function network element NRF_C in any possible design of the first aspect.

In a fifth aspect, another authorization device is provided, including: a receiving module, configured to receive a first token request, where the first token request contains the type of a service provider network function network element NF_P; a processing module, configured to determine the target network repository function network element NRF with which each service provider NF_P is registered, where the processing module is configured to determine the target NRF by querying registration information according to the type of the NF_P; and a sending module, configured to send a second token request to the target NRF;

The receiving module is further configured to receive the token returned by the target NRF;

The processing module may further be configured to perform authorization according to the information in the first token request and generate a token; when the device and the NF_P are located in different PLMNs, the processing module is further configured to determine the network repository function NRF_P0 in the home network in which the NF_P is located;

The sending module is further configured to return, to the sender of the first token request, the token generated by the processing module and/or the token received by the receiving module; when the device and the NF_P are located in different PLMNs, the sending module is configured to forward the first token request to the NRF_P0.

The device has the function of implementing the behavior of the network repository function network element NRF_C in any possible design of the second aspect.

In a sixth aspect, another authorization device is provided, including: a sending module, configured to send a first token request, where the first token request contains the identifier of a service provider network function network element NF_P; a receiving module, configured to receive the token generated by the network repository function with which the service provider network function network element NF_P is registered; and a processing module, configured to determine the token corresponding to the service provider NF_P; the sending module is further configured to send a service request carrying the token to the service provider NF_P; the receiving module is further configured to receive the service response returned by the service provider NF_P.

The device has the function of implementing the behavior of the network function network element NF_C in any possible design of the first aspect.

In a seventh aspect, another authorization device is provided, including: a sending module, configured to send a first token request, where the first token request contains the type of a service provider network function network element NF_P; a receiving module, configured to receive the token generated by the network repository function with which the service provider network function network element NF_P is registered; and a processing module, configured to determine the token corresponding to the service provider NF_P; the sending module is further configured to send a service request carrying the token to the service provider NF_P; the receiving module is further configured to receive the service response returned by the service provider NF_P.

该装置具有实现上述第二方面的任意一种可能的设计中网络功能网元NF_C行为的功能。The device has the function of realizing the behavior of the network function network element NF_C in any one of the possible designs of the second aspect.

第八方面,提供一种授权装置,包括接收模块,用于接收第一令牌请求,所述第一令牌请求包含服务提供者网络功能网元NF_P的标识;处理模块,用于确定每个服务提供者NF_P所注册的目标网络存储功能网元NRF,所述处理模块根据所述NF_P的实例标识确定目标NRF;发送模块,用于向所述目标NRF发送第二令牌请求;所述接收模块还用于接收所述目标NRF反馈的令牌;所述处理模块还可以用于根据所述第一令牌请求中的信息进行授权并生成令牌;所述发送模块还用于向令牌请求的发送方返回所述处理模块所生成的令牌和/或所述接收模块收到的令牌。In an eighth aspect, an authorization device is provided, including a receiving module, configured to receive a first token request, where the first token request includes an identifier of a service provider network function network element NF_P; a processing module, configured to determine each The target network storage function network element NRF registered by the service provider NF_P, the processing module determines the target NRF according to the instance identifier of the NF_P; the sending module is configured to send a second token request to the target NRF; the receiving The module is also used to receive the token fed back by the target NRF; the processing module can also be used to authorize and generate the token according to the information in the first token request; the sending module is also used to send the token to the The sender of the request returns the token generated by the processing module and/or the token received by the receiving module.

该装置具有实现上述第一方面的任意一种可能的设计中网络存储功能网元NRF_P0行为的功能。The device has the function of realizing the NRF_P0 behavior of the network storage function network element in any one of the possible designs of the first aspect described above.

第九方面,提供又一种授权装置,包括接收模块,用于接收第一令牌请求,所述第一令牌请求包含服务提供者网络功能网元NF_P的类型;处理模块,用于确定每个服务提供者NF_P所注册的目标网络存储功能网元NRF,所述处理模块根据所述NF_P的类型确定目标NRF;发送模块,用于向所述目标NRF发送第二令牌请求;所述接收模块还用于接收所述目标NRF反馈的令牌;所述处理模块还可以用于根据所述第一令牌请求中的信息进行授权并生成令牌;所述发送模块还用于向令牌请求的发送方返回所述处理模块所生成的令牌和/或所述接收模块收到的令牌。In a ninth aspect, another authorization device is provided, including a receiving module, configured to receive a first token request, where the first token request includes the type of the service provider network function network element NF_P; and the processing module is configured to determine each A target network storage function network element NRF registered by a service provider NF_P, the processing module determines a target NRF according to the type of the NF_P; a sending module is used to send a second token request to the target NRF; the receiving The module is also used to receive the token fed back by the target NRF; the processing module can also be used to authorize and generate the token according to the information in the first token request; the sending module is also used to send the token to the The sender of the request returns the token generated by the processing module and/or the token received by the receiving module.

该装置具有实现上述第二方面的任意一种可能的设计中网络存储功能网元NRF_P0行为的功能。The device has the function of realizing the NRF_P0 behavior of the network storage function network element in any one of the possible designs of the second aspect described above.

In a tenth aspect, another authorization device is provided, including:

a receiving module, configured to receive a token request, where the token request includes the type or instance identifier of the service provider network function network element NF_P;

a processing module, configured to perform authorization and generate a token according to the information in the token request; the processing module may further be configured to determine the target network storage function network element NRF with which each service provider NF_P is registered, where the processing module determines the target NRF according to the instance identifier or type of the NF_P;

a sending module, configured to return the token generated by the processing module to the token requester. The sending module is further configured to return to the token requester the instance identifier, determined by the processing module, of the target NRF with which each NF_P is registered.

The device has the function of implementing the behavior of the network storage function network element NRF_C in any possible design of the third aspect above.

In an eleventh aspect, another authorization device is provided, including:

a sending module, configured to send a token request, where the token request includes the instance identifier or type of the service provider network function network element NF_P; the sending module is further configured to send a service request carrying the token to the service provider NF_P;

a receiving module, configured to receive the token generated and sent by NRF_C; the receiving module is further configured to receive the instance identifier, sent by NRF_C, of the NRF_P with which the NF_P is registered; the receiving module is further configured to receive the tokens generated and sent by each NRF_P. The receiving module is further configured to receive the service response fed back by the service provider NF_P.

a processing module, configured to select, before the service request, the token corresponding to the current service provider NF_P from the tokens received by the receiving module;

The device has the function of implementing the behavior of the network storage function network element NF_C in any possible design of the third aspect above.

In a twelfth aspect, a device is provided, including: a storage unit, a communication interface, and a processor coupled to the storage unit and the communication interface; the storage unit is configured to store instructions, the processor is configured to execute the instructions, and the communication interface is configured to communicate with other devices under the control of the processor;

The processor executes the instructions to implement the functions of the NRF_C behavior in any possible design of the first aspect above.

In a thirteenth aspect, another device is provided, including: a storage unit, a communication interface, and a processor coupled to the storage unit and the communication interface; the storage unit is configured to store instructions, the processor is configured to execute the instructions, and the communication interface is configured to communicate with other devices under the control of the processor;

The processor executes the instructions to implement the functions of the NRF_C behavior in any possible design of the second aspect above.

In a fourteenth aspect, another device is provided, including: a storage unit, a communication interface, and a processor coupled to the storage unit and the communication interface; the storage unit is configured to store instructions, the processor is configured to execute the instructions, and the communication interface is configured to communicate with other devices under the control of the processor;

The processor executes the instructions to implement the functions of the NF_C behavior in any possible design of the first aspect above.

In a fifteenth aspect, a device is provided, including: a storage unit, a communication interface, and a processor coupled to the storage unit and the communication interface; the storage unit is configured to store instructions, the processor is configured to execute the instructions, and the communication interface is configured to communicate with other devices under the control of the processor;

The processor executes the instructions to implement the functions of the NF_C behavior in any possible design of the second aspect above.

In a sixteenth aspect, another device is provided, including: a storage unit, a communication interface, and a processor coupled to the storage unit and the communication interface; the storage unit is configured to store instructions, the processor is configured to execute the instructions, and the communication interface is configured to communicate with other devices under the control of the processor;

The processor executes the instructions to implement the functions of the NRF_P0 behavior in any possible design of the first aspect above.

In a seventeenth aspect, another device is provided, including: a storage unit, a communication interface, and a processor coupled to the storage unit and the communication interface; the storage unit is configured to store instructions, the processor is configured to execute the instructions, and the communication interface is configured to communicate with other devices under the control of the processor;

The processor executes the instructions to implement the functions of the NRF_P0 behavior in any possible design of the second aspect above.

In an eighteenth aspect, another device is provided, including: a storage unit, a communication interface, and a processor coupled to the storage unit and the communication interface; the storage unit is configured to store instructions, the processor is configured to execute the instructions, and the communication interface is configured to communicate with other devices under the control of the processor;

The processor executes the instructions to implement the functions of the NRF_C behavior in any possible design of the third aspect above.

In a nineteenth aspect, another device is provided, including: a storage unit, a communication interface, and a processor coupled to the storage unit and the communication interface; the storage unit is configured to store instructions, the processor is configured to execute the instructions, and the communication interface is configured to communicate with other devices under the control of the processor;

The processor executes the instructions to implement the functions of the NF_C behavior in any possible design of the third aspect above.

In a twentieth aspect, a computer-readable storage medium is provided. The computer-readable storage medium stores a program, and the program is executed by a processor to complete some or all of the steps of any method performed by any device provided in the embodiments of this application.

In a twenty-first aspect, a computer program product is provided. When the computer program product runs on a computer device, it causes the computer device to perform some or all of the steps of any method performed by any device provided in the embodiments of this application.

It can be seen that, in the embodiments of this application, the network storage function network element NRF_C receives a first token request carrying information about one or more service provider network function network elements NF_P that are registered under different network storage functions NRF_P. According to the identifier or type of the network function network element NF_P in the token request, NRF_C queries the registration information to determine the network storage function network element NRF_P with which each service provider network function network element NF_P is registered, then sends a second token request to that NRF_P and receives the token it feeds back. Further, NRF_C sends the saved and/or received tokens to the token requester. When requesting a service, the service requester network function network element NF_C that requested the tokens uses the identifier of the service provider network function network element NF_P to find, among the received tokens, the token corresponding to that NF_P, and finally sends a service request carrying the token to the service provider NF_P. It can thus be seen that implementing the embodiments of this application enables authorization in scenarios with multiple NRFs and fills the gap in the existing authorization mechanism.
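The flow summarized above, as an added Python sketch that is not part of the patent text: NRF_C resolves each NF_P to the NRF it is registered with, forwards the second token request, and NF_C then has to present the token that matches the NF_P it calls. The instance IDs, keys, service name and claim layout (`iss`/`sub`/`aud`/`scope`/`exp`) are constructed, and an HMAC key shared between an NRF and its NF_Ps stands in for the token signature, which this passage does not specify.

```python
import base64, hashlib, hmac, json, time
from typing import Optional

def sign(key: bytes, claims: dict) -> str:
    # Assumption: HMAC-SHA256 stands in for whatever signature the NRF uses.
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    return body + "." + hmac.new(key, body.encode(), hashlib.sha256).hexdigest()

def verify(key: bytes, token: str) -> Optional[dict]:
    body, _, mac = token.partition(".")
    good = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac.encode(), good.encode()):
        return None
    return json.loads(base64.urlsafe_b64decode(body))

class NRF:
    def __init__(self, instance_id: str, key: bytes):
        self.instance_id, self.key = instance_id, key
        self.local_nfs = {}   # NF instance ID -> profile of NFs registered here
        self.peers = {}       # NRF instance ID -> peer NRF
        self.nf_to_nrf = {}   # registration info: NF instance ID -> NRF instance ID

    def register_nf(self, nf_id: str, nf_type: str, services: list) -> None:
        self.local_nfs[nf_id] = {"type": nf_type, "services": set(services)}
        self.nf_to_nrf[nf_id] = self.instance_id

    def learn_peer(self, peer: "NRF") -> None:
        # NRFs hold each other's registration information before authorization starts.
        self.peers[peer.instance_id] = peer
        for nf_id in peer.local_nfs:
            self.nf_to_nrf[nf_id] = peer.instance_id

    def issue_token(self, consumer_id: str, producer_id: str, service: str) -> Optional[str]:
        # Only the NRF that the NF_P is registered with generates its token.
        profile = self.local_nfs.get(producer_id)
        if profile is None or service not in profile["services"]:
            return None
        claims = {"iss": self.instance_id, "sub": consumer_id, "aud": producer_id,
                  "scope": service, "exp": int(time.time()) + 300}
        return sign(self.key, claims)

    def handle_first_token_request(self, consumer_id, producer_ids, service) -> dict:
        # NRF_C role: returns {NF_P instance ID: token} to the requester.
        if consumer_id not in self.local_nfs:
            return {}                      # requester is not registered with this NRF
        tokens = {}
        for pid in producer_ids:
            target = self.nf_to_nrf.get(pid)
            if target is None:
                continue                   # no registration info: no token
            issuer = self if target == self.instance_id else self.peers[target]
            tok = issuer.issue_token(consumer_id, pid, service)  # second token request
            if tok is not None:
                tokens[pid] = tok
        return tokens

class Producer:
    def __init__(self, instance_id: str, nrf_key: bytes):
        self.instance_id, self.nrf_key = instance_id, nrf_key

    def serve(self, token: str, service: str) -> str:
        claims = verify(self.nrf_key, token)
        if claims is None:
            return "401 bad signature"
        if claims["aud"] != self.instance_id:
            return "403 wrong audience"
        if claims["scope"] != service or claims["exp"] < time.time():
            return "403 wrong scope or expired"
        return "200 OK"

def demo() -> dict:
    # Constructed topology: one NF_P on NRF_P1, two on NRF_P2, NF_C on NRF_C.
    nrf_c, nrf_p1, nrf_p2 = NRF("nrf-c", b"k-c"), NRF("nrf-p1", b"k-p1"), NRF("nrf-p2", b"k-p2")
    svc = "nsmf-pdusession"
    nrf_p1.register_nf("smf-1", "SMF", [svc])
    nrf_p2.register_nf("smf-2", "SMF", [svc])
    nrf_p2.register_nf("smf-3", "SMF", [svc])
    nrf_c.register_nf("amf-1", "AMF", [])
    nrf_c.learn_peer(nrf_p1)
    nrf_c.learn_peer(nrf_p2)
    tokens = nrf_c.handle_first_token_request(
        "amf-1", ["smf-1", "smf-2", "smf-3", "ghost-9"], svc)
    smf2 = Producer("smf-2", nrf_p2.key)
    return {
        "issued_for": sorted(tokens),
        "matching": smf2.serve(tokens["smf-2"], svc),
        "same_nrf_other_nf": smf2.serve(tokens["smf-3"], svc),
        "other_nrf": smf2.serve(tokens["smf-1"], svc),
        "unregistered_consumer": nrf_c.handle_first_token_request("rogue-1", ["smf-1"], svc),
    }

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The two rejected cases show why NF_C must index the returned tokens by NF_P identifier: a token from another NRF fails signature verification, and a token from the same NRF for a different NF_P fails the audience check.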

Description of the drawings

To describe the technical solutions in the embodiments of this application or in the background art more clearly, the drawings used in the embodiments of this application or in the background art are described below.

FIG. 1 is a network system architecture diagram involved in an embodiment of this application;

FIG. 2a and FIG. 2b are diagrams of an application scenario involved in an embodiment of this application;

FIG. 3 is a schematic flowchart of an authorization method according to an embodiment of this application;

FIG. 4 is a schematic flowchart of another authorization method according to an embodiment of this application;

FIG. 5a and FIG. 5b are diagrams of another application scenario involved in an embodiment of this application;

FIG. 6 is a schematic flowchart of another authorization method according to an embodiment of this application;

FIG. 7 is a schematic flowchart of another authorization method according to an embodiment of this application;

FIG. 8a and FIG. 8b are diagrams of another application scenario involved in an embodiment of this application;

FIG. 9 is a schematic flowchart of another authorization method according to an embodiment of this application;

FIG. 10 is a schematic flowchart of another authorization method according to an embodiment of this application;

FIG. 11 is a schematic structural diagram of a device according to an embodiment of this application;

FIG. 12 is a schematic structural diagram of a device according to an embodiment of this application.

Detailed description

The embodiments of this application provide an authorization method and device for multi-NRF scenarios, used to implement authorization when an NF requests a service in a scenario where multiple NRFs exist within one PLMN. The method and the device are based on the same inventive concept. Because the method and the device solve the problem on similar principles, the implementations of the device and of the method may be referred to each other, and repeated content is not described again.

In the description of the embodiments of this application, "and/or" describes the association relationship between associated objects and indicates that three relationships may exist. For example, "A and/or B" may mean: A exists alone, both A and B exist, or B exists alone. The character "/" generally indicates an "or" relationship between the objects before and after it. "At least one" in this application means one or more; "multiple" means two or more. In addition, it should be understood that, in the description of this application, words such as "first" and "second" are used only to distinguish between the things described, and cannot be understood as indicating or implying relative importance, nor as indicating or implying an order.

The communication method provided in the embodiments of this application can be applied to a 5G communication system or to various future communication systems.

The embodiments of this application are described below with reference to the drawings in the embodiments of this application. The terms used in the implementation part of this application are only used to explain the specific embodiments of this application and are not intended to limit this application.

The 5G communication system introduces the Service Based Architecture (SBA). The SBA contains multiple network functions (Network Function, NF). The NFs interact with each other through service-based interfaces (Service-based Interface, SBI), and one NF can provide one or more NF services. An NF service can use a "request-feedback" or a "subscribe-notify" mode. Each NF can act as a service producer (Service Producer) that provides an application programming interface (Application Programming Interface, API) for other NFs to call, and can also act as a service consumer (Service Consumer) that calls the APIs of other NFs. Hereinafter, the Service Producer is called the service provider and the Service Consumer is called the service requester.

FIG. 1 is a schematic diagram of a possible network architecture in a non-roaming scenario. The network architecture consists of user equipment, an access network, and an operator network. The operator network includes a core network and a data network, and the user equipment accesses the operator network through an access network node. The details are as follows:

User equipment (User Equipment, UE). The UE is a logical entity. Specifically, the UE may be any one of a terminal device (Terminal Equipment), a communication device (Communication Device), and an Internet of Things (IoT) device. The terminal device may be a smart phone, a smart watch, a smart tablet, and so on; the communication device may be a server, a gateway (Gateway, GW), a controller, and so on; the IoT device may be a sensor, an electricity meter, a water meter, and so on.

Radio access network (Radio Access Network, RAN). The RAN is responsible for UE access. The RAN may be a base station, a wireless fidelity (Wireless Fidelity, Wi-Fi) access point, a Bluetooth access point, and so on.

Data network (Data network, DN). The data network DN is also called the PDN (Packet Data Network). The DN may be a network external to the operator or a network controlled by the operator, and is used to provide business services to users.

Core network (Core network, CN). As a bearer network, the CN provides an interface to the DN and provides the UE with communication connection, authentication, management, policy control, bearing of data services, and so on. The CN includes: the access and mobility management network element, the session management network element, the user plane node function, the authentication server, the unified data management network element, the network exposure function network element, the application function network element, the network slice selection function network element, the policy control network element, the network storage function, and so on.

Access and mobility management function (Access and Mobility Management Function, AMF): a control plane network element provided by the operator, responsible for access control and mobility management when the UE accesses the operator network.

Session management function (Session Management Function, SMF): a control plane network element provided by the operator, responsible for managing the sessions of the UE's data packets.

User plane node function (User Plane Function, UPF): a user plane network element provided by the operator, and the gateway through which the operator network communicates with the DN. The UPF may be a gateway, a server, a controller, a user plane function network element, and so on. The UPF may be deployed inside or outside the operator network.

Authentication server function (Authentication Server Function, AUSF): a control plane network element provided by the operator, which the operator network can use to authenticate its subscribers.

Unified data management network element (Unified Data Manager, UDM): a control plane network element provided by the operator, responsible for storing the subscriber permanent identifier (Subscriber Permanent Identifier, SUPI), registration information, credentials, subscription data, and so on, of the operator network.

Network exposure function (Network Exposure Function, NEF): a control plane network element provided by the operator. The NEF exposes the external interfaces of the operator network to third parties in a secure manner.

Application function (Application Function, AF): used to store service security requirements and provide information for policy decisions.

Policy control function (Policy Control Function, PCF): responsible for policy control decisions and for providing functions such as detection based on service data flows and applications, gating, QoS, and flow-based charging control.

Network slice selection function network element (Network Slice Selection Function, NSSF): used to select the network slice instance that serves the user equipment, determine the AMF set for the user equipment, and so on.

Network storage function (NF Repository Function, NRF): responsible for automated NF management, selection, and scaling, specifically including registration, discovery, and status monitoring of NF services and authorization of services, so as to achieve on-demand configuration of network functions and services and interconnection between NFs. In a specific implementation, the NRF may be a functional entity such as a network element, a controller, or a server.

In FIG. 1, N1, N2, N3, N4, and N6 are the interfaces between the corresponding network elements; Namf, Nsmf, Nausf, Nudm, Nnef, Npcf, Naf, Nnssf, and Nnrf are the service-based interfaces (SBI) exposed by the AMF, SMF, AUSF, UDM, NEF, PCF, AF, NSSF, and NRF, respectively.

In this embodiment, the NF may be a network function among the AMF, SMF, AUSF, UDM, NEF, PCF, AF, or NSSF. The above network elements may be network elements implemented on dedicated hardware, software instances running on dedicated hardware, or instances of virtualized functions on a suitable platform.

The embodiments of this application mainly apply to scenarios in which two or more NRFs are deployed within the same PLMN. Each NRF provides services such as registration, service discovery, and authorization for the NFs it manages. NFs managed by different NRFs cannot access each other directly; these NFs can only complete processes such as discovery and authorization through the NRFs with which they are respectively registered. The embodiments of this application also consider roaming and non-roaming scenarios. In a roaming scenario there is a serving network and a home network, and the architectures of the serving network and the home network may be the same or different.

Based on the above service-based architecture system, the application scenarios of the embodiments of this application and the corresponding authorization methods are described below.

The authorization method proposed in the embodiments of this application involves a first network storage function NRF, a second network storage function NRF, a service requester network function (Service Consumer), and a service provider network function (Service Producer). The first NRF may be NRF_C or NRF_P0, the second NRF may be NRF_P, the service requester network function may be NF_C, and the service provider network function may be NF_P. In the application scenarios of the embodiments of this application there may be one or more such NRF_Ps, for example NRF_P1, NRF_P2, and so on; there may also be one or more NF_Ps, for example NF_P1, NF_P2, NF_P3, and so on.

FIG. 2a and FIG. 2b describe scenarios in which a service requester NF requests a token for a specific service provider NF that is registered on a different NRF. Examples are the AMF requesting a service from the SMF, or the AUSF requesting a service from the UDM; no limitation is imposed here.

FIG. 2a shows a scenario in which the service requester network element and the service provider network element are located in the same PLMN. Specifically, the service requester NF_C is registered on NRF_C; the service provider NF_P is registered on NRF_P; and NRF_C and NRF_P can interact.

FIG. 2b shows a scenario in which the service requester network element and the service provider network element are located in different PLMNs. Specifically, the service requester NF_C is registered on NRF_C, located in the serving network cPLMN; the service provider NF_P1 is registered on NRF_P1, located in the home network pPLMN; NRF_C interacts with NRF_P0 in the pPLMN; and NRF_P0 interacts with NRF_P1.

参见图3,本申请实施例提供的授权方法之一的一种可能的流程如下所述。Referring to FIG. 3, a possible process of one of the authorization methods provided in the embodiment of the present application is as follows.

该流程描述了服务请求者NF发送的令牌请求中包含注册在不同NRF下的服务提供者NF的标识的授权场景,其中所述服务请求者NF和服务提供者NF位于同一PLMN网络内,即非漫游场景,场景描述详见图2a。该场景涉及四个网元,包括服务请求者NF_C以及对应的NRF_C,服务提供者NF_P以及对应的NRF_P。This process describes the authorization scenario in which the token request sent by the service requester NF contains the identities of the service provider NF registered under different NRFs, where the service requester NF and the service provider NF are located in the same PLMN network, namely For non-roaming scenes, the scene description is shown in Figure 2a. This scenario involves four network elements, including the service requester NF_C and the corresponding NRF_C, the service provider NF_P and the corresponding NRF_P.

S300、该步骤为授权流程开始前需完成的前序步骤。S300. This step is a preliminary step that needs to be completed before the authorization process starts.

Before the authorization procedure starts, each network function (NF) network element registers with its corresponding network repository function (NRF) network element. In this embodiment, for example, the service requester NF_C registers with NRF_C and the service provider NF_P registers with NRF_P. The NRFs store each other's registration information by registration, that is, one NRF registers with another NRF.

Optionally, NRF_C and NRF_P may also store each other's registration information through network configuration; for example, NRF_C stores the information of all NFs registered on NRF_P. Optionally, NRF_C and NRF_P may also obtain and update registration information through the NFStatusSubscribe and NFStatusNotify operations of the Nnrf_NFManagement service. The ways in which NRF_C and NRF_P obtain registration information include but are not limited to the above, and this application imposes no limitation.

The registration information includes network function profiles (NF Profiles). The NF Profiles may contain the NF instance ID, the NF type, the PLMN ID, network-slice-related identifiers, the fully qualified domain name (FQDN) or IP address of the NF, NF capacity information, NF priority information, the NF set ID, the names of the services supported by the NF, NF-specific service authorization information, and so on. Optionally, the registration information further contains the correspondence between an NF type and the instance IDs of all NRFs with which NFs of that type are registered, and/or the correspondence between the instance ID of an NF and the instance ID of the NRF with which that NF is registered.

After registration is complete, the service requester NF_C initiates an NF discovery procedure toward NRF_C, and NRF_C returns to NF_C information about a group of NFs that can provide a specific NF service or that belong to the target NF type. The information contains the instance ID of each NF and/or the identifier of the NRF with which the NF is registered, the NF type, the FQDN or IP address of the NF, the names of the services provided, and so on. The information returned by service discovery also contains the PLMN ID, NF location information, the NF set ID, and other related information, which is not listed item by item here. In this embodiment, for example, the information contains the instance ID of NF_P.

S301. The service requester NF_C sends a first token request to the NRF_C with which it is registered; correspondingly, NRF_C receives the token request from NF_C.

The token request carries the identifier of the service provider NF_P, for example the instance ID of NF_P. The token request also carries the identifier of the service requester NF_C, the service name, and other parameters required for authorization and token generation, which are not limited here.

S302. The network repository function NRF_C determines the NRF with which the service provider NF_P is registered.

After receiving the token request, NRF_C queries the registration information using the identifier of the service provider NF_P carried in the token request and obtains the identifier of the target NRF corresponding to NF_P, that is, NRF_P. The identifier may be the instance ID and/or FQDN of NRF_P, or another identifier or address of NRF_P, which is not limited here.

S303. NRF_C forwards the token request to NRF_P according to the identifier of NRF_P; correspondingly, NRF_P receives the token request from NRF_C.

S304. NRF_P performs authorization, generates a token, and integrity-protects it.

After receiving the token request, NRF_P performs authorization based on the information in the token request together with locally configured policies or authorization information, and generates a token after authorization succeeds.

The claims of the token generated by NRF_P contain the identifier of the token issuer, that is, the instance ID of NRF_P. The token also carries the instance ID of the service requester NF_C, the instance ID of the service provider NF_P, the requested service name, the validity period of the token, and other information.

In addition, NRF_P integrity-protects the token using the key it shares with the service provider NF_P or using its own private key.

S305. NRF_P sends the token to NRF_C, the token being the one that NRF_P has integrity-protected; correspondingly, NRF_C receives the token.

S306. NRF_C sends the received token to NF_C; correspondingly, NF_C receives the token.

Optionally, when sending the token, NRF_C also sends NF_C the correspondence between NF_P and the instance ID of NRF_P; correspondingly, NF_C receives and stores the correspondence between NF_P and NRF_P. When NF_C later requests a token for NF_P, it can look up the stored information to find the identifier of the NRF_P corresponding to NF_P and send the token request directly to that NRF_P.

S307. The service requester NF_C sends a service request to the service provider NF_P, and the service request carries the token. Correspondingly, NF_P receives the token-carrying service request from NF_C.

S308. NF_P verifies the integrity of the token using the shared key negotiated with NRF_P or using the public key of NRF_P, and performs token verification after the integrity check passes.

Token verification means that the service requester NF_P checks whether the information carried in the token matches the information of NF_P, for example whether the service provider instance ID carried in the token is the instance ID of this NF_P.

S309. After the token verification passes, the service provider NF_P sends a service response to the service requester NF_C. Correspondingly, NF_C receives the service response from NF_P.

In this embodiment, NRF_C and NRF_P share registration information. After receiving the token request, NRF_C queries the registration information, determines the NRF_P with which the service provider NF_P is registered, and forwards the token request to it, so that NRF_P completes authorization and token generation; the service provider NF_P subsequently verifies the token. This solves the prior-art problem of service authorization between NFs when multiple NRFs are deployed within the same PLMN.

Referring to FIG. 4, one possible procedure of one of the authorization methods provided in the embodiments of this application is described below.

This procedure describes the authorization scenario in which the token request sent by the service requester NF contains the identifier of a service provider NF registered under a different NRF, and in which the service requester NF and the service provider NF are located in different PLMNs, that is, the roaming scenario; see FIG. 2b for the scenario description. The scenario involves five network elements: the service requester NF_C and its corresponding NRF_C, located in the serving network, and the first network repository function NRF_P0, the service provider NF_P1, and its corresponding NRF_P1, located in the home network. NRF_P0 may be a network repository function deployed in the pPLMN specifically to receive roaming requests, or it may be any network repository function in the pPLMN.

S400. This step is a preliminary step that must be completed before the authorization procedure starts.

Before the authorization procedure starts, each network function (NF) network element registers with its corresponding network repository function (NRF) network element. In this embodiment, for example, the service requester NF_C registers with NRF_C and the service provider NF_P1 registers with NRF_P1.

The network repository functions NRF_C and NRF_P0, and NRF_P0 and NRF_P1, may store each other's registration information through network configuration, that is, the information of all NFs registered on the NRF.

Optionally, NRF_P0 and NRF_P1 store each other's registration information by registration, that is, one NRF registers with another NRF.

Optionally, NRF_C and NRF_P0, and NRF_P0 and NRF_P1, may also obtain and update registration information through the NFStatusSubscribe and NFStatusNotify operations of the Nnrf_NFManagement service. The ways in which NRFs obtain registration information from each other include but are not limited to the above, and this application imposes no limitation.

After registration is complete, the service requester NF_C initiates an NF discovery procedure toward NRF_C, and NRF_C returns to NF_C information about a group of NFs that can provide a specific NF service or that belong to the target NF type. For what the information may contain, see S300. In this embodiment the information contains the instance ID of NF_P1.

S401. This step is similar to S301. The difference is that, in addition to the content described in S301, the token request also contains the PLMN ID of the serving network cPLMN to which the service requester NF_C belongs and the PLMN ID of the home network pPLMN to which the service provider NF_P belongs.

S402. The network repository function NRF_C determines the first network repository function NRF_P0 deployed in the PLMN where the service provider is located.

Using the PLMN ID of the home network pPLMN to which the service provider NF_P1 belongs, carried in the token request, NRF_C queries the registration information and obtains the instance ID and/or FQDN of the network repository function NRF_P0 deployed in the pPLMN, or another identifier or address of NRF_P; this application imposes no limitation.

S403. NRF_C forwards the token request to NRF_P0 according to the identifier of NRF_P0; correspondingly, NRF_P0 receives the token request from NRF_C.

S404. The network repository function NRF_P0 determines the NRF_P1 with which the service provider NF_P1 is registered.

Using the identifier of the service provider NF_P1 carried in the token request, the network repository function NRF_P0 queries the registration information and determines the identifier of the target NRF with which NF_P1 is registered, that is, NRF_P1. The identifier may be the instance ID and/or FQDN of NRF_P1, or another identifier or address of NRF_P1; this application imposes no limitation.

S405. The network repository function NRF_P0 sends the token request, according to the identifier of NRF_P1, to the NRF_P1 with which NF_P1 is registered; correspondingly, NRF_P1 receives the token request from NRF_P0.

S406. NRF_P1 performs authorization, generates a token, and integrity-protects it.

This step is similar to S304. The difference is that, in addition to the content described in S304, the token also carries the PLMN ID of the serving network cPLMN to which the service requester NF_C belongs and the PLMN ID of the home network pPLMN to which the service provider NF_P1 belongs.

S407. The NRF_P1 corresponding to the service provider sends the token to NRF_P0; correspondingly, NRF_P0 receives the token from NRF_P1.

The token is the one that NRF_P1 has integrity-protected using the key it shares with the service provider NF_P1 or using its own private key.

S408. NRF_P0 forwards the received token to NRF_C; correspondingly, NRF_C receives the token.

S409 to S412 are the same as S306 to S309 and are not described again here.

Compared with Embodiment 1, this embodiment applies to the roaming scenario. NRF_C and NRF_P0, and NRF_P0 and NRF_P1, share registration information. After receiving the token request, NRF_C first looks up NRF_P0 and forwards the token request to it; NRF_P0 then looks up NRF_P1 and forwards the token request to it, so that NRF_P1 completes authorization and token generation; the service provider NF_P1 subsequently verifies the token. This solves the prior-art problem of service authorization between NFs in the roaming scenario when multiple NRFs are deployed within the same PLMN.

FIG. 5a and FIG. 5b describe scenarios in which the service requester NF requests tokens for several specific service provider NFs registered on different NRFs, for example an AMF requesting services from an SMF, an NEF, and a UDM, or an AUSF requesting services from an AMF, a UDM, and an SMF; this is not limited here.

FIG. 5a shows a scenario in which the service requester network element and several service provider network elements are located in the same PLMN. Specifically, the service requester NF_C is registered on NRF_C; service provider 1, NF_P1, is registered on NRF_P1; service provider 2, NF_P2, and service provider 3, NF_P3, are registered on NRF_P2; and NRF_C, NRF_P1, and NRF_P2 can interact with one another.

FIG. 5b shows a scenario in which the service requester and several service providers are located in different PLMNs. For example, an AMF located in the serving network cPLMN requests services from an SMF, an NEF, and a UDM located in the home network pPLMN, or an AUSF located in the serving network cPLMN requests services from an AMF, a UDM, and an SMF located in the home network pPLMN; this is not limited here. NRF_C interacts with NRF_P0 in the home network pPLMN, and NRF_P0, NRF_P1, and NRF_P2 interact with one another. The registration relationships of the NFs are the same as in FIG. 5a and are not described again here.

Referring to FIG. 6, one possible procedure of one of the authorization methods provided in the embodiments of this application is described below.

This procedure describes the authorization flow for the scenario in which the service requester network function network element NF_C is registered on the network repository function NRF_C and at least two service provider network function network elements NF_P are registered on different NRF_Ps within the same PLMN; see FIG. 5a for the scenario description. The scenario involves seven network elements: the service requester network function network element NF_C and its corresponding NRF_C, the service provider network function network element NF_P1 and its corresponding NRF_P1, and the service providers NF_P2 and NF_P3 and their corresponding NRF_P2.

S600. This step is a preliminary step that must be completed before the authorization procedure starts.

Before the authorization procedure starts, each network function (NF) network element registers with its corresponding network repository function (NRF) network element. In this embodiment, for example, the service requester NF_C registers with NRF_C, the service provider NF_P1 registers with NRF_P1, and the service providers NF_P2 and NF_P3 register with NRF_P2. The NRFs store each other's registration information by registration, that is, one NRF registers with another NRF.

Optionally, NRF_C, NRF_P1, and NRF_P2 may also store each other's registration information through network configuration, that is, the information of all NFs registered on the NRF. Optionally, NRF_C, NRF_P1, and NRF_P2 may also obtain and update registration information through the NFStatusSubscribe and NFStatusNotify operations of the Nnrf_NFManagement service. The ways in which NRF_C, NRF_P1, and NRF_P2 obtain registration information include but are not limited to the above, and this application imposes no limitation. The registration information has been described in S300 and is not described again here.

After registration is complete, the service requester NF_C initiates an NF discovery procedure toward NRF_C, and NRF_C returns to NF_C information about a group of NFs that can provide a specific NF service or that belong to the target NF type. For what the information may contain, see S300; it is not described again here. In this embodiment the information contains the instance IDs of NF_P1, NF_P2, and NF_P3.

S601. The service requester NF_C sends a first token request to the network repository function network element NRF_C with which it is registered, and NRF_C receives the first token request.

The first token request carries the identifier of each service provider NF_P, for example the instance ID of NF_P1 and the instance IDs of NF_P2 and/or NF_P3. The first token request may also carry the identifier of the service requester NF_C, the service name, and other parameters required for authorization and token generation, which are not limited here.

S602. The network repository function NRF_C determines the target NRF with which each service provider NF_P is registered.

After receiving the token request, the network repository function network element NRF_C queries the registration information using the identifiers of the service providers NF_P carried in the token request and determines the identifier of the target NRF with which each NF_P is registered. For example, NRF_C uses the instance ID of NF_P1 to obtain the instance ID and/or FQDN of NRF_P1, or an identifier or address of NRF_P; this application imposes no limitation. NRF_C uses the instance IDs of NF_P2 and/or NF_P3 to obtain the instance ID and/or FQDN of NRF_P2, or an identifier or address of NRF_P; this application imposes no limitation.

In this embodiment, the target NRFs are all other NRFs in the same PLMN as NRF_C, namely NRF_P1 and NRF_P2. Optionally, in other scenarios, the target NRF may be the NRF_C with which NF_C is registered; in that case NRF_C performs authorization according to the information in the first token request, generates a token after authorization succeeds, and integrity-protects the token.

S603. NRF_C sends a second token request to the NRF_P1 corresponding to NF_P1; correspondingly, NRF_P1 receives the second token request from NRF_C. The second token request contains the instance ID of NF_P1.

After obtaining the identifier of the NRF_P corresponding to each service provider NF_P, the network repository function NRF_C sends a second token request to each NRF_P. In this step NRF_C sends the token request to NRF_P1.

S604. NRF_P1 performs authorization, generates a token, and integrity-protects it. The details are the same as in S304 and are not described again here.

S605. The NRF_P1 corresponding to the service provider sends the token to the NRF_C corresponding to the service requester.

The token is the one that NRF_P1 has integrity-protected using the key it shares with the service provider NF_P or using its own private key.

S606. NRF_C sends a second token request to NRF_P2; correspondingly, NRF_P2 receives the second token request from NRF_C. The second token request contains the instance IDs of NF_P2 and/or NF_P3.

Optionally, where multiple service provider network elements NF_P are registered on the same NRF_P, NRF_C may send NRF_P multiple token requests, each for a single service provider; in that case S606 to S608 are the same as S303 to S305 and are not described again here.

S607. NRF_P2 performs authorization, generates a token, and integrity-protects it.

NRF_P2 performs authorization based on the information carried in the token request together with locally configured policies or authorization information, and generates a token after authorization succeeds.

The claims of the token contain the instance ID of the token issuer NRF_P2. The token also carries the instance ID of the service requester NF_C, the instance IDs of the service providers NF_P2 and NF_P3, the requested service name, the validity period of the token, and other information.

In addition, NRF_P2 integrity-protects the token using the key it shares with the service providers NF_P2 and NF_P3 or using its own private key.

S608. The NRF_P2 corresponding to the service providers sends the token to the NRF_C corresponding to the service requester; correspondingly, NRF_C receives the token from NRF_P2.

There is no strict execution order between S603 to S605 and S606 to S608; they may be executed in either order.

S609. NRF_C receives the token sent by each NRF_P and sends all the tokens it has obtained to the service requester NF_C in a token response, for example the tokens from NRF_P1 and NRF_P2 in this embodiment; correspondingly, NF_C receives the tokens from NRF_C.

Optionally, if in other scenarios the target NRFs include NRF_C, NRF_C sends NF_C the tokens generated by NRF_C and/or received by NRF_C.

Optionally, when sending the tokens, NRF_C also sends NF_C the correspondence between the instance ID of each NF_P and the instance ID of the NRF_P with which it is registered; correspondingly, NF_C receives and stores the correspondence between each NF_P and its NRF_P, for example, in this embodiment, the correspondence between NF_P1 and NRF_P1 and the correspondence between NF_P2 and NF_P3 and NRF_P2. When NF_C later requests a token for a particular NF_P, it can look up the stored correspondence to find the identifier of the NRF_P corresponding to that NF_P and send the token request directly to that NRF_P.

S610 to S613 take NF_P1 as an example and describe the steps by which the service requester NF_C requests a service from the service provider NF_P1. The steps by which the service requester NF_C initiates a service request to NF_P2 or NF_P3 in this embodiment are the same.

S610. Before initiating the service request, the service requester NF_C uses the instance ID of the service provider NF_P1 to look up and find the corresponding token.

From the description in S604 (same as S304) and S607 of the information carried in the token, the token generated by NRF_P carries the instance ID of the service provider NF_P1. NF_C can therefore use the instance ID of the service provider NF_P1 to find the token that carries that instance ID.

S611. NF_C sends NF_P1 a service request carrying the corresponding token.

The service requester NF_C sends a service request to the service provider NF_P1. The service request carries the token corresponding to NF_P1, that is, the token bearing the instance ID of NF_P1.

S612. After receiving the token-carrying service request, the service provider NF_P1 verifies integrity using the public key of its corresponding network repository function network element NRF_P1 or the shared key negotiated between NF_P1 and NRF_P1, and performs token verification after the integrity check passes.

Token verification means that the service requester NF_P1 checks whether the information carried in the token matches the information of NF_P1, for example whether the service provider instance ID carried in the token is the instance ID of this NF_P1.

S613. After the token verification passes, the service provider NF_P1 sends a service response to the service requester NF_C. Correspondingly, the service requester NF_C receives the service response from the service provider NF_P.

In this embodiment, NRF_C, NRF_P1, and NRF_P2 share registration information. After receiving the first token request, NRF_C queries the registration information and, according to where each service provider NF_P is registered, sends a second token request to the NRF_P with which each NF_P is registered; each NRF_P generates a token for one or several NF_Ps. When initiating a service request, the service requester selects the corresponding token according to the identifier of the service provider, and the service provider subsequently verifies the token. With this method a single token request from the service requester for multiple service providers yields multiple tokens, and the service requester then carries the correct token in each service request, which avoids token verification failures at the service provider. This solves the prior-art problem of requesting tokens for several service providers in the scenario where multiple NRFs are deployed within the same PLMN.
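The flow of S601 to S613 (and, for a single provider, S301 to S309) can be sketched as follows. This is an added example, not code from the application: the claim names (`iss`, `sub`, `aud`, `scope`, `exp`), the token encoding, the instance IDs, the keys, the use of HMAC-SHA256 for the shared-key option, and the service-name and expiry checks at NF_P are all assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json

# Constructed registration information shared between the NRFs (S600):
# NF_P instance ID -> instance ID of the NRF_P it is registered on.
REGISTRATION = {"nf-p1": "nrf-p1", "nf-p2": "nrf-p2", "nf-p3": "nrf-p2"}
# Constructed shared keys; assumption: one key per NRF_P, shared with its NF_Ps.
SHARED_KEYS = {"nrf-p1": b"constructed-key-nrf-p1",
               "nrf-p2": b"constructed-key-nrf-p2"}


def b64e(raw):
    return base64.urlsafe_b64encode(raw).decode()


def nrf_p_issue(nrf_id, requester_id, provider_ids, service, now, ttl=300):
    """S604/S607: authorize, generate the token, integrity-protect it."""
    for nf_p in provider_ids:  # stand-in for the locally configured policy
        if REGISTRATION.get(nf_p) != nrf_id:
            raise PermissionError(f"{nf_p} is not registered on {nrf_id}")
    claims = {"iss": nrf_id, "sub": requester_id, "aud": sorted(provider_ids),
              "scope": service, "exp": now + ttl}
    body = json.dumps(claims, sort_keys=True).encode()
    tag = hmac.new(SHARED_KEYS[nrf_id], body, hashlib.sha256).digest()
    return b64e(body) + "." + b64e(tag)


def nrf_c_handle_first_request(requester_id, provider_ids, service, now):
    """S602-S609: resolve each NF_P's NRF_P, send one second token request per
    NRF_P, and return every token plus the NF_P -> NRF_P correspondence."""
    by_nrf = {}
    for nf_p in provider_ids:
        if nf_p not in REGISTRATION:
            raise LookupError(f"no registration information for {nf_p}")
        by_nrf.setdefault(REGISTRATION[nf_p], []).append(nf_p)
    tokens = [nrf_p_issue(nrf, requester_id, group, service, now)
              for nrf, group in by_nrf.items()]
    return tokens, {nf_p: REGISTRATION[nf_p] for nf_p in provider_ids}


def read_claims(token):
    """Decode the claims without checking integrity (NF_C holds no key)."""
    return json.loads(base64.urlsafe_b64decode(token.split(".")[0]))


def nf_c_select_token(tokens, provider_id):
    """S610: pick the token that carries the target NF_P's instance ID."""
    for token in tokens:
        if provider_id in read_claims(token)["aud"]:
            return token
    return None


def nf_p_verify(provider_id, token, service, now):
    """S612: integrity check first, then token verification on the claims."""
    nrf_id = REGISTRATION[provider_id]
    try:
        body_b64, tag_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError:
        return False  # malformed token
    expected = hmac.new(SHARED_KEYS[nrf_id], body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return False  # not protected by this NF_P's NRF_P, or modified
    claims = json.loads(body)
    return (claims["iss"] == nrf_id and provider_id in claims["aud"]
            and claims["scope"] == service and now < claims["exp"])
```

With these constructed registrations, a first token request naming NF_P1, NF_P2, and NF_P3 yields two tokens, and a token presented to an NF_P registered on a different NRF_P fails at the integrity check before any claim is read.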

Referring to FIG. 7, another possible procedure of one of the authorization methods provided in the embodiments of this application is described below.

This procedure corresponds to the scenario in which the service requester network function network element NF_C is registered on the network repository function NRF_C and at least two specific service provider network function network elements NF_P are registered on different NRF_Ps, where the service requester is located in the serving network and the service providers are located in the home network, that is, authorization in the roaming scenario; see FIG. 5b for the scenario description. The authorization procedure described in FIG. 7 involves eight network elements: the service requester NF_C and its corresponding NRF_C, located in the serving network cPLMN, and the network repository function NRF_P0, the service provider NF_P1 and its corresponding NRF_P1, and the service providers NF_P2 and NF_P3 and their corresponding NRF_P2, located in the home network pPLMN. NRF_P0 may be a network repository function deployed in the pPLMN specifically to receive roaming requests, or it may be any network repository function in the pPLMN.

S700、授权流程的前序步骤。S700, the initial steps of the authorization process.

授权流程开始前,各网络功能网元NF注册到其对应的网络存储功能网元NRF上,例如本实施例中,服务请求者NF_C注册到NRF_C上,服务提供者NF_P1注册到NRF_P1上,服务提供者NF_P2和NF_P3注册到NRF_P2上;Before the authorization process starts, each network function network element NF is registered with its corresponding network storage function network element NRF. For example, in this embodiment, the service requester NF_C is registered on NRF_C, the service provider NF_P1 is registered on NRF_P1, and the service is provided NF_P2 and NF_P3 are registered on NRF_P2;

网络存储功能NRF_C和NRF_P0,以及NRF_P0、NRF_P1和NRF_P2之间可以通过网络配置保存对方的注册信息,即注册在NRF上所有NF的信息;The network storage functions NRF_C and NRF_P0, as well as NRF_P0, NRF_P1 and NRF_P2 can save the registration information of each other through the network configuration, that is, the information of all NFs registered on the NRF;

Optionally, NRF_C and NRF_P0, as well as NRF_P0, NRF_P1 and NRF_P2, store each other's registration information by means of registration, that is, one NRF registers with another NRF;

Optionally, NRF_C and NRF_P0, as well as NRF_P0, NRF_P1 and NRF_P2, may also obtain and update registration information through the NFStatusSubscribe and NFStatusNotify operations of the Nnrf_NFManagement service. The ways in which NRFs obtain registration information from one another include but are not limited to the above, and this application imposes no limitation.

The specific content of the registration information has been described in S300 and is not repeated here.

After registration is complete, the service requester NF_C initiates an NF discovery procedure toward NRF_C, and NRF_C returns to NF_C information about a group of NFs that can provide a specific NF service or that belong to the target NF type. For what this information may contain, see S300; it is not repeated here. In this embodiment the information includes the instance identifiers of NF_P1, NF_P2 and NF_P3.

S701. The service requester NF_C sends a first token request to the network storage function network element NRF_C with which it is registered, and NRF_C receives the first token request.

The first token request carries the identifier of each service provider NF_P, for example the instance identifier of NF_P1 and the instance identifiers of NF_P2 and/or NF_P3. The token request also carries the PLMN IDs of the public land mobile networks in which the service requester and the service provider network elements are located, that is, in this embodiment, the ID of the serving network cPLMN and the ID of the home network pPLMN. The token request may also carry the identifier of the service requester NF_C, the service name, and other parameters needed for authorization and token generation, which are not limited here.

S702. The network storage function NRF_C determines the network storage function NRF_P0 deployed in the PLMN where the service provider is located.

Based on the PLMN ID of the home network pPLMN to which the service provider NF_P belongs, carried in the above token request, NRF_C queries the registration information and obtains the identifier of the network storage function NRF_P0 in the pPLMN. The identifier may be the instance identifier and/or FQDN of NRF_P0, or another identifier or address of NRF_P0; this application imposes no limitation.

S703. The network storage function network element NRF_C sends the first token request to NRF_P0, and correspondingly NRF_P0 receives the first token request from NRF_C.

In this embodiment, steps S704~S710 performed by NRF_P0 in the home network are similar to steps S602~S608 performed by NRF_C in Figure 7: in both cases, based on the identifiers of the service providers NF_P carried in the received first token request, the registration information is queried to find the NRF_P with which each NF_P is registered, and a token request is sent to each NRF_P.

S704. The network storage function NRF_P0 determines the target NRF with which each service provider NF_P is registered.

Based on the identifier of each service provider NF_P in the first token request, the network storage function NRF_P0 queries the registration information and determines the identifier of the target NRF corresponding to each NF_P, for example the identifiers of NRF_P1 and NRF_P2 in this embodiment. The identifier may be the instance identifier and/or FQDN of the NRF_P, or another identifier or address of the NRF_P; this application imposes no limitation.

In this embodiment the target NRFs are all other NRFs in the same home network as NRF_P0, namely NRF_P1 and NRF_P2. Optionally, in other scenarios, the target NRF may be NRF_P0 itself; in that case NRF_P0 performs authorization based on the information in the first token request, generates a token after authorization succeeds, and integrity-protects the token.

S705. The network storage function NRF_P0 sends a second token request to the NRF_P1 corresponding to NF_P1, and correspondingly NRF_P1 receives the second token request from NRF_P0; the second token request contains the instance identifier of NF_P1;

After obtaining the identifier of the NRF_P corresponding to each service provider NF_P, the network storage function NRF_P0 sends a second token request to each NRF_P. In this step, NRF_P0 sends the second token request to NRF_P1.

S706. NRF_P1 performs authorization, generates a token, and integrity-protects it.

This step is similar to S604. The difference is that, in addition to the content described in S304, the token also carries the PLMN ID of the serving network cPLMN to which the service requester NF_C belongs and the PLMN ID of the home network pPLMN to which the service provider NF_P1 belongs.

S707. The NRF_P1 corresponding to the service provider sends the token to the NRF_P0 corresponding to the service requester.

The token is the token after NRF_P1 has integrity-protected it, using either the key shared with the service provider NF_P or its own private key.

S708. The network storage function NRF_P0 sends a second token request to NRF_P2, and correspondingly NRF_P2 receives the second token request from NRF_P0. The token request includes the instance identifiers of NF_P2 and/or NF_P3.

Optionally, where multiple service provider network elements NF_P are registered with the same NRF_P, NRF_P0 may send that NRF_P multiple token requests, each for a single service provider; in that case S708~S710 are the same as S405~S407 and are not repeated here.

S709. NRF_P2 performs authorization, generates a token, and integrity-protects the token.

This step is similar to S607. The difference is that, in addition to the content described in S304, the token also carries the PLMN ID of the serving network cPLMN to which the service requester NF_C belongs and the PLMN ID of the home network pPLMN to which the service provider NF_P2 belongs.

S710. The NRF_P2 corresponding to the service provider sends the token to NRF_P0, and correspondingly NRF_P0 receives the token from NRF_P2.

S705~S707 and S708~S710 have no strict execution order and may be performed in either order.

S711. After receiving the token sent by each NRF_P, NRF_P0 sends all the tokens it has obtained, for example the tokens from NRF_P1 and NRF_P2 in this embodiment, to NRF_C in the serving network cPLMN in a token response. Correspondingly, NRF_C receives the tokens from NRF_P0.

Optionally, if in other scenarios the target NRFs include NRF_P0, NRF_P0 sends to NRF_C the tokens generated by NRF_P0 and/or received by NRF_P0.

S712. NRF_C sends the received tokens to the service requester network element NF_C.

S713~S716 are the same as S610~S613 and are not repeated here.

Compared with the authorization flow in Figure 7, in this embodiment the NRF_C with which the service requester NF_C in the serving network cPLMN is registered forwards the token request to the first network storage function NRF_P0 in the home network pPLMN, and NRF_P0 determines the target NRF_Ps in the pPLMN and sends a token request to each of them. This solves the prior-art problem of service authorization between a service requester NF and several specific service provider NFs in a roaming scenario where multiple NRFs are deployed in the same PLMN.

Figures 8a and 8b describe scenarios in which a service requester NF requests tokens for a certain type of service provider NF registered with different NRFs, for example an AMF requesting service from SMFs registered with different NRFs, or an AUSF requesting service from UDMs registered with different NRFs; no limitation is imposed here.

Figure 8a shows the scenario in which the service requester network element and the service provider network elements of a certain type are located in the same PLMN. Specifically, the service requester NF_C is registered with NRF_C; service provider one, NF_P1, is registered with NRF_P1; service provider two, NF_P2, and service provider three, NF_P3, are registered with NRF_P2, where NF_P1, NF_P2 and NF_P3 are network elements of the same type; NRF_C, NRF_P1 and NRF_P2 can interact with one another.

Figure 8b shows the scenario in which the service requester and the service providers of a certain type are located in different PLMNs, for example an AMF in the serving network cPLMN requesting service from three SMFs in the home network pPLMN. NRF_C interacts with NRF_P0 in the home network pPLMN, and NRF_P0, NRF_P1 and NRF_P2 interact with one another; the registration relationships of the network functions NF are the same as in Figure 8a and are not repeated here.

Referring to Figure 9, one possible flow of the second authorization method provided by the embodiments of this application is described below.

This flow describes authorization in the scenario in which the service requester network function network element NF_C is registered with the network storage function NRF_C, and service provider network function network elements NF_P of a certain type are registered with different NRF_Ps in the same PLMN; see Figure 8a for the scenario description. The scenario involves six network elements: the service requester network function network element NF_C and its corresponding NRF_C, the service provider network function network element NF_P1 and its corresponding NRF_P1, and the service provider NF_P2 and its corresponding NRF_P2. The service providers NF_P1 and NF_P2 are network elements of the same type.

S900. Preliminary steps of the authorization flow.

Before the authorization flow starts, each NF registers with its corresponding NRF, and the NRFs share registration information with one another; see S600 for details.

After registration is complete, the service requester NF_C, through the service discovery step, obtains from NRF_C information about a group of NFs that can provide a specific NF service or that belong to the target NF type; see S300 for details of this information.

Optionally, the above service discovery step may be performed after the token request step, that is, between S912 and S913.

Optionally, when steps S901~S903 are performed, the above service discovery step may be omitted.

S901. The service requester NF_C sends an NF discovery request to the network storage function network element NRF_C with which it is registered; the request contains the type of NF_P. Correspondingly, NRF_C receives the NF discovery request from NF_C.

S902. After receiving the NF discovery request sent by NF_C, NRF_C queries the registration information, finds one or more service providers NF_P that meet the requirement, and returns to NF_C, in a service discovery response, the instance identifier of each NF_P together with the instance identifier of the NRF_P with which each NF_P is registered; correspondingly, NF_C receives the service discovery response.

S903. After receiving the service discovery response, NF_C stores the correspondence between the instance identifier of each NF_P and the instance identifier of the NRF_P with which it is registered.

Steps S901~S903 above are optional. They may be performed between S900 and S904, or between S912 and S913. If steps S901~S903 are performed, S913~S915 below should be skipped.

S904. The service requester NF_C sends a first token request to the network storage function network element NRF_C with which it is registered; correspondingly, NRF_C receives the first token request.

The first token request carries the identifier of the service requester, that is, the identifier of NF_C, including the instance identifier and type of NF_C. The first token request also carries the identifier of the service provider NF_P, which contains the type of NF_P. The first token request may also carry other parameters needed for authorization and token generation, such as the name of the requested service.

S905. Based on the type of the service provider network function network element NF_P in the first token request, the network storage function NRF_C queries the registration information and determines the identifiers of all target NRFs corresponding to NF_Ps of that type, for example the instance identifiers and/or FQDNs of NRF_P1 and NRF_P2 in this embodiment, or other identifiers or addresses of the NRF_Ps; this application imposes no limitation;

In this embodiment the target NRFs are all other NRFs in the same PLMN as NRF_C, namely NRF_P1 and NRF_P2. Optionally, in other scenarios, the target NRF may be the NRF_C with which NF_C is registered; in that case NRF_C performs authorization based on the information in the first token request, generates a token after authorization succeeds, and integrity-protects the token.

S906. NRF_C sends a second token request to NRF_P1; correspondingly, NRF_P1 receives the second token request from NRF_C.

The token request contains the type of NF_P1, and/or the instance identifier of NF_P1, and/or the instance identifiers of NF_P1 and NF_P2.

S907. NRF_P1 performs authorization, generates a token, and integrity-protects it.

After the NRF_P1 corresponding to the service provider network function network element NF_P1 receives the second token request, it takes the information in the token request and, together with locally configured policy or authorization information, performs authorization; NRF_P1 generates a token after authorization succeeds. In addition, NRF_P1 integrity-protects the token using either the key it shares with the service provider NF_P1 or its own private key.

The claims of the token generated by NRF_P1 carry the identifier of the token issuer, that is, the instance identifier of NRF_P1. The token also carries information such as the type of the service provider NF_P1, the instance identifier of the service requester NF_C, the name of the requested service, and the validity period of the token.

S908. The NRF_P1 corresponding to the service provider sends the token to the NRF_C corresponding to the service requester; correspondingly, the NRF_C corresponding to the service requester receives the token from NRF_P1.

S909~S911. The second token request is sent to NRF_P2; NRF_P2 performs authorization, generates a token, and sends the token to NRF_C. The details are the same as S903~S905.

S912. Same as S609.

S913~S919 take NF_P1 as an example and describe the steps in which the service requester NF_C selects the corresponding token and requests service from the service provider NF_P.

S913. Before the service request, NF_C sends the instance identifier of NF_P1 to NRF_C; correspondingly, NRF_C receives the NF_P1 instance identifier from NF_C.

The service request used in this step to ask NRF_C to look up and return the instance identifier of the NRF_P may be the existing Nnrf_NFDiscover_NFDiscover Request, Nnrf_NFManagement_NFProfileRetrieval Request, or another service request, or it may be a newly defined service request; no limitation is imposed here.

S914. Based on the instance identifier of NF_P1, NRF_C queries the registration information and finds the instance identifier of the NRF_P1 with which NF_P1 is registered.

S915. NRF_C sends to NF_C the instance identifier it found of the NRF_P1 with which NF_P1 is registered; correspondingly, NF_C receives the NRF_P1 instance identifier from NRF_C.

This step may be the service response corresponding to S910, or it may be another or a newly defined service response; no limitation is imposed here.

S916. Based on the instance identifier of NRF_P1, NF_C looks up and finds the corresponding token.

From the information carried by the token as described in S907, the token generated by an NRF_P carries the instance identifier of the service provider NRF_P. NF_C can therefore use the instance identifier of the service provider NRF_P1 to find the token that carries that instance identifier.

If S901~S903 above are not performed, then when S913~S915 are performed, NF_C finds token 1 using the instance identifier of NRF_P1 returned by NRF_C. If S901~S903 above are performed, then when S913~S915 are performed, NF_C uses the instance identifier of NF_P1 to look up the correspondence it has stored between NF_P instance identifiers and NRF_P instance identifiers, obtains the instance identifier of NRF_P1, and finds token 1 using that NRF_P1 instance identifier.

S917~S919 are the same as S611~S613 and are not repeated here.

In this embodiment, the service requester NF_C requests tokens for accessing a certain type of service provider NF_P. After receiving the token request, NRF_C queries the registration information according to the type of NF_P and, depending on where each service provider NF_P is registered, sends a token request to each NRF_P with which an NF_P of that type is registered; each NRF_P generates a token for that type of NF_P. When initiating a service request, the service requester NF_C selects the corresponding token according to the identifier of the NRF_P, and the service provider subsequently verifies the token. With this method, a single token request from a service requester for a certain type of service provider yields multiple tokens, and the service requester then carries the correct token in its service request, which avoids a token verification failure at the service provider. This solves the prior-art problem of requesting tokens for a certain type of service provider in a scenario where multiple NRFs are deployed in the same PLMN.

Referring to Figure 10, another possible flow of the second authorization method provided by the embodiments of this application is described below.

This flow describes authorization in the scenario in which the service requester network function network element NF_C is registered with the network storage function NRF_C, and service provider network function network elements NF_P of a certain type are registered with different NRF_Ps, where the service requester NF_C is located in the serving network and the service providers NF_P are located in the home network, that is, authorization in a roaming scenario; see Figure 4-b for the scenario description. The scenario involves seven network elements: the service requester NF_C and its corresponding NRF_C in the serving network cPLMN, and, in the home network pPLMN, the first network storage function NRF_P0, the service provider NF_P1 and its corresponding NRF_P1, and the service provider NF_P2 and its corresponding NRF_P2. NRF_P0 may be a network storage function deployed in the pPLMN specifically to receive roaming requests, or it may be any network storage function in the pPLMN.

S1000. Preliminary steps of the authorization flow.

Before the authorization flow starts, each NF registers with its corresponding NRF, and the NRFs share registration information with one another; see S700 for details.

After registration is complete, the service requester NF_C initiates an NF discovery procedure toward NRF_C, and NRF_C returns to NF_C information about a group of NFs that can provide a specific NF service or that belong to the target NF type. For what this information may contain, see S300; it is not repeated here. In this embodiment the information includes the instance identifiers of NF_P1, NF_P2 and NF_P3.

Optionally, the above service discovery step may be performed after the token request step, that is, between S1015 and S1016.

Optionally, when steps S1001~S1003 are performed, the above service discovery step may be omitted.

S1001~S1003 are the same as S901~S903 and are not repeated here.

S1004. The service requester NF_C sends a first token request to the network storage function network element NRF_C with which it is registered, and NRF_C receives the first token request.

The first token request carries the identifier of the service requester, that is, the identifier of NF_C, including the instance identifier and type of NF_C and the PLMN ID of the network to which it belongs, that is, the ID of the cPLMN. The first token request also carries the identifier of the service provider NF_P, which contains the type of NF_P and the PLMN ID of the network to which it belongs, that is, the ID of the pPLMN. The first token request may also carry other parameters needed for authorization and token generation, such as the name of the requested service.

S1005. Same as S702; not repeated here.

S1006. Same as S703; not repeated here.

S1007. Based on the type of the service provider NF_P in the first token request, the network storage function NRF_P0 queries the registration information and determines the identifiers of all target NRFs corresponding to NF_Ps of that type, for example the instance identifiers and/or FQDNs of NRF_P1 and NRF_P2 in this embodiment, or other identifiers or addresses of the NRF_Ps; this application imposes no limitation;

In this embodiment the target NRFs are all other NRFs in the same home network as NRF_P0, namely NRF_P1 and NRF_P2. Optionally, in other scenarios, the target NRF may be NRF_P0 itself; in that case NRF_P0 performs authorization based on the information in the first token request, generates a token after authorization succeeds, and integrity-protects the token.

S1008. The network storage function NRF_P0 sends a second token request to each NRF_P corresponding to service providers NF_P of that type; the token request contains the type of NF_P and/or the instance identifiers of one or more NF_Ps. In this step, NRF_P0 sends the second token request to NRF_P1.

S1009. NRF_P1 performs authorization, generates a token, and integrity-protects it.

After the NRF_P1 corresponding to the service provider network function network element NF_P1 receives the second token request, it takes the information in the second token request and, together with locally configured policy or authorization information, performs authorization; NRF_P1 generates a token after authorization succeeds. In addition, NRF_P1 integrity-protects the token using either the key it shares with the service provider NF_P1 or its own private key.

The token generated by NRF_P1 carries the identifier of the token issuer, that is, the instance identifier of NRF_P1. The token also carries information such as the instance identifier of the service requester NF_C and the PLMN ID of the public land mobile network to which it belongs, the type of the service provider NF_P1 and the PLMN ID of the public land mobile network to which it belongs, the name of the requested service, and the validity period of the token.

S1010. The NRF_P1 corresponding to the service provider sends the token to the NRF_C corresponding to the service requester; correspondingly, the NRF_C corresponding to the service requester receives the token from NRF_P1.

S1011~S1013. NRF_C sends a second token request to NRF_P2; NRF_P2 performs authorization, generates a token, and returns the token to NRF_C. The details are the same as S1005~S1007.

S1008~S1010 and S1011~S1013 have no strict execution order and may be performed in either order.

S1014. NRF_P0 receives the token from each NRF_P and sends them to NRF_C; correspondingly, NRF_C receives the tokens sent by NRF_P0.

Optionally, if in other scenarios the target NRFs include NRF_P0, NRF_P0 sends to NRF_C the tokens generated by NRF_P0 and/or received by NRF_P0.

S1015. NRF_C sends the received tokens to the service requester network element NF_C.

S1016~S1022 take NF_P1 as an example and describe the steps in which the service requester NF_C selects the corresponding token and requests service from the service provider NF_P. The details are the same as S913~S919 and are not repeated here.

Compared with the authorization flow in Figure 9, in this embodiment the NRF_C with which the service requester NF_C in the serving network cPLMN is registered forwards the token request to the first network storage function NRF_P0 in the home network pPLMN, and NRF_P0 determines the target NRF_Ps in the pPLMN according to the type of the service provider NF_P and sends a token request to each of them. This solves the prior-art problem of service authorization between a service requester NF and a certain type of service provider NF in a roaming scenario where multiple NRFs are deployed in the same PLMN.
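The type-based fan-out of S1007~S1014, the token selection of S1016 onward, and the provider-side verification can be sketched as follows. This is an added example, not code from the application: the token encoding (JSON claims plus an HMAC-SHA256 tag under the shared key), the claim names, the policy table and every identifier and key are assumptions constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

# Constructed registration information (all identifiers are hypothetical).
# NF_P instance id -> (NF type, instance id of the NRF_P it is registered with)
REGISTRATIONS = {
    "nf-p1": ("SMF", "nrf-p1"),
    "nf-p2": ("SMF", "nrf-p2"),
    "nf-p3": ("SMF", "nrf-p2"),
}
# Key each NRF_P shares with the NF_Ps registered with it (constructed values).
SHARED_KEYS = {"nrf-p1": b"constructed-key-1", "nrf-p2": b"constructed-key-2"}
# Locally configured policy: (consumer NF type, producer NF type) pairs allowed.
POLICY = {("AMF", "SMF")}
TOKEN_LIFETIME = 300  # validity period in seconds, an assumption of this example

# Constructed first token request as forwarded by NRF_C to NRF_P0.
SAMPLE_REQUEST = {
    "consumer_instance": "nf-c", "consumer_type": "AMF", "consumer_plmn": "00101",
    "producer_type": "SMF", "producer_plmn": "00102", "service": "example-service",
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()


def target_nrfs(nf_type: str) -> list:
    """S1007: find every NRF_P that has an NF_P of this type registered."""
    return sorted({nrf for t, nrf in REGISTRATIONS.values() if t == nf_type})


def issue_token(nrf_id: str, request: dict, now: int) -> str:
    """S1009: one NRF_P authorizes, builds the claims and integrity-protects them."""
    if (request["consumer_type"], request["producer_type"]) not in POLICY:
        raise PermissionError("request rejected by local policy")
    claims = {
        "iss": nrf_id,                        # token issuer: the NRF_P instance id
        "sub": request["consumer_instance"],  # service requester NF_C
        "consumer_plmn": request["consumer_plmn"],
        "producer_plmn": request["producer_plmn"],
        "nf_type": request["producer_type"],
        "service": request["service"],
        "exp": now + TOKEN_LIFETIME,
    }
    body = json.dumps(claims, sort_keys=True).encode()
    tag = hmac.new(SHARED_KEYS[nrf_id], body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(tag)


def nrf_p0_handle(request: dict, now: int) -> dict:
    """S1008~S1014: fan the request out, collect one token per target NRF_P."""
    return {nrf: issue_token(nrf, request, now)
            for nrf in target_nrfs(request["producer_type"])}


def select_token(tokens: dict, nf_p_instance: str) -> str:
    """S1016 onward: NF_C maps the NF_P to its NRF_P and picks that issuer's token.
    REGISTRATIONS stands in for the mapping NF_C saved or obtained from NRF_C."""
    _, nrf_id = REGISTRATIONS[nf_p_instance]
    return tokens[nrf_id]


def verify_token(token: str, nf_p_instance: str, own_plmn: str, now: int) -> bool:
    """NF_P verifies the token with the key of the NRF_P it is registered with."""
    nf_type, nrf_id = REGISTRATIONS[nf_p_instance]
    try:
        body_b64, tag_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError:
        return False
    expected = hmac.new(SHARED_KEYS[nrf_id], body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return False  # issued by a different NRF_P, or modified after issuance
    claims = json.loads(body)
    return (claims["iss"] == nrf_id and claims["nf_type"] == nf_type
            and claims["producer_plmn"] == own_plmn and claims["exp"] > now)
```

A token issued by NRF_P2 fails verification at NF_P1 because NF_P1 only holds the key of NRF_P1, which is the verification failure that selecting the token by issuer avoids.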

The methods of the embodiments of this application are described in detail above. Based on the same inventive concept as the foregoing method embodiments, the embodiments also provide related apparatuses and devices.

Referring to FIG. 11, an embodiment of this application provides an apparatus 1100, which includes a receiving module 1101, a processing module 1102, and a sending module 1103.

The apparatus 1100 may be used in NRF_C or may be NRF_C itself, and can perform the operations performed by NRF_C in the foregoing method embodiments. Taking the authorization method in FIG. 7 as an example: the receiving module 1101 is configured to receive the first token request; the processing module 1102 is configured to determine the target network repository function network element (NRF) with which each network function network element is registered; the sending module 1103 is configured to send a second token request to each target NRF; the receiving module 1101 is further configured to receive the token fed back by the target NRF; and the sending module 1103 is further configured to send the token received by the receiving module 1101 to the token requester, that is, NF_C in FIG. 7.

The apparatus 1100 may also be used in NF_C or may be NF_C itself, and can perform the operations performed by NF_C in the foregoing method embodiments. Taking the authorization method in FIG. 3 as an example: the sending module 1103 is configured to send the first token request to NRF_C; the receiving module 1101 is configured to receive the token sent by NRF_C; the processing module 1102 is configured to determine the token to be carried in the service request; the sending module 1103 is further configured to send the service request to the service provider network element; and the receiving module 1101 is further configured to receive the service request fed back by the service provider.

The apparatus 1100 may also be used in NF_P or may be NF_P itself, and can perform the operations performed by NF_P in the foregoing method embodiments. The NF_P may be NF_P1, NF_P2, or NF_P3. Taking the authorization method in FIG. 7 as an example: the receiving module 1101 is configured to receive the service request from the service requester; the processing module 1102 is configured to verify the token in the service request; and the sending module 1103 is configured to return a service response to the service requester.

The apparatus 1100 may also be used in NRF_P0 or may be NRF_P0 itself, and can perform the operations performed by NRF_P0 in the foregoing method embodiments. Taking the authorization method in FIG. 8 as an example: the receiving module 1101 is configured to receive the first token request; the processing module 1102 is configured to determine the target network function NRF with which each network function network element is registered; and the sending module 1103 is configured to send a second token request to each target NRF. The receiving module 1101 is further configured to receive the token fed back by the target NRF, and the sending module 1103 is further configured to send the token received by the receiving module 1101 to the token requester, that is, NRF_C in FIG. 8.

The apparatus 1100 may also be used in NRF_P or may be NRF_P itself, and can perform the operations performed by NRF_P in the foregoing method embodiments. The NRF_P may be NRF_P1 or NRF_P2. Taking the authorization method in FIG. 7 as an example: the receiving module 1101 is configured to receive the second token request; the processing module 1102 is configured to perform authorization and generate a token according to the information carried in the token request received by the receiving module 1101, combined with locally configured policy, authorization information, or the like; the processing module 1102 is further configured to integrity-protect the generated token; and the sending module 1103 is configured to send the token generated and protected by the processing module 1102 to the token requester.
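The module roles described above (the first NRF resolving target NRFs and sending second token requests, NRF_P authorizing and integrity-protecting a token, NF_C selecting a token, NF_P verifying it) are traced end to end in the following added Python example, which is not part of the patent text. The claim names (`iss`, `sub`, `aud`, `exp`), HMAC-SHA256 as the integrity protection, the 300-second lifetime, and the sample NF types and keys are assumptions made for illustration; the first NRF here holds no registrations of its own, and lookup by NF_P type is included alongside lookup by identifier.

```python
import base64
import hashlib
import hmac
import json
import time
from dataclasses import dataclass


def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()


def claims_of(token: str) -> dict:
    """Read a token's claims WITHOUT verifying it (NF_C uses this only to pick a token)."""
    return json.loads(base64.urlsafe_b64decode(token.split(".")[0]))


@dataclass
class ProducerNRF:
    """NRF_P: authorizes per local policy, then issues an integrity-protected token."""
    nrf_id: str
    key: bytes               # assumption: HMAC key shared with the NF_Ps registered here
    registered: dict         # NF_P instance id -> NF type
    allowed_consumers: set   # local policy: NF_C types that may obtain tokens

    def issue(self, consumer_id, consumer_type, nf_p_ids, now):
        audience = sorted(i for i in nf_p_ids if i in self.registered)
        if consumer_type not in self.allowed_consumers or not audience:
            return None      # authorization refused: no token is generated
        claims = {"iss": self.nrf_id, "sub": consumer_id,
                  "aud": audience, "exp": int(now) + 300}
        body = json.dumps(claims, sort_keys=True).encode()
        tag = hmac.new(self.key, body, hashlib.sha256).digest()
        return b64(body) + "." + b64(tag)


@dataclass
class FirstNRF:
    """NRF_C / NRF_P0: resolves the target NRFs and sends second token requests."""
    peers: dict              # nrf_id -> ProducerNRF in the same PLMN

    def handle_first_token_request(self, consumer_id, consumer_type,
                                   nf_p_ids=(), nf_type=None, now=None):
        now = time.time() if now is None else now
        # Registration info obtained from the other NRFs: NF_P id -> (nrf_id, type)
        index = {nf: (nid, t) for nid, nrf in self.peers.items()
                 for nf, t in nrf.registered.items()}
        wanted = set(nf_p_ids)
        if nf_type is not None:
            wanted |= {nf for nf, (_, t) in index.items() if t == nf_type}
        per_target = {}      # target NRF -> NF_P ids to name in its second request
        for nf in sorted(wanted):
            if nf in index:
                per_target.setdefault(index[nf][0], []).append(nf)
        tokens = {}
        for nrf_id, ids in per_target.items():
            token = self.peers[nrf_id].issue(consumer_id, consumer_type, ids, now)
            if token is not None:
                tokens[nrf_id] = token
        return tokens


def select_token(tokens: dict, nf_p_id: str):
    """NF_C: pick the token whose audience names the NF_P about to be called."""
    for token in tokens.values():
        if nf_p_id in claims_of(token)["aud"]:
            return token
    return None


def verify_at_producer(token, nf_p_id, nrf_key, now=None) -> bool:
    """NF_P: check integrity first, then audience and expiry."""
    now = time.time() if now is None else now
    try:
        body, tag = (base64.urlsafe_b64decode(p) for p in token.split("."))
    except (ValueError, AttributeError):
        return False         # malformed or missing token
    expected = hmac.new(nrf_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return False
    claims = json.loads(body)
    return nf_p_id in claims["aud"] and claims["exp"] > now


def build_constructed_plmn():
    """Constructed sample data: two NRF_Ps in one PLMN, three NF_Ps."""
    p1 = ProducerNRF("NRF_P1", b"k1-constructed", {"NF_P1": "UDM"}, {"AMF"})
    p2 = ProducerNRF("NRF_P2", b"k2-constructed",
                     {"NF_P2": "UDM", "NF_P3": "AUSF"}, {"AMF"})
    return FirstNRF({"NRF_P1": p1, "NRF_P2": p2}), p1, p2


if __name__ == "__main__":
    nrf_c, p1, p2 = build_constructed_plmn()
    toks = nrf_c.handle_first_token_request("NF_C", "AMF", ["NF_P1", "NF_P3"])
    print(verify_at_producer(select_token(toks, "NF_P1"), "NF_P1", p1.key))
```

A token issued by NRF_P2 fails at NF_P1 on the integrity check, and would still fail on the audience check if NF_P1 held NRF_P2's key.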

Referring to FIG. 12, an embodiment of this application further provides a device 1200. The device 1200 includes a processor 1201, a communication interface 1202, and a memory 1203.

The processor 1201 is configured to execute program instructions; when the program is executed, the processor 1202 is caused to perform the operations performed by NRF_C, NF_C, NF_P, NRF_P, or NRF_P0 in the authorization methods provided in the foregoing embodiments. The processor 902 may be, but is not limited to, a central processing unit (CPU), a network processor (NP), or a combination of a CPU and an NP. When the processor 1201 is a CPU, the CPU may be a single-core CPU or a multi-core CPU.

The processor 1201 may further include a hardware chip. The hardware chip may be an application-specific integrated circuit (ASIC), a programmable logic device (PLD), or a combination thereof. The PLD may be a complex programmable logic device (CPLD), a field-programmable gate array (FPGA), generic array logic (GAL), or any combination thereof.

The communication interface 1202 is configured to communicate with other devices under the control of the processor 1201, for example to send and/or receive data. The sending module and the receiving module in FIG. 7 may be implemented through the communication interface 1202.

The memory 1203 is configured to store the program executed by the processor 1201. The memory 1203 may include, but is not limited to, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM), compact disc read-only memory (CD-ROM), flash memory, a hard disk drive (HDD), or a solid-state drive (SSD); the memory 1203 may also include any combination of the foregoing types of memory.

An embodiment of this application provides a computer-readable storage medium storing a computer program, where the computer program includes instructions for performing the methods provided in the foregoing embodiments.

An embodiment of this application provides a computer program product containing instructions which, when run on a computer, cause the computer to perform the methods provided in the foregoing embodiments.

Those skilled in the art should understand that the embodiments of this application may be provided as a method, an apparatus, a device (system), or a computer program product. Therefore, this application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware. Moreover, this application may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, and optical storage) containing computer-usable program code.

This application is described with reference to flowcharts and/or block diagrams of the methods, apparatuses, devices (systems), and computer program products according to the embodiments of this application. It should be understood that each procedure in the flowcharts can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor, or other programmable data processing equipment to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing equipment produce means for implementing the functions specified in one or more procedures of the flowcharts and/or one or more blocks of the block diagrams.

These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data processing equipment to operate in a particular manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means, where the instruction means implement the functions specified in one or more procedures of the flowcharts and/or one or more blocks of the block diagrams.

These computer program instructions may also be loaded onto a computer or other programmable data processing equipment, so that a series of operational steps are performed on the computer or other programmable equipment to produce computer-implemented processing, whereby the instructions executed on the computer or other programmable equipment provide steps for implementing the functions specified in one or more procedures of the flowcharts and/or one or more blocks of the block diagrams.

The foregoing describes only some specific implementations of this application, but the protection scope of this application is not limited thereto. Any person skilled in the art may make further changes and modifications to these embodiments within the technical scope disclosed in this application. Therefore, the appended claims are intended to be construed as including the foregoing embodiments and all changes and modifications that fall within the scope of this application. The protection scope of this application shall therefore be subject to the protection scope of the claims.

Claims (32)

1. An authorization method in multiple NRF scenarios, characterized in that:
a first network repository function network element (NRF) receives a first token request, where the first token request contains identifiers of one or more service provider network function network elements NF_P;
the first NRF determines, according to the identifiers of the one or more NF_Ps, the target NRF with which each NF_P is registered;
if the target NRFs include a second network repository function network element (NRF), the first NRF sends a second token request to the second NRF, where the second token request contains identifiers of one or more NF_Ps, and the first NRF and the second NRF are located in the same public land mobile network (PLMN);
the first NRF receives the token fed back by the second NRF.

2. The method according to claim 1, characterized in that, before the first NRF receives the first token request, the method further comprises:
the first NRF obtains registration information of network functions stored on other NRFs in the PLMN;
and the first NRF determining, according to the identifiers of the one or more NF_Ps, the target NRF with which each NF_P is registered comprises:
the first NRF uses the identifiers of the one or more NF_Ps to query the registration information stored and/or obtained by the first NRF, to determine the target NRF with which each NF_P is registered.

3. The method according to claim 1 or 2, characterized in that the first NRF receiving the first token request comprises:
the first NRF receives the first token request sent by a service requester network function network element.

4. The method according to claim 3, characterized in that, after the first NRF receives the token fed back by the second NRF, the method further comprises:
the first NRF sends, to the service requester network function network element, the token generated by the first NRF and/or the token received by the first NRF.

5. The method according to claim 1 or 2, characterized in that the first NRF is located in a home network;
and the first NRF receiving the first token request comprises:
the first NRF receives the first token request sent by a network repository function of a serving network.

6. The method according to claim 5, characterized in that, after the first NRF receives the token fed back by the second NRF, the method further comprises:
the first NRF sends, to the network repository function network element of the serving network, the token generated by the first NRF and/or the token received by the first NRF.

7. An authorization method in multiple NRF scenarios, characterized in that:
a first network repository function network element (NRF) receives a first token request, where the first token request contains a type of service provider network function network element NF_P;
the first NRF determines the target network repository function (NRF) with which the NF_Ps of that type are registered;
if the target NRFs include a second network repository function network element (NRF), the first NRF sends a second token request to the second NRF, where the first NRF and the second NRF are located in the same public land mobile network (PLMN);
the first NRF receives the token fed back by the second NRF.

8. The method according to claim 7, characterized in that, before the first NRF receives the first token request, the method further comprises:
the first NRF obtains registration information of network functions stored on other NRFs in the PLMN;
and the first NRF determining the target NRF with which the NF_Ps of that type are registered comprises:
the first NRF uses the type of the NF_P to query the registration information stored and/or obtained by the first NRF, to determine the identifier of each target NRF with which an NF_P of that type is registered.

9. The method according to claim 7 or 8, characterized in that
the second token request contains the type of the NF_P registered on the second NRF, and/or identifiers of one or more of the NF_Ps.

10. The method according to claim 9, characterized in that the first NRF receiving the first token request comprises:
the first NRF receives the first token request sent by a service requester network function network element.

11. The method according to claim 10, characterized in that, after the first NRF receives the token fed back by the second NRF, the method further comprises:
the first NRF sends, to the service requester network function network element, the token generated by the first NRF and/or the token received by the first NRF.

12. The method according to claim 9, characterized in that the first NRF is located in a home network;
and the first NRF receiving the first token request comprises:
the first NRF receives the first token request sent by a network repository function of a serving network.

13. The method according to claim 12, characterized in that, after the first NRF receives the token fed back by the second NRF, the method further comprises:
the first NRF sends, to the network repository function network element of the serving network, the token generated by the first NRF and/or the token received by the first NRF.

14. An authorization apparatus, characterized by comprising:
a receiving module, configured to receive a first token request, where the token request contains instance identifiers of one or more network function network elements NF_P that provide functional services;
a processing module, configured to determine, according to the instance identifiers of the one or more NF_Ps, the target NRF with which each NF_P is registered;
a sending module, configured to send a second token request to a second network repository function network element (NRF) if the target NRFs determined by the processing module include the second NRF, where the second token request contains identifiers of one or more NF_Ps, and the apparatus and the second NRF are located in the same public land mobile network (PLMN);
the receiving module being further configured to receive the token fed back by the second NRF.

15. The apparatus according to claim 14, characterized in that
the receiving module is further configured to obtain registration information of network functions stored on other NRFs in the PLMN;
the processing module is configured to use the identifiers of the one or more NF_Ps to query the registration information stored and/or obtained by the apparatus, to determine the target NRF with which each NF_P is registered.

16. The apparatus according to claim 14 or 15, characterized in that the receiving module receiving the first token request comprises:
the receiving module receives the first token request sent by a service requester network function network element.

17. The apparatus according to claim 16, characterized in that
the sending module is further configured to send, to the service requester network function network element, the token generated by the apparatus and/or the token received by the apparatus.

18. The apparatus according to claim 14 or 15, characterized in that the apparatus is located in a home network;
the receiving module is configured to receive the first token request sent by a network repository function network element of a serving network.

19. The apparatus according to claim 18, characterized in that
the sending module is further configured to send the token to the network repository function network element of the serving network.

20. An authorization apparatus, characterized by comprising:
a receiving module, configured to receive a first token request, where the token request contains a type of network function network element NF_P that provides functional services;
a processing module, configured to determine the target network repository function (NRF) corresponding to each NF_P of that type;
a sending module, configured to send a second token request to a second network repository function network element (NRF) if the target NRFs determined by the processing module include the second NRF, where the apparatus and the second NRF are located in the same public land mobile network (PLMN);
the receiving module being further configured to receive the token fed back by the second NRF.

21. The apparatus according to claim 20, characterized in that
the receiving module is further configured to obtain registration information of network functions stored on other NRFs in the PLMN;
the processing module is configured to use the type of the NF_P to query the registration information stored and/or obtained by the apparatus, to determine the identifier of each target NRF with which an NF_P of that type is registered.

22. The apparatus according to claim 20 or 21, characterized in that
the second token request sent by the sending module contains the type of the NF_P registered on the second NRF, and/or identifiers of one or more of the NF_Ps.

23. The apparatus according to claim 22, characterized in that the receiving module is configured to receive the first token request sent by a service requester network function network element.

24. The apparatus according to claim 23, characterized in that
the sending module is configured to send, to the service requester network function network element, the token generated by the apparatus and/or the token received by the apparatus.

25. The apparatus according to claim 22, characterized in that the apparatus is located in a home network;
the receiving module is configured to receive the first token request sent by a network repository function of a serving network.

26. The apparatus according to claim 25, characterized in that
the sending module is configured to send, to the network repository function network element of the serving network, the token generated by the apparatus and/or the token received by the apparatus.

27. A device, characterized in that the device comprises: a storage unit, a communication interface, and a processor coupled to the storage unit and the communication interface; the storage unit is configured to store instructions, the processor is configured to execute the instructions, and the communication interface is configured to communicate with other devices under the control of the processor;
the processor executes the instructions to implement the method according to any one of claims 1 to 6.

28. A device, characterized in that the device comprises: a storage unit, a communication interface, and a processor coupled to the storage unit and the communication interface; the storage unit is configured to store instructions, the processor is configured to execute the instructions, and the communication interface is configured to communicate with other devices under the control of the processor;
the processor executes the instructions to implement the method according to any one of claims 7 to 13.

29. A computer-readable storage medium, characterized in that
the computer-readable storage medium stores a computer program, and when the computer program is executed by a processor, the method according to any one of claims 1 to 6 is performed.

30. A computer-readable storage medium, characterized in that
the computer-readable storage medium stores a computer program, and when the computer program is executed by a processor, the method according to any one of claims 7 to 13 is performed.

31. A computer program product, characterized in that
the computer program is executed by a processor to implement the method according to any one of claims 1 to 6.

32. A computer program product, characterized in that
the computer program is executed by a processor to implement the method according to any one of claims 7 to 13.
PCT/CN2020/112317 2019-09-11 2020-08-29 Authorization method and device in a plurality of nrf scenarios Ceased WO2021047403A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201910860117.X 2019-09-11
CN201910860117.XA CN112492592A (en) 2019-09-11 2019-09-11 Authorization method under multiple NRF scenes

Publications (1)

Publication Number Publication Date
WO2021047403A1 true WO2021047403A1 (en) 2021-03-18

Family

ID=74867268

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2020/112317 Ceased WO2021047403A1 (en) 2019-09-11 2020-08-29 Authorization method and device in a plurality of nrf scenarios

Country Status (2)

Country Link
CN (1) CN112492592A (en)
WO (1) WO2021047403A1 (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112152856B (en) * 2020-09-25 2021-10-01 广州爱浦路网络技术有限公司 Edge server management system and method
CN115396867A (en) * 2021-05-24 2022-11-25 华为技术有限公司 Communication method and network device
CN114978551B (en) * 2022-06-14 2024-02-06 中国电信股份有限公司 Access token issuing method, access token obtaining method, access token issuing device, access token obtaining system, access token issuing equipment and access token issuing medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109428875A (en) * 2017-08-31 2019-03-05 华为技术有限公司 Service-based architecture-based discovery method and device
CN109587187A (en) * 2017-09-28 2019-04-05 华为技术有限公司 Method, device and system for calling network function service
CN109842906A (en) * 2017-11-28 2019-06-04 华为技术有限公司 Communication method, device and system
WO2019158819A1 (en) * 2018-02-15 2019-08-22 Nokia Technologies Oy Security management for roaming service authorization in communication systems with service-based architecture

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
"3rd Generation Partnership Project; Technical Specification Group Core Network and Terminals; 5G System; Network Function Repository Services; Stage 3 (Release 15)", 3GPP DRAFT; 29510-F20, 3RD GENERATION PARTNERSHIP PROJECT (3GPP), MOBILE COMPETENCE CENTRE ; 650, ROUTE DES LUCIOLES ; F-06921 SOPHIA-ANTIPOLIS CEDEX ; FRANCE, 19 December 2018 (2018-12-19), Mobile Competence Centre ; 650, route des Lucioles ; F-06921 Sophia-Antipolis Cedex ; France, XP051686758 *

Also Published As

Publication number Publication date
CN112492592A (en) 2021-03-12

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 20862971

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 20862971

Country of ref document: EP

Kind code of ref document: A1