
Design and Implementation of Baidu ToB Account Permission Platform: Login Services, SSO, OAuth, and GD‑RBAC

Baidu’s ToB Account Permission Platform provides a unified, configurable login and permission service—including multi‑tenant account management, SSO, OAuth, and the GD‑RBAC model—delivering secure, high‑performance access for over ten million enterprise accounts across multiple product lines.

Baidu Geek Talk

Baidu ToB vertical account permission platform (the "Platform") provides a unified account and permission service for multiple ToB product lines. It covers tenant management, account management, single sign‑on (SSO), permission control, account security, and enterprise qualification. Over 10 million enterprise accounts from products such as AiFanFan, AiCaiGou, XunKeBao, and ChuhaiYi have been onboarded.

The document first defines key terminology (customer, tenant, account, main account, sub‑account, user, role, function, resource, RBAC, tenant version, BDRP) to help readers understand the following sections.

2. Account Login Service

2.1 Enterprise Organization and Account Model

A customer can own multiple tenants; each tenant gets a main account with super‑admin privileges, and that main account can create sub‑accounts. Accounts can bind third‑party identities (WeChat, phone number, Apple ID, etc.) and are assigned roles that carry specific functional permissions.

2.2 Configurable and Stable Unified Login Service

The login service must be secure, stable, high‑performance, and configurable to meet SaaS and private‑deployment scenarios. It supports multiple login methods (password, mobile code, QR code, third‑party) and allows each product line to customize the workflow.

The password‑login flow includes page‑level encryption, time‑limited page validity, multi‑factor checks (unusual location, device, phone verification), and temporary verification tokens that are exchanged for real login tokens on the front end.

2.2.1 Configurable Extension Capability

The login process is decomposed into atomic events (E) and configurations (C). Different product lines can assemble these events in custom order, enabling configurable login flows.

2.2.2 Single Sign‑On (SSO)

SSO allows a user to log in once and access multiple trusted systems. The platform uses a CAS‑based protocol with three ticket types: Stoken (a temporary service token), Ptoken (the stable token held by the authentication center and located via cookie or header), and Rtoken (a token specific to one business system). On login the authentication center generates an Stoken and stores the user and security information; each business system then exchanges the Stoken for its own stable token.
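The three‑ticket exchange described above, as an added example written for this summary rather than code from the platform: the authentication center keeps the Ptoken session, hands out short‑lived single‑use Stokens, and each business system redeems an Stoken for its own Rtoken. Ticket lifetimes, helper names and the in‑memory stores are assumptions; the password and multi‑factor checks that precede `login()` are outside the example.

```python
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

STOKEN_TTL = 60           # assumed: a temporary service ticket lives 60 s
PTOKEN_TTL = 8 * 3600     # assumed: an authentication-centre session lives 8 h


@dataclass
class Session:
    """What the authentication centre stores behind a Ptoken."""
    user_id: str
    created: float
    security: Dict[str, str] = field(default_factory=dict)  # device, IP, MFA result ...
    rtokens: Dict[str, str] = field(default_factory=dict)   # system_id -> Rtoken


class AuthCenter:
    """Hypothetical authentication centre: Ptoken sessions, one-shot Stokens,
    and per-system Rtokens that all hang off the Ptoken session."""

    def __init__(self, now=time.time):
        self.now = now
        self.sessions: Dict[str, Session] = {}            # Ptoken -> Session
        self.stokens: Dict[str, Tuple[str, float]] = {}   # Stoken -> (Ptoken, expiry)
        self.rtokens: Dict[str, Tuple[str, str]] = {}     # Rtoken -> (Ptoken, system_id)

    def login(self, user_id: str, security: Dict[str, str]) -> Tuple[str, str]:
        """After the login checks succeed: create the session, return the Ptoken
        (to be set as a cookie) and the first Stoken for the target system."""
        ptoken = secrets.token_urlsafe(32)
        self.sessions[ptoken] = Session(user_id, self.now(), dict(security))
        return ptoken, self.issue_stoken(ptoken)

    def issue_stoken(self, ptoken: str) -> str:
        """A logged-in user visiting another trusted system presents the Ptoken
        cookie and receives a fresh, short-lived, single-use Stoken."""
        if not self._session_alive(ptoken):
            raise PermissionError("no valid authentication-centre session")
        stoken = secrets.token_urlsafe(32)
        self.stokens[stoken] = (ptoken, self.now() + STOKEN_TTL)
        return stoken

    def exchange_stoken(self, stoken: str, system_id: str) -> str:
        """Called server-side by the business system: redeem the Stoken exactly
        once and get back a stable Rtoken bound to that system."""
        entry = self.stokens.pop(stoken, None)            # pop => single use
        if entry is None:
            raise PermissionError("unknown or already redeemed Stoken")
        ptoken, expiry = entry
        if self.now() > expiry or not self._session_alive(ptoken):
            raise PermissionError("Stoken expired")
        rtoken = secrets.token_urlsafe(32)
        self.rtokens[rtoken] = (ptoken, system_id)
        self.sessions[ptoken].rtokens[system_id] = rtoken
        return rtoken

    def validate_rtoken(self, rtoken: str, system_id: str) -> Optional[str]:
        """Return the user id if the Rtoken was issued to this system and its
        Ptoken session is still alive; None otherwise."""
        entry = self.rtokens.get(rtoken)
        if entry is None:
            return None
        ptoken, bound_system = entry
        if bound_system != system_id or not self._session_alive(ptoken):
            return None
        return self.sessions[ptoken].user_id

    def logout(self, ptoken: str) -> None:
        """Single sign-out: ending the Ptoken session revokes every Rtoken."""
        session = self.sessions.pop(ptoken, None)
        if session is not None:
            for rtoken in session.rtokens.values():
                self.rtokens.pop(rtoken, None)

    def _session_alive(self, ptoken: str) -> bool:
        session = self.sessions.get(ptoken)
        return session is not None and self.now() - session.created < PTOKEN_TTL


def run_demo() -> Dict[str, bool]:
    """Walk through the exchange with a fake clock and report what was observed."""
    clock = [1000.0]
    ac = AuthCenter(now=lambda: clock[0])
    ptoken, stoken = ac.login("user-1", {"device": "dev-1"})   # constructed identifiers
    rtoken = ac.exchange_stoken(stoken, "crm")
    out = {"rtoken_valid_for_crm": ac.validate_rtoken(rtoken, "crm") == "user-1",
           "rtoken_rejected_by_other_system": ac.validate_rtoken(rtoken, "billing") is None}
    try:
        ac.exchange_stoken(stoken, "crm")
        out["stoken_single_use"] = False
    except PermissionError:
        out["stoken_single_use"] = True
    late = ac.issue_stoken(ptoken)
    clock[0] += STOKEN_TTL + 1
    try:
        ac.exchange_stoken(late, "crm")
        out["stoken_expires"] = False
    except PermissionError:
        out["stoken_expires"] = True
    ac.logout(ptoken)
    out["logout_revokes_rtoken"] = ac.validate_rtoken(rtoken, "crm") is None
    return out


if __name__ == "__main__":
    print(run_demo())
```

Two properties matter for the security of the scheme and are what the demo checks: an Stoken can be redeemed only once and only within its short lifetime, and every Rtoken stays tied to the Ptoken session, so one logout at the authentication center invalidates access to every business system.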

2.2.3 Login Security Guarantees

Security is enforced through multi‑stage session control (login‑phase session, temporary session, stable login session), encryption of sensitive data (symmetric and asymmetric algorithms), strict cookie attributes (Secure, HttpOnly, short expiry), request validation (origin whitelist, 302 redirect control), rate limiting, and captchas (image, slide, SMS).
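Two of the request‑hardening rules listed above, as an added example (not the platform's code): issuing the login‑phase cookie with Secure, HttpOnly and a short lifetime, and checking the Origin header and the 302 redirect target against a host whitelist. The host names, cookie name and lifetimes are constructed for the example; `SameSite=Lax` is an addition beyond the attributes the text names.

```python
from http.cookies import SimpleCookie
from typing import Optional
from urllib.parse import urlsplit

# Assumed whitelist of first-party hosts accepted as Origin or as a 302 target.
TRUSTED_HOSTS = {"login.example-tob.com", "crm.example-tob.com"}
DEFAULT_LANDING = "https://crm.example-tob.com/"   # where to send users when a target is rejected
LOGIN_COOKIE_MAX_AGE = 15 * 60                     # assumed: login-phase session lives 15 minutes


def build_session_cookie(name: str, value: str, max_age: int = LOGIN_COOKIE_MAX_AGE) -> str:
    """Return a Set-Cookie header value: Secure (HTTPS only), HttpOnly (not readable
    from scripts), SameSite=Lax, and a short Max-Age so the ticket does not outlive
    the login phase."""
    cookie = SimpleCookie()
    cookie[name] = value
    morsel = cookie[name]
    morsel["secure"] = True
    morsel["httponly"] = True
    morsel["samesite"] = "Lax"
    morsel["max-age"] = max_age
    morsel["path"] = "/"
    return morsel.OutputString()


def origin_allowed(origin_header: Optional[str]) -> bool:
    """Accept a state-changing login request only when Origin names a trusted
    host over https; a missing Origin is rejected rather than assumed benign."""
    if not origin_header:
        return False
    parts = urlsplit(origin_header)
    return parts.scheme == "https" and parts.hostname in TRUSTED_HOSTS


def safe_redirect_target(target: str) -> str:
    """Only 302 to a same-site relative path or a whitelisted https host; anything
    else (protocol-relative '//host', foreign hosts, javascript: URLs, look-alike
    domains) falls back to DEFAULT_LANDING so the login page is not an open redirect."""
    if "\\" in target:                       # some browsers normalise '\' to '/'
        return DEFAULT_LANDING
    parts = urlsplit(target)
    is_relative = parts.scheme == "" and parts.netloc == "" and target.startswith("/") \
        and not target.startswith("//")
    if is_relative:
        return target
    if parts.scheme == "https" and parts.hostname in TRUSTED_HOSTS:
        return target
    return DEFAULT_LANDING


if __name__ == "__main__":
    print(build_session_cookie("login_sid", "ticket-value-constructed"))
    print(safe_redirect_target("//evil.example.net/"))
```

The redirect check compares the parsed hostname, not a string prefix, so `https://crm.example-tob.com.evil.net/` is rejected even though it starts with a trusted name; whitelist checks that use `startswith` are a common way this control fails.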

2.3 OAuth Capability

The platform supports OAuth 2.0 authorization_code flow, enabling third‑party applications to obtain an access_token after user consent, thus allowing seamless cross‑system access.

3. Permission Service

The permission service provides both functional and data access control for multiple product lines.

3.1 Problems and Solutions

Complex permission logic leads to high development and maintenance costs. The solution is a high‑performance, extensible authorization service.

3.2 Functional Authorization

Three integration methods are offered: gateway SDK, standalone SDK, or direct RPC. The core model is an enhanced RBAC called GD‑RBAC, which adds user groups and dimension‑based role assignments.

3.2.2 GD‑RBAC

GD‑RBAC introduces user groups and dimensions, allowing the same user to have different roles in different business contexts (e.g., different lead pools).
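An added example of the GD‑RBAC lookup (written for this summary, not the platform's implementation): a role assignment is scoped to a dimension value, here a lead pool, and may be made to a user group as well as to an individual user, so the same user can be a viewer in one pool and a manager in another. Role, group and function names and the `"*"` sentinel for "every dimension value" are constructed assumptions.

```python
from collections import defaultdict
from typing import Dict, Set, Tuple

ANY = "*"   # assumed sentinel: a role that applies in every dimension value


class GDRBAC:
    """Hypothetical GD-RBAC store: roles carry functions; (subject, dimension)
    pairs carry roles, where subject is a user or a user group."""

    def __init__(self) -> None:
        self.role_functions: Dict[str, Set[str]] = defaultdict(set)
        self.group_members: Dict[str, Set[str]] = defaultdict(set)
        self.assignments: Dict[Tuple[str, str], Set[str]] = defaultdict(set)

    def grant_function(self, role: str, function: str) -> None:
        self.role_functions[role].add(function)

    def add_member(self, group: str, user: str) -> None:
        self.group_members[group].add(user)

    def assign_role(self, subject: str, role: str, dimension: str = ANY) -> None:
        """Give a user or group a role inside one dimension value (or everywhere)."""
        self.assignments[(subject, dimension)].add(role)

    def groups_of(self, user: str) -> Set[str]:
        return {g for g, members in self.group_members.items() if user in members}

    def roles_of(self, user: str, dimension: str) -> Set[str]:
        """Effective roles = direct assignments + group assignments, in this
        dimension value or in ANY. .get() avoids creating keys in the defaultdict."""
        roles: Set[str] = set()
        for subject in {user} | self.groups_of(user):
            roles |= self.assignments.get((subject, dimension), set())
            roles |= self.assignments.get((subject, ANY), set())
        return roles

    def can(self, user: str, function: str, dimension: str) -> bool:
        """Functional authorization check: is the function reachable through any
        effective role in this business context?"""
        return any(function in self.role_functions.get(role, set())
                   for role in self.roles_of(user, dimension))


def build_sample() -> GDRBAC:
    """Constructed data: one team with a viewer role in the east pool, alice
    promoted to manager in the west pool only, carol a tenant-wide admin."""
    rbac = GDRBAC()
    rbac.grant_function("viewer", "lead:view")
    rbac.grant_function("manager", "lead:view")
    rbac.grant_function("manager", "lead:assign")
    rbac.grant_function("tenant-admin", "lead:export")
    rbac.add_member("east-team", "alice")
    rbac.add_member("east-team", "bob")
    rbac.assign_role("east-team", "viewer", dimension="lead-pool:east")   # group-scoped
    rbac.assign_role("alice", "manager", dimension="lead-pool:west")      # user-scoped
    rbac.assign_role("carol", "tenant-admin")                              # every dimension
    return rbac


if __name__ == "__main__":
    r = build_sample()
    for user, fn, dim in [("alice", "lead:assign", "lead-pool:east"),
                          ("alice", "lead:assign", "lead-pool:west")]:
        print(user, fn, dim, r.can(user, fn, dim))
```

The dimension is part of the assignment key, not of the role, which is what keeps the role catalogue small: one `manager` role serves every lead pool, and moving a user between pools is a change to assignments rather than to roles.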

3.2.3 Rights‑Package Model

Rights packages define collections of permissions that can be attached to tenants, solving version‑difference and feature‑add‑on problems.

3.3 Flexible Data Authorization

Data permissions are expressed via dimensions (e.g., organization, position) stored as a left‑right value tree, enabling efficient hierarchical queries. Custom key‑value attributes complement the generic dimensions.
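An added example of the left‑right value tree (the nested‑set encoding) for an organization dimension, written for this summary and not taken from the platform: each node gets a left and right number from a pre‑order walk, so "every record under my organization" becomes a single `BETWEEN` comparison instead of a recursive walk, and a custom key‑value attribute (`owner_pos`) narrows the result further. The organization tree, the lead rows and the table layout are constructed; SQLite stands in for the real database.

```python
import sqlite3
from typing import Dict, List, Optional, Tuple

# Constructed sample organization tree: parent -> ordered children.
ORG_TREE: Dict[str, List[str]] = {
    "HQ": ["East", "West"],
    "East": ["East-Sales", "East-Support"],
    "West": ["West-Sales"],
    "East-Sales": [], "East-Support": [], "West-Sales": [],
}

# Constructed data rows: (lead id, owning organization, owner's position attribute).
LEADS = [(1, "East-Sales", "rep"), (2, "East-Support", "rep"),
         (3, "West-Sales", "rep"), (4, "East", "manager")]


def number_tree(tree: Dict[str, List[str]], root: str) -> Dict[str, Tuple[int, int]]:
    """Assign (lft, rgt) by pre-order DFS. A node's descendants are exactly the
    nodes whose lft lies between its own lft and rgt."""
    bounds: Dict[str, Tuple[int, int]] = {}
    counter = 0

    def visit(node: str) -> None:
        nonlocal counter
        counter += 1
        lft = counter
        for child in tree[node]:
            visit(child)
        counter += 1
        bounds[node] = (lft, counter)

    visit(root)
    return bounds


def build_sample_db() -> sqlite3.Connection:
    """In-memory tables: org(name, lft, rgt) and lead(id, org, owner_pos)."""
    bounds = number_tree(ORG_TREE, "HQ")
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE org (name TEXT PRIMARY KEY, lft INTEGER, rgt INTEGER)")
    conn.execute("CREATE TABLE lead (id INTEGER PRIMARY KEY, org TEXT, owner_pos TEXT)")
    conn.executemany("INSERT INTO org VALUES (?, ?, ?)",
                     [(name, l, r) for name, (l, r) in bounds.items()])
    conn.executemany("INSERT INTO lead VALUES (?, ?, ?)", LEADS)
    return conn


def visible_leads(conn: sqlite3.Connection, scope_org: str,
                  position: Optional[str] = None) -> List[int]:
    """Data-permission filter: leads whose organization is inside the caller's
    scope subtree, optionally narrowed by the custom owner_pos attribute."""
    sql = ("SELECT lead.id FROM lead "
           "JOIN org ON org.name = lead.org "
           "JOIN org AS scope ON scope.name = ? "
           "WHERE org.lft BETWEEN scope.lft AND scope.rgt")
    params: List[str] = [scope_org]
    if position is not None:
        sql += " AND lead.owner_pos = ?"
        params.append(position)
    return [row[0] for row in conn.execute(sql + " ORDER BY lead.id", params)]


def ancestors(conn: sqlite3.Connection, org: str) -> List[str]:
    """The chain above a node, root first: ancestors enclose the node's interval."""
    sql = ("SELECT a.name FROM org AS a JOIN org AS n ON n.name = ? "
           "WHERE a.lft < n.lft AND a.rgt > n.rgt ORDER BY a.lft")
    return [row[0] for row in conn.execute(sql, (org,))]


if __name__ == "__main__":
    db = build_sample_db()
    print(number_tree(ORG_TREE, "HQ"))
    print("East scope:", visible_leads(db, "East"))
    print("East managers:", visible_leads(db, "East", position="manager"))
    print("above East-Sales:", ancestors(db, "East-Sales"))
```

The trade‑off a practitioner should know: reads are one range comparison and index‑friendly, but inserting or moving an organization node renumbers every node to its right, so the tree is best rebuilt in one transaction when the org structure changes and cached between changes.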

3.4 High‑Performance, High‑Availability Authorization Service

The service is deployed across three data centers (Suzhou, Beijing, Guangzhou) with Istio for load balancing, circuit breaking, and service discovery. It uses a three‑level cache: in‑memory (5‑minute TTL), Redis, and DB fallback.
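An added example of the three‑level read path (process memory with a 5‑minute TTL, then Redis, then the database), written for this summary and not the platform's code. `FakeRedis` is a constructed stand‑in with `get`/`setex`/`delete` semantics, the Redis TTL and the cache key format are assumptions, and the database is a callable that returns the user's function set.

```python
import time
from typing import Any, Callable, Dict, Optional, Tuple

MEMORY_TTL = 300      # level 1, process memory: 5 minutes, as stated above
REDIS_TTL = 3600      # assumed TTL for level 2, the shared Redis


class FakeRedis:
    """Constructed stand-in for a Redis client (SETEX / GET / DEL only)."""

    def __init__(self, now: Callable[[], float]) -> None:
        self.now = now
        self.store: Dict[str, Tuple[Any, float]] = {}

    def get(self, key: str) -> Optional[Any]:
        entry = self.store.get(key)
        if entry is None:
            return None
        value, expiry = entry
        if self.now() >= expiry:
            self.store.pop(key, None)
            return None
        return value

    def setex(self, key: str, ttl: int, value: Any) -> None:
        self.store[key] = (value, self.now() + ttl)

    def delete(self, key: str) -> None:
        self.store.pop(key, None)


class TieredPermissionCache:
    """Read-through cache: memory -> Redis -> DB, filling the upper levels on a miss."""

    def __init__(self, load_from_db: Callable[[str], Any], redis: FakeRedis,
                 now: Callable[[], float] = time.time) -> None:
        self.load_from_db = load_from_db
        self.redis = redis
        self.now = now
        self.memory: Dict[str, Tuple[Any, float]] = {}
        self.hits = {"memory": 0, "redis": 0, "db": 0}   # observability for the demo

    def get(self, key: str) -> Any:
        entry = self.memory.get(key)
        if entry is not None and self.now() < entry[1]:      # level 1 hit
            self.hits["memory"] += 1
            return entry[0]
        value = self.redis.get(key)
        if value is not None:                                # level 2 hit
            self.hits["redis"] += 1
            self.memory[key] = (value, self.now() + MEMORY_TTL)
            return value
        self.hits["db"] += 1                                 # level 3: DB fallback
        value = self.load_from_db(key)
        self.redis.setex(key, REDIS_TTL, value)              # empty sets are cached too
        self.memory[key] = (value, self.now() + MEMORY_TTL)
        return value

    def invalidate(self, key: str) -> None:
        """Called when a permission changes; clears this process and Redis."""
        self.memory.pop(key, None)
        self.redis.delete(key)


if __name__ == "__main__":
    rows = {"tenant-1:alice": frozenset({"lead:view"})}      # constructed DB content
    clock = [0.0]
    cache = TieredPermissionCache(lambda k: rows.get(k, frozenset()),
                                  FakeRedis(lambda: clock[0]), now=lambda: clock[0])
    cache.get("tenant-1:alice"); cache.get("tenant-1:alice")
    clock[0] += MEMORY_TTL + 1
    cache.get("tenant-1:alice")
    print(cache.hits)
```

The security caveat lives in `invalidate()`: it clears only the local process and Redis, so other replicas keep serving their in‑memory copy for up to the 5‑minute TTL. A revoked permission therefore lingers for that window unless the change is broadcast to every instance or the memory TTL is shortened for sensitive functions.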

4. Conclusion

The platform delivers a configurable, secure, and scalable account‑login and permission solution for Baidu’s ToB verticals. Future work will continue to enrich account and permission capabilities, improve stability, and provide a one‑stop solution for enterprise customers.

Tags: Backend, Access Control, Authentication, Authorization, RBAC, SSO, OAuth