Configurable adaptive access manager callouts
First Claim
1. A computer-implemented method comprising:
in response to an authentication request for a user associated with an identity domain, determining, by a computer system of an authorization system, based on a mapping between one or more access managers and one or more of a plurality of identity domains, an access manager that is associated with the identity domain with which the user is associated, wherein the access manager is included in the one or more access managers;
applying a policy associated with the identity domain to the authentication request;
determining, based on applying the policy to the authentication request, whether to request, from the access manager, an additional authentication process for authenticating the user for the authentication request, the additional authentication process being different from a standard authentication process;
upon determining to request the additional authentication process from the access manager, sending, by the computer system, a request to the access manager for information defining the additional authentication process for authenticating the user for the authentication request;
receiving, by the computer system, from the access manager, a response to the request, the response including the information defining the additional authentication process; and
performing, by the computer system, the additional authentication process to authenticate the user for the authentication request based on the information.
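The claim-1 flow above as a runnable simulation. This is an added example, not code from the patent or its assignee: the access manager callout is modelled as an in-process call, and the domains, policy rules and challenge types are constructed for illustration. Requests for an identity domain with no mapped access manager fail closed.

```python
# Added example (not the patent's own code): simulation of the claim-1 flow.
# Access-manager callouts are in-process calls; domains, policies and
# challenge types below are constructed for illustration.
from dataclasses import dataclass, field

@dataclass
class AuthRequest:
    user: str
    identity_domain: str
    device_known: bool
    client_ip: str

@dataclass
class Challenge:            # "information defining the additional authentication process"
    kind: str               # e.g. "otp" or "security_question"
    params: dict = field(default_factory=dict)

class AccessManager:
    """Stand-in for a tenant's access manager reached via callout."""
    def __init__(self, name, challenge):
        self.name, self.challenge = name, challenge
    def describe_additional_auth(self, req):       # the callout in claim 1
        return self.challenge
    def verify(self, challenge, user_input):
        return user_input == challenge.params.get("expected")

# Per-domain policy: True means step-up authentication is required.
POLICIES = {
    "acme.example": lambda r: not r.device_known,
    "globex.example": lambda r: (not r.device_known) or not r.client_ip.startswith("10."),
}
# Mapping between access managers and identity domains (claim 1).
ACCESS_MANAGERS = {
    "acme.example": AccessManager("acme-am", Challenge("otp", {"digits": 6, "expected": "123456"})),
    "globex.example": AccessManager("globex-am", Challenge("security_question", {"expected": "rex"})),
}

def authenticate(req, standard_ok, step_up_input=None):
    """Return (outcome, challenge_kind). Unmapped domains fail closed."""
    am = ACCESS_MANAGERS.get(req.identity_domain)
    policy = POLICIES.get(req.identity_domain)
    if am is None or policy is None:
        return ("denied_unmapped_domain", None)
    if not standard_ok:                 # standard authentication failed
        return ("denied_standard", None)
    if not policy(req):                 # policy: no additional process needed
        return ("allowed_standard", None)
    challenge = am.describe_additional_auth(req)      # request to the access manager
    if step_up_input is None:           # first pass: tell the caller what to collect
        return ("challenge_required", challenge.kind)
    if am.verify(challenge, step_up_input):
        return ("allowed_step_up", challenge.kind)
    return ("denied_step_up", challenge.kind)
```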
1 Assignment
0 Petitions
Abstract
A framework, which conforms to the OAuth standard, involves a generic OAuth authorization server that can be used by multiple resource servers in order to ensure that access to resources stored on those resource servers is limited to access to which the resource owner consents. Each resource server registers, with the OAuth authorization server, metadata for that resource server, indicating scopes that are recognized by the resource server. The OAuth authorization server refers to this metadata when requesting consent from a resource owner on behalf of a client application, so that the consent will be of an appropriate scope. The OAuth authorization server refers to this metadata when constructing an access token to provide to the client application for use in accessing the resources on the resource server. The OAuth authorization server uses this metadata to map issued access tokens to the scopes to which those access tokens grant access.
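The scope-metadata mechanism described in the abstract, as an added example that is not the patent's or its assignee's code: resource servers register the scopes they recognise, the authorization server builds the consent prompt from that metadata, issues a token covering only registered and consented scopes, and answers a resource server's token-to-scope lookup. Resource server ids and scope names are constructed.

```python
# Added example (not the patent's own code): a generic OAuth authorization
# server keyed on per-resource-server scope metadata. Ids and scopes are
# constructed for illustration.
import secrets

class AuthorizationServer:
    def __init__(self):
        self.rs_metadata = {}     # resource server id -> {scope: description}
        self.tokens = {}          # access token -> (rs id, frozenset of scopes)

    def register_resource_server(self, rs_id, scopes):
        """Resource server registers the scopes it recognises."""
        self.rs_metadata[rs_id] = dict(scopes)

    def consent_prompt(self, rs_id, requested):
        """Lines shown to the resource owner; unregistered scopes are refused."""
        known = self.rs_metadata[rs_id]
        unknown = [s for s in requested if s not in known]
        if unknown:
            raise ValueError(f"scopes not registered by {rs_id}: {unknown}")
        return [f"{s}: {known[s]}" for s in requested]

    def issue_token(self, rs_id, requested, consented):
        """Token covers only scopes that are both registered and consented."""
        known = self.rs_metadata[rs_id]
        granted = frozenset(s for s in requested if s in known and s in consented)
        if not granted:
            raise PermissionError("no consented scopes")
        token = secrets.token_urlsafe(16)
        self.tokens[token] = (rs_id, granted)
        return token

    def scopes_for(self, token, rs_id):
        """Resource server asks which of its scopes a presented token grants."""
        entry = self.tokens.get(token)
        if entry is None or entry[0] != rs_id:
            return frozenset()    # unknown token, or token issued for another server
        return entry[1]
```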
20 Claims

1. A computer-implemented method comprising:
in response to an authentication request for a user associated with an identity domain, determining, by a computer system of an authorization system, based on a mapping between one or more access managers and one or more of a plurality of identity domains, an access manager that is associated with the identity domain with which the user is associated, wherein the access manager is included in the one or more access managers;
applying a policy associated with the identity domain to the authentication request;
determining, based on applying the policy to the authentication request, whether to request, from the access manager, an additional authentication process for authenticating the user for the authentication request, the additional authentication process being different from a standard authentication process;
upon determining to request the additional authentication process from the access manager, sending, by the computer system, a request to the access manager for information defining the additional authentication process for authenticating the user for the authentication request;
receiving, by the computer system, from the access manager, a response to the request, the response including the information defining the additional authentication process; and
performing, by the computer system, the additional authentication process to authenticate the user for the authentication request based on the information.
Dependent claims: 2 to 14.

15. A non-transitory computer-readable memory comprising instructions which, when executed by one or more processors, cause the one or more processors to perform:
in response to an authentication request for a user associated with an identity domain, determine, based on a mapping between one or more access managers and one or more of a plurality of identity domains, an access manager that is associated with the identity domain with which the user is associated, wherein the access manager is included in the one or more access managers;
apply a policy associated with the identity domain to the authentication request;
determine, based on applying the policy to the authentication request, whether to request, from the access manager, an additional authentication process for authenticating the user for the authentication request, the additional authentication process being different from a standard authentication process;
upon determining to request the additional authentication process from the access manager, send, by the computer system, a request to the access manager for information defining the additional authentication process for authenticating the user for the authentication request;
receive, from the access manager, a response to the request, the response including the information defining the additional authentication process; and
perform the additional authentication process to authenticate the user for the authentication request based on the information.
Dependent claims: 16.

17. A system comprising:
one or more processors; and
a memory accessible to the one or more processors, wherein the memory stores one or more instructions which, upon execution by the one or more processors, causes the one or more processors to:
in response to an authentication request for a user associated with an identity domain, determine, based on a mapping between one or more access managers and one or more of a plurality of identity domains, an access manager that is associated with the identity domain with which the user is associated, wherein the access manager is included in the one or more access managers;
apply a policy associated with the identity domain to the authentication request;
determine, based on applying the policy to the authentication request, whether to request, from the access manager, an additional authentication process for authenticating the user for the authentication request, the additional authentication process being different from a standard authentication process;
upon determining to request the additional authentication process from the access manager, send, by the computer system, a request to the access manager for information defining the additional authentication process for authenticating the user for the authentication request;
receive, from the access manager, a response to the request, the response including the information defining the additional authentication process; and
perform the additional authentication process to authenticate the user for the authentication request based on the information.
Dependent claims: 18, 19 and 20.