Token scope reduction
First Claim
1. A computer-implemented method comprising:
requesting, by a client device, an authorization code from an authentication server for a set of authorization scopes, the set of authorization scopes including authorization scopes for a plurality of security domains;
receiving, at the client device, the authorization code from the authentication server;
sending, to the authentication server, a request for an access token, the request including the authorization code;
receiving at the client device the access token, based on the authorization code, from the authentication server, wherein the access token provides access to resource services distributed across a plurality of security domains;
deriving, by the client device, a first subset of authorization scopes of the access token, wherein the first subset is limited to a first security domain of the plurality of security domains;
responsive to providing the first subset and the access token to the authentication server, receiving, at the client device, a first reduced-scope access token, wherein the first reduced-scope access token provides access to at least one resource service in the first security domain;
utilizing, by the client device, the first reduced-scope access token to access the at least one resource service in the first security domain; and
responsive to receiving the first reduced-scope access token, transmitting, by the client device, a request to the authorization server for scopes associated with the first reduced-scope access token.
1 Assignment
0 Petitions
Abstract
Techniques are provided for augmenting the capabilities of the standard OAuth2 authorization framework in such a way as to allow clients to consume the services of multiple resource servers residing in disjoint security domains while requiring only a single one-time user authentication. An access token that provides access to resource services distributed across a plurality of security domains is partitioned into a plurality of reduced-scope access tokens. Each reduced-scope access token is limited to a subset of authorization scopes of the access token, providing access to a resource service in a particular security domain based upon the subset.
47 Citations
20 Claims
1. A computer-implemented method comprising:
(Text as given under First Claim above.)
View Dependent Claims (2, 3, 4, 5)

6. A computer-implemented method comprising:
receiving, at an authorization server, a request for an authorization code for a set of authorization scopes, the set of authorization scopes including authorization scopes for a plurality of security domains;
sending, to the client, the authorization code;
receiving, at the authorization server, a request for an access token, the request including the authorization code;
generating, at the authorization server, the access token based on the authorization code, wherein the access token provides access to resource services distributed across a plurality of security domains;
sending the access token to the client;
receiving, at the authorization server, a request from the client for a first reduced-scope access token, wherein an authorization scope of the first reduced-scope access token is limited to a first subset of authorization scopes of the access token;
generating, by the authorization server, the first reduced-scope access token based on the first subset of authorization scopes, wherein the first reduced-scope access token provides access to at least one resource service in a first security domain of the plurality of security domains;
sending, to the client, the first reduced-scope access token; and
receiving, from the client, a request for scopes associated with the first reduced-scope access token.
View Dependent Claims (7, 8, 9, 10)

11. An apparatus comprising:
a network interface unit configured to enable communications over a network; and
at least one processor configured to:
request an authorization code from an authentication server for a set of authorization scopes, the set of authorization scopes including authorization scopes for a plurality of security domains;
receive the authorization code from the authentication server;
send, to the authentication server, a request for an access token, the request including the authorization code;
receive the access token, based on the authorization code, from the authentication server, wherein the access token provides access to resource services distributed across a plurality of security domains;
derive a first subset of authorization scopes of the access token, wherein the first subset is limited to a first security domain of the plurality of security domains;
responsive to providing the first subset and the access token to the authentication server, receive a first reduced-scope access token, wherein the first reduced-scope access token provides access to at least one resource service in the first security domain;
utilize the first reduced-scope access token to access the at least one resource service in the first security domain; and
responsive to receiving the first reduced-scope access token, transmit a request to the authorization server for scopes associated with the first reduced-scope access token.
View Dependent Claims (12, 13, 14, 15)

16. An apparatus comprising:
a network interface unit configured to enable communications over a network; and
at least one processor configured to:
receive, from a client, a request for an authorization code for a set of authorization scopes, the set of authorization scopes including authorization scopes for a plurality of security domains;
send, to the client, the authorization code;
receive, from the client, a request for an access token, the request including the authorization code;
generate the access token based on the authorization code, wherein the access token provides access to resource services distributed across a plurality of security domains;
send the access token to the client;
receive a request from the client for a first reduced-scope access token, wherein an authorization scope of the first reduced-scope access token is limited to a first subset of authorization scopes of the access token;
generate the first reduced-scope access token based on the first subset of authorization scopes, wherein the first reduced-scope access token provides access to at least one resource service in a first security domain of the plurality of security domains;
send the first reduced-scope access token to the client; and
receive a request for scopes associated with the first reduced-scope access token.
View Dependent Claims (17, 18, 19, 20)
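The following is an added, self-contained simulation of the flow in claims 1 and 6 (client side and authorization server side), written for this page; it is not code from the patent or its assignee. It assumes, beyond what the claims state, that scope strings are named "<domain>:<action>" so the security domain is the prefix before the colon, that tokens are opaque server-side handles, and that the exchange endpoint is called exchange_reduced_scope(). The security-relevant checks are in that method: a reduced-scope token may never carry scopes its parent lacked, and it is limited to exactly one security domain. The resource server, as an assumed policy, accepts only tokens already narrowed to its own domain, which is the point of partitioning the broad token in the first place.

```python
"""Simulation of OAuth2 token scope reduction across security domains.
Illustrative code added for this page, not the patent's own implementation."""
import secrets
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Optional, Set


def domain_of(scope: str) -> str:
    """Security domain is the prefix before ':' (assumed naming scheme)."""
    return scope.split(":", 1)[0]


@dataclass(frozen=True)
class TokenRecord:
    scopes: FrozenSet[str]
    domain: Optional[str]   # None for the full multi-domain access token
    parent: Optional[str]   # handle of the token this one was derived from


class AuthorizationServer:
    """Authorization-server side (claim 6): code issuance, token issuance,
    reduced-scope exchange, and lookup of the scopes bound to a token."""

    def __init__(self) -> None:
        self._codes: Dict[str, FrozenSet[str]] = {}
        self._tokens: Dict[str, TokenRecord] = {}

    def issue_authorization_code(self, requested: Iterable[str]) -> str:
        code = secrets.token_urlsafe(16)
        self._codes[code] = frozenset(requested)
        return code

    def exchange_code(self, code: str) -> str:
        scopes = self._codes.pop(code, None)   # authorization codes are single-use
        if scopes is None:
            raise PermissionError("unknown or already-used authorization code")
        handle = secrets.token_urlsafe(16)
        self._tokens[handle] = TokenRecord(scopes, None, None)
        return handle

    def exchange_reduced_scope(self, access_token: str, subset: Iterable[str]) -> str:
        parent = self._tokens.get(access_token)
        if parent is None:
            raise PermissionError("unknown access token")
        wanted = frozenset(subset)
        if not wanted:
            raise ValueError("reduced-scope request must name at least one scope")
        if not wanted <= parent.scopes:   # no escalation beyond the parent token
            raise PermissionError("requested scopes exceed those of the access token")
        domains = {domain_of(s) for s in wanted}
        if len(domains) != 1:             # one reduced token per security domain
            raise ValueError("a reduced-scope token is limited to a single security domain")
        handle = secrets.token_urlsafe(16)
        self._tokens[handle] = TokenRecord(wanted, domains.pop(), access_token)
        return handle

    def scopes_of(self, token: str) -> FrozenSet[str]:
        """Answers the client's request for the scopes associated with a token."""
        rec = self._tokens.get(token)
        if rec is None:
            raise PermissionError("unknown token")
        return rec.scopes

    def domain_of_token(self, token: str) -> Optional[str]:
        rec = self._tokens.get(token)
        if rec is None:
            raise PermissionError("unknown token")
        return rec.domain


class ResourceServer:
    """A resource service living in exactly one security domain."""

    def __init__(self, domain: str, auth: AuthorizationServer) -> None:
        self.domain, self.auth = domain, auth

    def is_authorized(self, token: str, required_scope: str) -> bool:
        # Assumed policy: accept only tokens already narrowed to this domain, so a
        # token leaked from this service carries no authority in other domains.
        if self.auth.domain_of_token(token) != self.domain:
            return False
        return required_scope in self.auth.scopes_of(token)


def partition_by_domain(scopes: Iterable[str]) -> Dict[str, Set[str]]:
    """Client-side derivation of per-domain scope subsets (claim 1, 'deriving')."""
    by_domain: Dict[str, Set[str]] = {}
    for s in scopes:
        by_domain.setdefault(domain_of(s), set()).add(s)
    return by_domain


def run_client_flow(auth: AuthorizationServer, requested: Iterable[str]):
    """Client side (claim 1): code -> broad token -> one reduced token per domain
    -> confirm each reduced token's scopes with the authorization server."""
    code = auth.issue_authorization_code(requested)
    access_token = auth.exchange_code(code)
    reduced = {d: auth.exchange_reduced_scope(access_token, sub)
               for d, sub in partition_by_domain(requested).items()}
    confirmed = {d: auth.scopes_of(t) for d, t in reduced.items()}
    return access_token, reduced, confirmed


if __name__ == "__main__":
    # Constructed sample: one user consent spanning two security domains.
    srv = AuthorizationServer()
    broad, per_domain, scopes = run_client_flow(srv, {"mail:read", "mail:send", "files:read"})
    mail = ResourceServer("mail", srv)
    print(sorted(scopes["mail"]), mail.is_authorized(per_domain["mail"], "mail:send"))
```

Running the module issues one broad token and two reduced tokens; only the "mail" reduced token is accepted by the mail resource server, while the broad token and the "files" token are refused there, and any attempt to exchange for a scope the broad token never had is rejected by the authorization server.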
Specification