Token scope reduction

US 10,104,084 B2
Filed: 11/16/2015
Issued: 10/16/2018
Est. Priority Date: 07/30/2015
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method comprising:

requesting, by a client device, an authorization code from an authentication server for a set of authorization scopes, the set of authorization scopes including authorization scopes for a plurality of security domains;

receiving, at the client device, the authorization code from the authentication server;

sending, to the authentication server, a request for an access token, the request including the authorization code;

receiving at the client device the access token, based on the authorization code, from the authentication server, wherein the access token provides access to resource services distributed across a plurality of security domains;

deriving, by the client device, a first subset of authorization scopes of the access token, wherein the first subset is limited to a first security domain of the plurality of security domains;

responsive to providing the first subset and the access token to the authentication server, receiving, at the client device, a first reduced-scope access token, wherein the first reduced-scope access token provides access to at least one resource service in the first security domain;

utilizing, by the client device, the first reduced-scope access token to access the at least one resource service in the first security domain; and

responsive to receiving the first reduced-scope access token, transmitting, by the client device, a request to the authorization server for scopes associated with the first reduced-scope access token.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques are provided for augmenting the capabilities of the standard OAuth2 authorization framework in such a way as to allow clients to consume the services of multiple resource servers residing in disjoint security domains while requiring only a single one-time user authentication. An access token that provides access to resource services distributed across a plurality of security domains is partitioned into a plurality of reduced-scope access tokens. Each reduced-scope access token is limited to a subset of authorization scopes of the access token, providing access to a resource service in a particular security domain based upon the subset.

47 Citations

View as Search Results

20 Claims

1. A computer-implemented method comprising:
- requesting, by a client device, an authorization code from an authentication server for a set of authorization scopes, the set of authorization scopes including authorization scopes for a plurality of security domains;
  
  receiving, at the client device, the authorization code from the authentication server;
  
  sending, to the authentication server, a request for an access token, the request including the authorization code;
  
  receiving at the client device the access token, based on the authorization code, from the authentication server, wherein the access token provides access to resource services distributed across a plurality of security domains;
  
  deriving, by the client device, a first subset of authorization scopes of the access token, wherein the first subset is limited to a first security domain of the plurality of security domains;
  
  responsive to providing the first subset and the access token to the authentication server, receiving, at the client device, a first reduced-scope access token, wherein the first reduced-scope access token provides access to at least one resource service in the first security domain;
  
  utilizing, by the client device, the first reduced-scope access token to access the at least one resource service in the first security domain; and
  
  responsive to receiving the first reduced-scope access token, transmitting, by the client device, a request to the authorization server for scopes associated with the first reduced-scope access token.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The computer-implemented method of claim 1 comprising:
    - deriving a second subset of authorization scopes of the access token, wherein the second subset is limited to a second security domain of the plurality of security domains;
      
      responsive to providing the second subset and the access token to the authentication server, receiving a second reduced-scope access token, wherein the second reduced-scope access token provides access to at least one resource service in the second security domain; and
      
      utilizing the second reduced-scope access token to access the at least one resource service in the second security domain.
  - 3. The computer-implemented method of claim 1, further comprising:
    - receiving the access token in response to user authentication; and
      
      receiving the first reduced-scope access token without additional user authentication.
  - 4. The computer-implemented method of claim 1, wherein the first reduced-scope access token has a same principal and expiration time as the access token.
  - 5. The computer-implemented method of claim 1, further comprising:
    - discarding, by the client device, the access token when one or more requested reduced-scope access tokens have been received.

6. A computer-implemented method comprising:
- receiving, at an authorization server, a request for an authorization code for a set of authorization scopes, the set of authorization scopes including authorization scopes for a plurality of security domains;
  
  sending, to the client, the authorization code;
  
  receiving, at the authorization server, a request for an access token, the request including the authorization code;
  
  generating, at the authorization server, the access token based on the authorization code, wherein the access token provides access to resource services distributed across a plurality of security domains;
  
  sending the access token to the client;
  
  receiving, at the authorization server, a request from the client for a first reduced-scope access token, wherein an authorization scope of the first reduced-scope access token is limited to a first subset of authorization scopes of the access token;
  
  generating, by the authorization server, the first reduced-scope access token based on the first subset of authorization scopes, wherein the first reduced-scope access token provides access to at least one resource service in a first security domain of the plurality of security domains;
  
  sending, to the client, the first reduced-scope access token to the client; and
  
  receiving, from the client, a request for scopes associated with the first reduced-scope access token.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The computer-implemented method of claim 6, further comprising:
    - receiving another request from the client for a second reduced-scope access token, wherein the authorization scope of the second reduced-scope access token is limited to a second subset of the authorization scopes of the access token;
      
      generating the second reduced-scope access token based on the second subset of the authorization scopes, wherein the second reduced-scope access token provides access to at least one resource service in a second security domain of the plurality of security domains; and
      
      sending the second reduced-scope access token to the client.
  - 8. The computer-implemented method of claim 6, further comprising:
    - generating the access token in response to user authentication; and
      
      generating the first reduced-scope access token based on the access token without additional user authentication.
  - 9. The computer-implemented method of claim 6, wherein the first reduced-scope access token has a same principal and expiration time as the access token.
  - 10. The computer-implemented method of claim 6, further comprising:
    - receiving from a resource server, a request for the first subset of the authorization scopes for the first reduced-scope access token; and
      
      sending the first subset of the authorization scopes to the resource server.

11. An apparatus comprising:
- a network interface unit configured to enable communications over a network; and
  
  at least one processor configured to;
  
  request an authorization code from an authentication server for a set of authorization scopes, the set of authorization scopes including authorization scopes for a plurality of security domains;
  
  receive the authorization code from the authentication server;
  
  send, to the authentication server, a request for an access token, the request including the authorization code;
  
  receive the access token, based on the authorization code, from the authentication server, wherein the access token provides access to resource services distributed across a plurality of security domains;
  
  derive a first subset of authorization scopes of the access token, wherein the first subset is limited to a first security domain of the plurality of security domains;
  
  responsive to providing the first subset and the access token to the authentication server, receive a first reduced-scope access token, wherein the first reduced-scope access token provides access to at least one resource service in the first security domain;
  
  utilize the first reduced-scope access token to access the at least one resource service in the first security domain; and
  
  responsive to receiving the first reduced-scope access token, transmit a request to the authorization server for scopes associated with the first reduced-scope access token.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The apparatus of claim 11, wherein the processor is further configured to:
    - derive a second subset of authorization scopes of the access token, wherein the second subset is limited to a second security domain of the plurality of security domains;
      
      responsive to providing the second subset and the access token to the authentication server, receive a second reduced-scope access token, wherein the second reduced-scope access token provides access to at least one resource service in the second security domain; and
      
      utilize the second reduced-scope access token to access the at least one resource service in the second security domain.
  - 13. The apparatus of claim 11, wherein the processor is further configured to:
    - receive the access token in response to user authentication; and
      
      receive the first reduced-scope access token without additional user authentication.
  - 14. The apparatus of claim 11, wherein the first reduced-scope access token has a same principal and expiration time as the access token.
  - 15. The apparatus of claim 11, wherein the processor is further configured to:
    - discard the access token when one or more requested reduced-scope access tokens have been received.

16. An apparatus comprising:
- a network interface unit configured to enable communications over a network; and
  
  at least one processor configured to;
  
  receive, from a client, a request for an authorization code for a set of authorization scopes, the set of authorization scopes including authorization scopes for a plurality of security domains;
  
  send, to the client, the authorization code;
  
  receive, from the client, a request for an access token, the request including the authorization code;
  
  generate the access token based on the authorization code, wherein the access token provides access to resource services distributed across a plurality of security domains;
  
  send the access token to the client;
  
  receive a request from the client for a first reduced-scope access token, wherein an authorization scope of the first reduced-scope access token is limited to a first subset of authorization scopes of the access token;
  
  generate the first reduced-scope access token based on the first subset of authorization scopes, wherein the first reduced-scope access token provides access to at least one resource service in a first security domain of the plurality of security domains;
  
  send the first reduced-scope access token to the client; and
  
  receive a request for scopes associated with the first reduced-scope access token.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The apparatus of claim 16, wherein the processor is configured to:
    - receive another request from the client for a second reduced-scope access token, wherein the authorization scope of the second reduced-scope access token is limited to a second subset of the authorization scopes of the access token;
      
      generate the second reduced-scope access token based on the second subset of the authorization scopes, wherein the second reduced-scope access token provides access to at least one resource service in a second security domain of the plurality of security domains; and
      
      send the second reduced-scope access token to the client.
  - 18. The apparatus of claim 16, wherein the processor is configured to:
    - generate the access token in response to user authentication; and
      
      generate the first reduced-scope access token based on the access token without additional user authentication.
  - 19. The apparatus of claim 16, wherein the first reduced-scope access token has a same principal and expiration time as the access token.
  - 20. The apparatus of claim 16, wherein the processor is further configured to:
    - receive from a resource server, a request for the first subset of the authorization scopes for the first reduced-scope access token; and
      
      send the first subset of the authorization scopes to the resource server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Biggs, Andrew, Cooley, Shaun, Miller, Matt, Cui, Hua, Remmel, Ian
Primary Examiner(s)
Waliullah, Mohammed

Application Number

US14/942,195
Publication Number

US 20170034172A1
Time in Patent Office

1,065 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/33   using certificates

H04L 63/08   for authentication of entit...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0815   providing single-sign-on or...

H04L 63/10   for controlling access to d...

Token scope reduction

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

47 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Token scope reduction

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

47 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links