Device access revocation
Abstract
In some implementations, after one or more users have each been granted a respective access token allowing access to a resource device, revocation data is received by the resource device. The revocation data indicates that the previously granted access to the resource device should be revoked. For example, the revocation data may indicate (i) a user, role, or permission level for which access is revoked and (ii) a duration that access to the resource device was allowed. After receiving the revocation data, the resource device receives token data derived from an access token that allows access to the resource device. The resource device determines that the access token relies on authorization of the user, role, or permission level indicated by the revocation data, and in response, the resource device denies access.
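The abstract describes a resource device that keeps revocation data keyed by user, role or permission level together with the duration of the original authorization, and denies a presented token whose authorization depends on a revoked one. The following is an added illustration of that mechanism in Python, not code from the patent or from any product; the token and revocation data model, the epoch-second timestamps, the fail-closed handling of unknown dependencies, and the pruning of revocation records once the revoked authorization's duration has run out are all assumptions made here.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Token:
    token_id: str
    user: str
    role: str                         # role or permission level, e.g. "owner" / "guest"
    expires_at: int                   # authorization expiration (epoch seconds)
    depends_on: Tuple[str, ...] = ()  # second tokens this token's authorization relies on

@dataclass(frozen=True)
class Revocation:
    expires_at: int                   # (ii) when the revoked authorization would lapse anyway
    user: Optional[str] = None        # (i) revoke by user ...
    role: Optional[str] = None        # ... or by role / permission level

    def matches(self, tok: Token) -> bool:
        return tok.user == self.user or tok.role == self.role

class ResourceDevice:
    def __init__(self) -> None:
        self.tokens: Dict[str, Token] = {}       # tokens the device has been told about
        self.revocations: List[Revocation] = []  # revocation data received so far

    def prune(self, now: int) -> int:
        # Drop revocation records whose authorization has lapsed (expired tokens are denied anyway).
        before = len(self.revocations)
        self.revocations = [r for r in self.revocations if r.expires_at > now]
        return before - len(self.revocations)

    def _chain(self, token_id: str) -> Optional[List[Token]]:
        # Token plus everything it transitively depends on; None (fail closed) if a link is unknown.
        chain, pending = [], [token_id]
        while pending:
            tok = self.tokens.get(pending.pop())
            if tok is None:
                return None
            if tok not in chain:
                chain.append(tok)
                pending.extend(tok.depends_on)
        return chain

    def check_access(self, token_id: str, now: int) -> bool:
        # Deny if the presented token, or any token it depends on, is expired or revoked.
        self.prune(now)
        chain = self._chain(token_id)
        return chain is not None and not any(
            t.expires_at <= now or any(r.matches(t) for r in self.revocations)
            for t in chain)
```

The guest token below is denied as soon as the owner it depends on is revoked, even though the guest's own token is untouched and the owner's authorization has not yet expired.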
15 Claims
1. A method performed by a resource device comprising a data processing apparatus, the method comprising:
- after multiple users have each been granted a respective access token allowing access to a resource device, receiving, by the resource device, revocation data indicating that the previously granted access to the resource device should be revoked for one or more of the multiple users, wherein the revocation data indicates (i) a user, role, or permission level for which access is revoked and (ii) an authorization duration or an authorization expiration time for a previous authorization of access to the resource device for the indicated user, role, or permission level;
- after receiving the revocation data, receiving, by the resource device, token data derived from a first access token that allows access to the resource device, the first access token being issued to a first user;
- determining, by the resource device and based on the token data, that authorization for the first access token is dependent on authorization for one or more second access tokens that provide access to the resource device, the one or more second access tokens respectively being granted to users different from the first user;
- determining, by the resource device, that at least one of the one or more second access tokens corresponds to the user, role, or permission level indicated by the revocation data; and
- in response to receiving the token data and before expiration of the previous authorization of access to the resource device for the indicated user, role, or permission level, denying, by the resource device, access to the resource device based on (i) determining that the first access token is dependent on authorization for the one or more second access tokens, and (ii) determining that at least one of the one or more second access tokens corresponds to the user, role, or permission level indicated by the revocation data.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9.

10. A non-transitory computer-readable storage device encoded with computer program instructions that, when executed by one or more computers, cause the one or more computers to perform operations comprising:
- after multiple users have each been granted a respective access token allowing access to a resource device, receiving, by the resource device, revocation data indicating that the previously granted access to the resource device should be revoked for one or more of the multiple users, wherein the revocation data indicates (i) a user, role, or permission level for which access is revoked and (ii) an authorization duration or an authorization expiration time for a previous authorization of access to the resource device for the indicated user, role, or permission level;
- after receiving the revocation data, receiving, by the resource device, token data derived from a first access token that allows access to the resource device, the first access token being issued to a first user;
- determining, by the resource device and based on the token data, that authorization for the first access token is dependent on authorization for one or more second access tokens that provide access to the resource device, the one or more second access tokens respectively being granted to users different from the first user;
- determining, by the resource device, that at least one of the one or more second access tokens corresponds to the user, role, or permission level indicated by the revocation data; and
- in response to receiving the token data and before expiration of the previous authorization of access to the resource device for the indicated user, role, or permission level, denying, by the resource device, access to the resource device based on (i) determining that the first access token is dependent on authorization for the one or more second access tokens, and (ii) determining that at least one of the one or more second access tokens corresponds to the user, role, or permission level indicated by the revocation data.

Dependent claims: 11.

12. A system comprising:
- one or more computers; and
- a non-transitory computer-readable medium coupled to the one or more computers having instructions stored thereon, which, when executed by the one or more computers, cause the one or more computers to perform operations comprising:
  - after multiple users have each been granted a respective access token allowing access to a resource device, receiving, by the resource device, revocation data indicating that the previously granted access to the resource device should be revoked for one or more of the multiple users, wherein the revocation data indicates (i) a user, role, or permission level for which access is revoked and (ii) an authorization duration or an authorization expiration time for a previous authorization of access to the resource device for the indicated user, role, or permission level;
  - after receiving the revocation data, receiving, by the resource device, token data derived from a first access token that allows access to the resource device, the first access token being issued to a first user;
  - determining, by the resource device and based on the token data, that authorization for the first access token is dependent on authorization for one or more second access tokens that provide access to the resource device, the one or more second access tokens respectively being granted to users different from the first user;
  - determining, by the resource device, that at least one of the one or more second access tokens corresponds to the user, role, or permission level indicated by the revocation data; and
  - in response to receiving the token data and before expiration of the previous authorization of access to the resource device for the indicated user, role, or permission level, denying, by the resource device, access to the resource device based on (i) determining that the first access token is dependent on authorization for the one or more second access tokens, and (ii) determining that at least one of the one or more second access tokens corresponds to the user, role, or permission level indicated by the revocation data.

Dependent claims: 13, 14, 15.
Specification