Identity cloud service authorization model

US 10,454,940 B2
Filed: 03/30/2017
Issued: 10/22/2019
Est. Priority Date: 05/11/2016
Status: Active Grant

First Claim

Patent Images

1. A method of authorizing access to a resource, the resource accessible via a multi-tenant cloud based system and the resource is protected from access based at least on a tenancy of an access requesting user or an access requesting application, the method comprising:

receiving an access token request for an access token that corresponds to the resource, wherein the request comprises user information and application information, the user information comprising a role of the user, a corresponding tenant of the user, and an indication of whether the user is an administrator for the application, and the application information comprising a role of the application;

evaluating the access token request by computing scopes for the access token, the computing comprising determining an intersection between the user information and the application information; and

providing the access token that comprises the computed scopes, the scopes based at least on the role of the user, the role of the application, and a corresponding tenancy of the resource, and comprises actions allowed on the resource;

the access token comprising custom token claims indicating whether the user is the administrator for the application.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system for authorizing access to a resource receives a request for an access token that corresponds to the resource, where the request includes user information and application information. The user information includes a role of the user and the application information includes a role of the application. The system evaluates the request by computing scopes for the access token, including determining an intersection between the user information and the application information. The system then provides the access token that includes the computed scopes, the scopes being based at least on the role of the user and the role of the application.

345 Citations

20 Claims

1. A method of authorizing access to a resource, the resource accessible via a multi-tenant cloud based system and the resource is protected from access based at least on a tenancy of an access requesting user or an access requesting application, the method comprising:
- receiving an access token request for an access token that corresponds to the resource, wherein the request comprises user information and application information, the user information comprising a role of the user, a corresponding tenant of the user, and an indication of whether the user is an administrator for the application, and the application information comprising a role of the application;
  
  evaluating the access token request by computing scopes for the access token, the computing comprising determining an intersection between the user information and the application information; and
  
  providing the access token that comprises the computed scopes, the scopes based at least on the role of the user, the role of the application, and a corresponding tenancy of the resource, and comprises actions allowed on the resource;
  
  the access token comprising custom token claims indicating whether the user is the administrator for the application.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, further comprising:
    - receiving the access token with an access authorization request;
      
      evaluating if access to the resource to perform an operation is permitted based on the computed scopes, the resource, and the operation.
  - 3. The method of claim 2, wherein the evaluating if access to the resource to perform the operation is permitted is further based on a payload of the access authorization request or indirect attributes of the resource.
  - 4. The method of claim 1, wherein the custom token claims further comprise a tenancy in which the application is defined and a multi-value attribute that comprises administration roles granted to the application.
  - 5. The method of claim 1, the evaluating the access token request further comprising computing scopes based only the user information without the application information based on an onBehalfOfUser property.
  - 6. The method of claim 1, wherein the scopes comprise OAuth scopes.
  - 7. The method of claim 2, wherein the evaluating if access to the resource to perform the operation is permitted is based on an eXtensible Access Control Markup Language (XACML) based authorization policy.
  - 8. The method of claim 2, wherein the evaluating if access to the resource to perform the operation is permitted is based on a Representational State Transfer (REST) request.

9. A non-transitory computer readable medium having instructions stored thereon that, when executed by a processor, authorizes access to a resource, the resource accessible via a multi-tenant cloud based system and the resource is protected from access based at least on a tenancy of an access requesting user or an access requesting application, the authorizing access comprising:
- receiving an access token request for an access token that corresponds to the resource, wherein the request comprises user information and application information, the user information comprising a role of the user, a corresponding tenant of the user, and an indication of whether the user is an administrator for the application, and the application information comprising a role of the application;
  
  evaluating the access token request by computing scopes for the access token, the computing comprising determining an intersection between the user information and the application information; and
  
  providing the access token that comprises the computed scopes, the scopes based at least on the role of the user, the role of the application, and a corresponding tenancy of the resource, and comprises actions allowed on the resource;
  
  the access token comprising custom token claims indicating whether the user is the administrator for the application.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The computer readable medium of claim 9, the authorizing access further comprising:
    - receiving the access token with an access authorization request;
      
      evaluating if access to the resource to perform an operation is permitted based on the computed scopes, the resource, and the operation.
  - 11. The computer readable medium of claim 10, wherein the evaluating if access to the resource to perform the operation is permitted is further based on a payload of the access authorization request or indirect attributes of the resource.
  - 12. The computer readable medium of claim 9, wherein the custom token claims further comprise a tenancy in which the application is defined and a multi-value attribute that comprises administration roles granted to the application.
  - 13. The computer readable medium of claim 10, further generating an evaluation decision comprising one or more obligations.
  - 14. The computer readable medium of claim 9, wherein the scopes comprise OAuth scopes.
  - 15. The computer readable medium of claim 10, wherein the evaluating if access to the resource to perform the operation is permitted is based on an eXtensible Access Control Markup Language (XACML) based authorization policy.
  - 16. The computer readable medium of claim 10, wherein the evaluating if access to the resource to perform the operation is permitted is based on a Representational State Transfer (REST) request.

17. A multi-tenant cloud based system for authorizing access to a resource, the resource protected from access based at least on a tenancy of an access requesting user or an access requesting application, the system comprising:
- a processor that implements a microservice, the microservice functionality comprising;
  
  receiving an access token request for an access token that corresponds to the resource, wherein the request comprises user information and application information, the user information comprising a role of the user, a corresponding tenant of the user, and an indication of whether the user is an administrator for the application, and the application information comprising a role of the application;
  
  evaluating the access token request by computing scopes for the access token, the computing comprising determining an intersection between the user information and the application information; and
  
  providing the access token that comprises the computed scopes, the scopes based at least on the role of the user, the role of the application, and a corresponding tenancy of the resource, and comprises actions allowed on the resource;
  
  the access token comprising custom token claims indicating whether the user is the administrator for the application.
- View Dependent Claims (18, 19, 20)
- - 18. A cloud based system of claim 17, the microservice functionality further comprising:
    - receiving the access token with an access authorization request;
      
      evaluating if access to the resource to perform an operation is permitted based on the computed scopes, the resource, and the operation.
  - 19. The cloud based system of claim 18, wherein the evaluating if access to the resource to perform the operation is permitted is further based on a payload of the access authorization request or indirect attributes of the resource.
  - 20. The cloud based system of claim 17, wherein the computed scopes comprise a collection of actions permitted on the resource.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Shenoy, Swathi Vinayak, Lander, Vadim, Sastry, Hari, Katti, Sreedhar, Vepa, Sirish V.
Primary Examiner(s)
Zand, Kambiz
Assistant Examiner(s)
Wyszynski, Aubrey H

Application Number

US15/474,341
Publication Number

US 20170331832A1
Time in Patent Office

936 Days
Field of Search

726 4
US Class Current
CPC Class Codes

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0815   providing single-sign-on or...

H04L 63/102   Entity profiles

Identity cloud service authorization model

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

345 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Identity cloud service authorization model

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

345 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links