Identity cloud service authorization model
First Claim
1. A method of authorizing access to a resource, the resource accessible via a multi-tenant cloud based system and the resource is protected from access based at least on a tenancy of an access requesting user or an access requesting application, the method comprising:
- receiving an access token request for an access token that corresponds to the resource, wherein the request comprises user information and application information, the user information comprising a role of the user, a corresponding tenant of the user, and an indication of whether the user is an administrator for the application, and the application information comprising a role of the application;
- evaluating the access token request by computing scopes for the access token, the computing comprising determining an intersection between the user information and the application information; and
- providing the access token that comprises the computed scopes, the scopes based at least on the role of the user, the role of the application, and a corresponding tenancy of the resource, and comprises actions allowed on the resource;
- the access token comprising custom token claims indicating whether the user is the administrator for the application.
Abstract
A system for authorizing access to a resource receives a request for an access token that corresponds to the resource, where the request includes user information and application information. The user information includes a role of the user and the application information includes a role of the application. The system evaluates the request by computing scopes for the access token, including determining an intersection between the user information and the application information. The system then provides the access token that includes the computed scopes, the scopes being based at least on the role of the user and the role of the application.
20 Claims
9. A non-transitory computer readable medium having instructions stored thereon that, when executed by a processor, authorizes access to a resource, the resource accessible via a multi-tenant cloud based system and the resource is protected from access based at least on a tenancy of an access requesting user or an access requesting application, the authorizing access comprising:
- receiving an access token request for an access token that corresponds to the resource, wherein the request comprises user information and application information, the user information comprising a role of the user, a corresponding tenant of the user, and an indication of whether the user is an administrator for the application, and the application information comprising a role of the application;
- evaluating the access token request by computing scopes for the access token, the computing comprising determining an intersection between the user information and the application information; and
- providing the access token that comprises the computed scopes, the scopes based at least on the role of the user, the role of the application, and a corresponding tenancy of the resource, and comprises actions allowed on the resource;
- the access token comprising custom token claims indicating whether the user is the administrator for the application.
Dependent claims: 10, 11, 12, 13, 14, 15, 16.
17. A multi-tenant cloud based system for authorizing access to a resource, the resource protected from access based at least on a tenancy of an access requesting user or an access requesting application, the system comprising:
a processor that implements a microservice, the microservice functionality comprising:
- receiving an access token request for an access token that corresponds to the resource, wherein the request comprises user information and application information, the user information comprising a role of the user, a corresponding tenant of the user, and an indication of whether the user is an administrator for the application, and the application information comprising a role of the application;
- evaluating the access token request by computing scopes for the access token, the computing comprising determining an intersection between the user information and the application information; and
- providing the access token that comprises the computed scopes, the scopes based at least on the role of the user, the role of the application, and a corresponding tenancy of the resource, and comprises actions allowed on the resource;
- the access token comprising custom token claims indicating whether the user is the administrator for the application.
Dependent claims: 18, 19, 20.
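The scope computation the claims describe, intersecting what the user's role permits with what the application's role permits, gating on the resource's tenancy, and carrying the application-administrator flag as a custom claim, as an added illustration that is not code from the patent or any product; the role-to-action tables, field names and token layout are assumptions:

```python
"""Added example modelling the claimed authorization model; role tables and
the token layout are constructed assumptions, not the patent's own design."""
from dataclasses import dataclass

# Constructed role tables: actions each user role / application role may perform.
USER_ROLE_ACTIONS = {
    "viewer": {"read"},
    "editor": {"read", "write"},
    "owner": {"read", "write", "delete"},
}
APP_ROLE_ACTIONS = {
    "read_only_client": {"read"},
    "editor_client": {"read", "write"},
}


@dataclass
class TokenRequest:
    user_roles: set           # role(s) of the user
    user_tenant: str          # tenant the user belongs to
    user_is_app_admin: bool   # whether the user administers the application
    app_roles: set            # role(s) of the requesting application
    resource: str             # resource identifier
    resource_tenant: str      # tenancy of the resource


def compute_scopes(req: TokenRequest) -> set:
    """Scopes = (actions granted by user roles) ∩ (actions granted by app roles),
    and empty when the user's tenancy does not match the resource's.
    An application thus never gains more than its own role allows, and a user
    never gains more than their role allows; the token carries only the overlap."""
    if req.user_tenant != req.resource_tenant:
        return set()
    user_actions = set().union(*(USER_ROLE_ACTIONS.get(r, set()) for r in req.user_roles))
    app_actions = set().union(*(APP_ROLE_ACTIONS.get(r, set()) for r in req.app_roles))
    return user_actions & app_actions


def issue_token(req: TokenRequest) -> dict:
    """Build the token payload: computed scopes plus the custom admin claim."""
    return {
        "tenant": req.user_tenant,
        "resource": req.resource,
        "scopes": sorted(compute_scopes(req)),
        "app_admin": req.user_is_app_admin,   # custom claim taken from the request
    }


def action_allowed(token: dict, resource: str, action: str) -> bool:
    """Resource-side check: the action must be among the token's scopes for that resource."""
    return token["resource"] == resource and action in token["scopes"]
```

Note that an owner using a read-only client ends up with a read-only token, and a cross-tenant request yields no scopes at all rather than an error the caller could retry around.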