Accessing an application through application clients and web browsers

US 10,484,385 B2
Filed: 06/04/2015
Issued: 11/19/2019
Est. Priority Date: 06/04/2015
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

deploying an authorization server to control access of one or more application clients to a plurality of protected applications;

receiving, at a protected application of the plurality of protected applications, a request comprising an access token from an application client of the one or more application clients which is associated with a user, wherein the access token is issued by the authorization server during authorization of the application client for accessing the protected application;

upon determining that the access token is valid at the protected application, retrieving, from the authorization server, grant information comprising intersecting scopes of rights between Open Authorization (OAuth) rights requested to be granted to the application client at the authorization server, rights mapped to a Java role of the user at the authorization server, and rights mapped to the protected application, wherein the intersecting scopes of rights comprises an overlap between corresponding scopes of the rights of the OAuth rights requested to the granted, the rights mapped to the Java role of the user, and the rights mapped to the protected application; and

establishing a direct session between the application client and the protected application based on the intersecting scopes of rights.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A request from an application client is received at a protected application. The request includes an access token. A grant information associated with the received access token is retrieved. The grant information includes a plurality of intersecting scopes of rights granted to the application client. In another aspect, a session is established between the protected application and the application client. Furthermore, at least one scope of rights from the plurality of intersecting scopes of rights is determined to be mapped to at least one Application Programming Interface (API) from a number of APIs provided by the protected application.

Citations

18 Claims

1. A method comprising:
- deploying an authorization server to control access of one or more application clients to a plurality of protected applications;
  
  receiving, at a protected application of the plurality of protected applications, a request comprising an access token from an application client of the one or more application clients which is associated with a user, wherein the access token is issued by the authorization server during authorization of the application client for accessing the protected application;
  
  upon determining that the access token is valid at the protected application, retrieving, from the authorization server, grant information comprising intersecting scopes of rights between Open Authorization (OAuth) rights requested to be granted to the application client at the authorization server, rights mapped to a Java role of the user at the authorization server, and rights mapped to the protected application, wherein the intersecting scopes of rights comprises an overlap between corresponding scopes of the rights of the OAuth rights requested to the granted, the rights mapped to the Java role of the user, and the rights mapped to the protected application; and
  
  establishing a direct session between the application client and the protected application based on the intersecting scopes of rights.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 12)
- - 2. The method of claim 1, further comprising processing a request based on at least one scope of rights delegated to the application client that is mapped to at least one API provided by the protected application and accessible by the application client.
  - 3. The method of claim 1, wherein establishing the session with the application client further comprises:
    - marking the established session with a session author marker to specify the session is based on the intersecting scopes of rights.
  - 4. The method of claim 3 further comprises:
    - disconnecting the application client from the protected application; and
      
      invalidating the established session to reduce a number of established sessions in the protected application upon determining that the established session is marked.
  - 5. The method of claim 1 further comprises:
    - determining the intersecting scopes of rights by further intersecting the intersecting scopes of rights with a third set of scopes of rights mapped to the protected application.
  - 6. The method of claim 5 further comprises:
    - sending a request to the user to approve the determined plurality of intersecting scopes of rights; and
      
      upon approval, adding the plurality of intersecting scopes of rights to the grant information.
  - 7. The method of claim 5 further comprises:
    - sending the access token for authentication with the protected application to the application client; and
      
      associating the access token with the grant information.
  - 12. The method of claim 1, wherein the establishing comprises establishing a communication session between the application client and the protected application based on OAuth protocol.

8. A non-transitory computer readable medium storing instructions, which when executed by at least one processor cause a computer to:
- deploy an authorization server to control access of one or more application clients to a plurality of protected applications;
  
  receive, at a protected application of the plurality of protected applications, a request comprising an access token from an application client of the one or more application clients which is associated with a user, wherein the access token is issued by the authorization server during authorization of the application client for accessing the protected application;
  
  upon determining that the access token is valid at the protected application, retrieve, from the authorization server, grant information comprising intersecting scopes of rights between Open Authorization (OAuth) rights requested to be granted to the application client at the authorization server, rights mapped to a Java role of the user at the authorization server, and rights mapped to the protected application, wherein the intersecting scopes of rights comprises an overlap between corresponding scopes of the rights of the OAuth rights requested to the granted, the rights mapped to the Java role of the user, and the rights mapped to the protected application; and
  
  establish a direct session between the application client and the protected application based on the intersecting scopes of rights.
- View Dependent Claims (9, 10, 11)
- - 9. The computer readable medium of claim 8, wherein the executed instructions further cause the computer to:
    - mark the established session with a session author marker to specify the session is based on the intersecting scopes of rights;
      
      disconnect the application client from the protected application; and
      
      invalidate the established session to reduce a number of established sessions in the protected application upon determining that the established session is marked.
  - 10. The computer readable medium of claim 8, wherein the executed instructions further cause the computer to:
    - determine the intersecting scopes of rights by further intersecting the intersecting scopes of rights and a third set of scopes of rights mapped to the protected application.
  - 11. The computer readable medium of claim 10, wherein the executed instructions further cause the computer to:
    - send a request to the user to approve the intersecting scopes of rights;
      
      upon approval, add the plurality of intersecting scopes of rights to the grant information;
      
      send the access token for authentication with the protected application to the application client; and
      
      associate the access token with the grant information.

13. A computing system comprising:
- a hardware processor configured to deploy an authorization server to control access of one or more application clients to a plurality of protected applications; and
  
  a network communicator configured to receive, via a protected application of the plurality of protected applications, a request comprising an access token from an application client of the one or more application clients which is associated with a Java user, wherein the access token is issued by the authorization server during authorization of the application client for accessing the protected application,wherein the hardware processor is further configured to retrieve grant information comprising intersecting scopes of rights between Open Authorization (OAuth) rights requested to be granted to the application client at the authorization server, and rights mapped to a Java role of the Java user at the authorization server, and rights mapped to the protected application, wherein the intersecting scopes of rights comprises an overlap between corresponding scopes of the rights of the OAuth rights requested to the granted, the rights mapped to the Java role of the user, and the rights mapped to the protected application, andestablish a direct session between the application client and the protected application based on the intersecting scopes of rights.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The computing system of claim 13, wherein the hardware processor is further configured to process a request based on at least one scope of rights delegated to the application client that is mapped to at least one API provided by the protection protected application and accessible by the application client.
  - 15. The computing system of claim 13, wherein the hardware processor is further configured to mark the established session with a session author marker to specify the session is based on the plurality of intersecting scopes of rights.
  - 16. The computing system of claim 15, wherein the hardware processor is further configured to disconnect the application client from the protected application, and invalidate the established session to reduce a number of established sessions in the protected application upon determining that the established session is marked.
  - 17. The computing system of claim 13, wherein the hardware processor is further configured to control the network communicator to transmit a request to the user to approve the determined plurality of intersecting scopes of rights, and upon approval, add the plurality of intersecting scopes of rights to the grant information.
  - 18. The computing system of claim 13, wherein the hardware processor is configured to establish a communication session between the application client and the protected application based on OAuth protocol.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SAP SE
Original Assignee
SAP SE
Inventors
Manov, Milen, Minov, Jasen, Raepple, Martin
Primary Examiner(s)
Korsak, Oleg
Assistant Examiner(s)
Mejia, Feliciano S

Application Number

US14/730,235
Publication Number

US 20160359861A1
Time in Patent Office

1,629 Days
Field of Search

709225, 726 4, 726 21
US Class Current
CPC Class Codes

G06F 21/335   for accessing specific reso...

G06F 21/62   Protecting access to data v...

G06F 21/629   to features or functions of...

H04L 63/102   Entity profiles

Accessing an application through application clients and web browsers

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Accessing an application through application clients and web browsers

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links