METHOD FOR MANAGING ACCESS TO PROTECTED RESOURCES AND DELEGATING AUTHORITY IN A COMPUTER NETWORK
Abstract
In a method, a consumer (100), being a software application or web site accessing a service provider (200) on behalf of a user, transmits (s10) to a service provider (200), being a software application or web site providing access to protected resources, a request for authorization to access by the consumer (100) on behalf of a delegatee (410) the protected resources of a delegator (420). The service provider (200) transmits (s20) to a controller (300) the request for authorization. A request token is also transmitted, which is a value used by the service provider (200) to register a requested authorization. The controller (300) determines (s30) whether the requested authorization meets policy settings governing the access to the delegator's protected resources. If so, the service provider (200) grants the authorization registered by the request token, and a third message including the request token is transmitted (s50) to the consumer (100).
15 Claims
1. Method carried out at least by a consumer, a service provider and a controller, wherein
a service provider is at least one of a software application and a web site that is configured to provide access to protected resources; and
a consumer is at least one of a software application and a web site that is configured to access a service provider on behalf of a user;
the method including
transmitting, by the consumer to the service provider, a first message representing a request for authorization to access by the consumer on behalf of a first user, here referred to as delegatee, the protected resources of a second user, here referred to as delegator, from the service provider;
transmitting, by the service provider to the controller, a second message representing the request for authorization to access by the consumer on behalf of the delegatee the protected resources of the delegator from the service provider, the second message including a request token, wherein a request token is a value used by a service provider to register a requested authorization to access protected resources;
determining, by the controller, whether the requested authorization represented by the second message meets policy settings governing the access to protected resources of the delegator; and
if it is determined that the requested authorization meets the policy settings, granting, by the service provider, the authorization registered by the request token, and transmitting, by at least one of the controller and the service provider, to the consumer, a third message including the request token.
transmitting, from the service provider to the controller, a message including the request token for which the authorization has been granted.
6. Method according to claim 1, wherein the step of transmitting, to the consumer, the third message including the request token is performed from the controller.
7. Method according to claim 1, wherein the controller includes a delegation assistant being executed on behalf of the delegatee, and a delegation assistant being executed on behalf of the delegator, wherein a delegation assistant is at least one of a software application and a physical device.
8. Method according to claim 1, wherein determining, by the controller, whether the requested authorization represented by the second message meets policy settings governing the access to protected resources of the delegator includes extracting from the second message at least one of:
information about the consumer from which the requested authorization originates;
information about the delegatee on behalf of which the consumer requests authorization to access the protected resources of the delegator;
information about the protected resources on which one or more operations are requested to be authorized by means of the request token; and
information about the one or more operations which are requested to be authorized by means of the request token;
and determining whether the extracted information meets the policy settings.
9. Delegation assistant including
a receiver configured for receiving, from another delegation assistant, a message, here referred to as request message, representing a request for authorization to access by a consumer on behalf of a first user, here referred to as delegatee, the protected resources of a second user, here referred to as delegator, from the service provider, the request message including a request token, wherein
a service provider is at least one of a software application and a web site that is configured to provide access to protected resources;
a consumer is at least one of a software application and a web site that is configured to access a service provider on behalf of a user; and
a request token is a value used by a service provider to register a requested authorization to access protected resources;
a determiner configured for determining whether the requested authorization represented by the request message meets policy settings governing the access to protected resources of the delegator; and
a transmitter configured for, if it is determined that the requested authorization meets the policy settings, transmitting, to the service provider, a response message indicating that the requested authorization represented by the request message can be granted.
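The exchange of claim 1 and the policy check of claim 8, as an added simulation that is not the patent's own code: a consumer sends the first message, the service provider registers it under a request token and forwards the second message to a controller, the controller matches the extracted consumer, delegatee, resource and operations against the delegator's policy settings, and only then does the service provider grant the token and return it in the third message. The message shapes, the rule format, the `AuthRequest`, `Policy`, `Controller` and `ServiceProvider` names and the calendar scenario are all assumptions for illustration.

```python
"""Delegation flow of claims 1 and 8 (illustrative model, not the patent's code).

Assumptions: messages are plain Python objects, the delegator's policy settings
are a list of (consumer, delegatee, resource, allowed-operations) rules, and the
sample data is constructed here.
"""
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthRequest:
    """The four items claim 8 says the controller extracts from the second message."""
    consumer: str
    delegatee: str
    delegator: str
    resource: str
    operations: frozenset


class Policy:
    """Delegator's policy settings: rules of (consumer, delegatee, resource, allowed ops)."""

    def __init__(self, rules):
        self.rules = rules

    def allows(self, req: AuthRequest) -> bool:
        # Every requested operation must fall inside one rule that matches the
        # consumer, the delegatee and the resource exactly.
        return any(
            c == req.consumer and d == req.delegatee and r == req.resource
            and req.operations <= ops
            for c, d, r, ops in self.rules
        )


class Controller:
    def __init__(self, policies):
        self.policies = policies  # delegator -> Policy

    def evaluate(self, second_message) -> bool:
        req = second_message["request"]
        policy = self.policies.get(req.delegator)
        return policy is not None and policy.allows(req)


class ServiceProvider:
    def __init__(self, controller, resources):
        self.controller = controller
        self.resources = resources      # (delegator, resource) -> data
        self.registered = {}            # request_token -> AuthRequest
        self.granted = set()            # tokens the controller approved

    def authorize(self, first_message: AuthRequest):
        # Register the request under a fresh, unguessable request token.
        token = secrets.token_hex(16)
        self.registered[token] = first_message
        second_message = {"request": first_message, "request_token": token}
        if self.controller.evaluate(second_message):
            self.granted.add(token)     # grant exactly what the token registers
            return {"status": "granted", "request_token": token}  # third message
        return {"status": "denied"}

    def access(self, token, resource, operation):
        req = self.registered.get(token)
        if req is None or token not in self.granted:
            raise PermissionError("request token not granted")
        # The grant is bound to the registered resource and operations only.
        if resource != req.resource or operation not in req.operations:
            raise PermissionError("outside the authorized scope")
        return self.resources[(req.delegator, resource)]


def run_demo():
    """Constructed scenario: alice lets sched-app read her calendar for bob only."""
    policies = {"alice": Policy([("sched-app", "bob", "calendar", frozenset({"read"}))])}
    sp = ServiceProvider(Controller(policies), {("alice", "calendar"): ["10:00 standup"]})

    ok = sp.authorize(AuthRequest("sched-app", "bob", "alice", "calendar", frozenset({"read"})))
    too_wide = sp.authorize(AuthRequest("sched-app", "bob", "alice", "calendar", frozenset({"read", "write"})))
    wrong_user = sp.authorize(AuthRequest("sched-app", "carol", "alice", "calendar", frozenset({"read"})))

    results = {"granted": ok["status"], "too_wide": too_wide["status"], "wrong_user": wrong_user["status"]}
    results["data"] = sp.access(ok["request_token"], "calendar", "read")
    try:  # a granted token must not stretch to an operation it did not register
        sp.access(ok["request_token"], "calendar", "write")
        results["escalation"] = "allowed"
    except PermissionError:
        results["escalation"] = "blocked"
    return results


if __name__ == "__main__":
    print(run_demo())
```

Two points a practitioner would check in a real deployment of this flow: the request token is generated by the service provider with a CSPRNG and is only honoured once the controller has approved it, and the grant stays bound to the registered consumer, delegatee, resource and operation set, so a token approved for reading cannot later be presented for writing.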
Specification