AUTHORIZATION SERVER AND CLIENT APPARATUS, SERVER COOPERATIVE SYSTEM, AND TOKEN MANAGEMENT METHOD

US 20140230020A1
Filed: 05/10/2013
Published: 08/14/2014
Est. Priority Date: 05/25/2012
Status: Active Grant

First Claim

Patent Images

1. An authorization server, which authorizes an access request from a client apparatus to a resource server based on valid authorization information received from the client apparatus in association with the request, the server comprising:

issuance means for issuing authorization information used to access the resource server and update authorization information used to re-issue new authorization information without any authentication information in accordance with an issuance request received from the client apparatus together with authentication information;

re-issuance means for re-issuing new update authorization information and new authorization information in accordance with a refresh processing request received together with update authorization information, and storing the update authorization information issued by the issuance means so as to re-issue new update authorization information and authorization information as initial update authorization information in association with the re-issued authorization information and update authorization information; and

invalidation means for invalidating, in accordance with an invalidation request received together with update authorization information, update authorization information with which the received update authorization information is associated as initial update authorization information.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

There is a method of generating a token required to transfer an access authority to a cooperating system to a cooperation asking system. In this method, a refresh token is issued to update a token without confirmation to a user after a valid period of a token has expired. When information which is required to update a token is leaked, an unintended system updates a token, and the cooperating system is illicitly used. For this reason, a unit for invalidating the leaked refresh token is required. An access management service stores a refresh token issued at the time of first authorization processing linked to tokens re-issued when a series of token is issued using refresh tokens. Then, upon designation of the refresh token issued first, all refresh tokens linked to the refresh token issued first are invalidated.

61 Citations

View as Search Results

10 Claims

1. An authorization server, which authorizes an access request from a client apparatus to a resource server based on valid authorization information received from the client apparatus in association with the request, the server comprising:
- issuance means for issuing authorization information used to access the resource server and update authorization information used to re-issue new authorization information without any authentication information in accordance with an issuance request received from the client apparatus together with authentication information;
  
  re-issuance means for re-issuing new update authorization information and new authorization information in accordance with a refresh processing request received together with update authorization information, and storing the update authorization information issued by the issuance means so as to re-issue new update authorization information and authorization information as initial update authorization information in association with the re-issued authorization information and update authorization information; and
  
  invalidation means for invalidating, in accordance with an invalidation request received together with update authorization information, update authorization information with which the received update authorization information is associated as initial update authorization information.
- View Dependent Claims (2, 3, 4)
- - 2. The server according to claim 1, wherein the invalidation means further invalidates the received update authorization information.
  - 3. The server according to claim 1, wherein the invalidation means invalidates authorization information with which the received update authorization information is associated as initial update authorization information in addition to update authorization information with which the received update authorization information is associated as initial update authorization information.
  - 4. The server according to claim 1, wherein when the re-issuance means re-issues new authorization information, the re-issuance means invalidates update authorization information received together with a refresh processing request.

5. A client apparatus which transmits an access request to a resource server together with authorization information issued by an authorization server to request a service by the resource server, the apparatus comprising:
- means for storing the authorization information issued by the authorization server, update authorization information used to re-issue new authorization information without any authentication information, and initial update authorization information issued first by the authorization server so as to re-issue the authorization information in association with each other; and
  
  invalidation request means for transmitting an invalidation request together with the stored initial update authorization information to the authorization server to request the authorization server to invalidate update authorization information associated with the initial update authorization information.
- View Dependent Claims (6)
- - 6. The apparatus according to claim 5, further comprising means for, when a response indicating that the authorization information is invalid is received in response to the access request, transmitting a refresh processing request to the authorization server together with update authorization information associated with the authorization information corresponding to the response indicating that the authorization information is invalid,wherein when a response indicating that the update authorization information is invalid is received in response to the refresh processing request, the invalidation request means requests to invalidate update authorization information.

7. A server cooperative system including an authorization server, which authorizes an access request from a client apparatus to a resource server based on valid authorization information received from the client apparatus in association with the request, a client apparatus, which transmits an access request to a resource server together with authorization information issued by the authorization server to request a service by the resource server, and the resource server, which provides a service to the client apparatus,the authorization server comprising:
- issuance means for issuing authorization information used to access the resource server and update authorization information used to re-issue new authorization information without any authentication information in accordance with an issuance request received from the client apparatus together with authentication information;
  
  re-issuance means for re-issuing new update authorization information and new authorization information in accordance with a refresh processing request received together with update authorization information, and storing the update authorization information issued by the issuance means so as to re-issue new update authorization information and authorization information as initial update authorization information in association with the re-issued authorization information and update authorization information; and
  
  invalidation means for invalidating, in accordance with an invalidation request received together with update authorization information, update authorization information with which the received update authorization information is associated as initial update authorization information, andthe client apparatus comprising;
  
  means for storing the authorization information issued by the authorization server, update authorization information used to re-issue new authorization information without any authentication information, and initial update authorization information issued first by the authorization server so as to re-issue the authorization information in association with each other; and
  
  invalidation request means for transmitting an invalidation request together with the stored initial update authorization information to the authorization server to request the authorization server to invalidate update authorization information associated with the initial update authorization information.

8. A program for controlling a computer to function as an authorization server, which authorizes an access request from a client apparatus to a resource server based on valid authorization information received from the client apparatus in association with the request, the program controlling the computer to function as:
- issuance means for issuing authorization information used to access the resource server and update authorization information used to re-issue new authorization information without any authentication information in accordance with an issuance request received from the client apparatus together with authentication information;
  
  re-issuance means for re-issuing new update authorization information and new authorization information in accordance with a refresh processing request received together with update authorization information, and storing the update authorization information issued by the issuance means so as to re-issue new update authorization information and authorization information as initial update authorization information in association with the re-issued authorization information and update authorization information; and
  
  invalidation means for invalidating, in accordance with an invalidation request received together with update authorization information, update authorization information with which the received update authorization information is associated as initial update authorization information.

9. A program for controlling a computer to function as a client apparatus, which transmits an access request to a resource server together with authorization information issued by an authorization server to request a service by the resource server, the program controlling the computer to function as:
- means for storing the authorization information issued by the authorization server, update authorization information used to re-issue new authorization information without any authentication information, and initial update authorization information issued first by the authorization server so as to re-issue the authorization information in association with each other; and
  
  invalidation request means for transmitting an invalidation request together with the stored initial update authorization information to the authorization server to request the authorization server to invalidate update authorization information associated with the initial update authorization information.

10. A token management method in a server cooperative system including an authorization server, which authorizes an access request from a client apparatus to a resource server based on valid authorization information received from the client apparatus in association with the request, a client apparatus, which transmits an access request to a resource server together with authorization information issued by the authorization server to request a service by the resource server, and the resource server, which provides a service to the client apparatus, the method comprising:
- an issuance step of issuing, by the authorization server, authorization information used to access the resource server and update authorization information used to re-issue new authorization information without any authentication information in accordance with an issuance request received from the client apparatus together with authentication information;
  
  a step of storing, by the client apparatus, the authorization information issued by the authorization server, update authorization information used to re-issue new authorization information without any authentication information, and initial update authorization information issued first by the authorization server so as to re-issue the authorization information in association with each other; and
  
  a step of transmitting, when a response indicating that the authorization information is invalid is received in response to the access request, a refresh processing request to the authorization server together with update authorization information associated with the authorization information corresponding to the response indicating that the authorization information is invalid, by the client apparatus;
  
  a re-issuance step of re-issuing, by the authorization server, new update authorization information and new authorization information in accordance with a refresh processing request received together with update authorization information, and storing the update authorization information issued in the issuance step so as to re-issue new update authorization information and authorization information as initial update authorization information in association with the re-issued authorization information and update authorization information;
  
  an invalidation request step of transmitting, by the client apparatus, an invalidation request together with the stored initial update authorization information to the authorization server to request the authorization server to invalidate update authorization information associated with the initial update authorization information; and
  
  an invalidation step of invalidating, in accordance with an invalidation request received together with update authorization information, update authorization information with which the received update authorization information is associated as initial update authorization information by the authorization server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Canon Kabushiki Kaisha (Canon Inc.)
Original Assignee
Canon Kabushiki Kaisha (Canon Inc.)
Inventors
Mogaki, Shunsuke

Granted Patent

US 9,571,494 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/4
CPC Class Codes

G06F 21/335   for accessing specific reso...

G06F 2221/2101   Auditing as a secondary aspect

G06F 2221/2151   Time stamp

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/10   for controlling access to d...

H04L 67/1001   for accessing one among a p...

H04L 9/0891   Revocation or update of sec...

H04L 9/3213   using tickets or tokens, e....

AUTHORIZATION SERVER AND CLIENT APPARATUS, SERVER COOPERATIVE SYSTEM, AND TOKEN MANAGEMENT METHOD

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

61 Citations

10 Claims

Specification

Solutions

Use Cases

Quick Links

AUTHORIZATION SERVER AND CLIENT APPARATUS, SERVER COOPERATIVE SYSTEM, AND TOKEN MANAGEMENT METHOD

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

61 Citations

10 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links