AUTHORIZATION SERVER AND CLIENT APPARATUS, SERVER COOPERATIVE SYSTEM, AND TOKEN MANAGEMENT METHOD
Abstract
A method generates the token required to delegate an access authority held by a cooperating system to the system that requests the cooperation. A refresh token is issued so that the token can be renewed, without re-confirmation by the user, after the token's validity period has expired. If the information needed to renew a token is leaked, an unintended system can renew the token and use the cooperating system illicitly, so a mechanism for invalidating the leaked refresh token is required. An access management service stores the refresh token issued during the first authorization, linked to the tokens re-issued whenever a series of tokens is issued using refresh tokens. Upon designation of the first-issued refresh token, every refresh token linked to it is invalidated.
10 Claims
1. An authorization server, which authorizes an access request from a client apparatus to a resource server based on valid authorization information received from the client apparatus in association with the request, the server comprising:
issuance means for issuing authorization information used to access the resource server and update authorization information used to re-issue new authorization information without any authentication information in accordance with an issuance request received from the client apparatus together with authentication information;
re-issuance means for re-issuing new update authorization information and new authorization information in accordance with a refresh processing request received together with update authorization information, and storing the update authorization information issued by the issuance means so as to re-issue new update authorization information and authorization information as initial update authorization information in association with the re-issued authorization information and update authorization information; and
invalidation means for invalidating, in accordance with an invalidation request received together with update authorization information, update authorization information with which the received update authorization information is associated as initial update authorization information.
Dependent claims: 2, 3, 4.

5. A client apparatus which transmits an access request to a resource server together with authorization information issued by an authorization server to request a service by the resource server, the apparatus comprising:
means for storing the authorization information issued by the authorization server, update authorization information used to re-issue new authorization information without any authentication information, and initial update authorization information issued first by the authorization server so as to re-issue the authorization information in association with each other; and
invalidation request means for transmitting an invalidation request together with the stored initial update authorization information to the authorization server to request the authorization server to invalidate update authorization information associated with the initial update authorization information.
Dependent claim: 6.

7. A server cooperative system including an authorization server, which authorizes an access request from a client apparatus to a resource server based on valid authorization information received from the client apparatus in association with the request, a client apparatus, which transmits an access request to a resource server together with authorization information issued by the authorization server to request a service by the resource server, and the resource server, which provides a service to the client apparatus,
the authorization server comprising:
issuance means for issuing authorization information used to access the resource server and update authorization information used to re-issue new authorization information without any authentication information in accordance with an issuance request received from the client apparatus together with authentication information;
re-issuance means for re-issuing new update authorization information and new authorization information in accordance with a refresh processing request received together with update authorization information, and storing the update authorization information issued by the issuance means so as to re-issue new update authorization information and authorization information as initial update authorization information in association with the re-issued authorization information and update authorization information; and
invalidation means for invalidating, in accordance with an invalidation request received together with update authorization information, update authorization information with which the received update authorization information is associated as initial update authorization information,
and the client apparatus comprising:
means for storing the authorization information issued by the authorization server, update authorization information used to re-issue new authorization information without any authentication information, and initial update authorization information issued first by the authorization server so as to re-issue the authorization information in association with each other; and
invalidation request means for transmitting an invalidation request together with the stored initial update authorization information to the authorization server to request the authorization server to invalidate update authorization information associated with the initial update authorization information.

8. A program for controlling a computer to function as an authorization server, which authorizes an access request from a client apparatus to a resource server based on valid authorization information received from the client apparatus in association with the request, the program controlling the computer to function as:
issuance means for issuing authorization information used to access the resource server and update authorization information used to re-issue new authorization information without any authentication information in accordance with an issuance request received from the client apparatus together with authentication information;
re-issuance means for re-issuing new update authorization information and new authorization information in accordance with a refresh processing request received together with update authorization information, and storing the update authorization information issued by the issuance means so as to re-issue new update authorization information and authorization information as initial update authorization information in association with the re-issued authorization information and update authorization information; and
invalidation means for invalidating, in accordance with an invalidation request received together with update authorization information, update authorization information with which the received update authorization information is associated as initial update authorization information.

9. A program for controlling a computer to function as a client apparatus, which transmits an access request to a resource server together with authorization information issued by an authorization server to request a service by the resource server, the program controlling the computer to function as:
means for storing the authorization information issued by the authorization server, update authorization information used to re-issue new authorization information without any authentication information, and initial update authorization information issued first by the authorization server so as to re-issue the authorization information in association with each other; and
invalidation request means for transmitting an invalidation request together with the stored initial update authorization information to the authorization server to request the authorization server to invalidate update authorization information associated with the initial update authorization information.

10. A token management method in a server cooperative system including an authorization server, which authorizes an access request from a client apparatus to a resource server based on valid authorization information received from the client apparatus in association with the request, a client apparatus, which transmits an access request to a resource server together with authorization information issued by the authorization server to request a service by the resource server, and the resource server, which provides a service to the client apparatus, the method comprising:
an issuance step of issuing, by the authorization server, authorization information used to access the resource server and update authorization information used to re-issue new authorization information without any authentication information in accordance with an issuance request received from the client apparatus together with authentication information;
a step of storing, by the client apparatus, the authorization information issued by the authorization server, update authorization information used to re-issue new authorization information without any authentication information, and initial update authorization information issued first by the authorization server so as to re-issue the authorization information in association with each other;
a step of transmitting, when a response indicating that the authorization information is invalid is received in response to the access request, a refresh processing request to the authorization server together with update authorization information associated with the authorization information corresponding to the response indicating that the authorization information is invalid, by the client apparatus;
a re-issuance step of re-issuing, by the authorization server, new update authorization information and new authorization information in accordance with a refresh processing request received together with update authorization information, and storing the update authorization information issued in the issuance step so as to re-issue new update authorization information and authorization information as initial update authorization information in association with the re-issued authorization information and update authorization information;
an invalidation request step of transmitting, by the client apparatus, an invalidation request together with the stored initial update authorization information to the authorization server to request the authorization server to invalidate update authorization information associated with the initial update authorization information; and
an invalidation step of invalidating, in accordance with an invalidation request received together with update authorization information, update authorization information with which the received update authorization information is associated as initial update authorization information by the authorization server.

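The chain-tracking scheme described in the abstract and spelled out in claims 1 and 10 (issue, refresh, invalidate by the first-issued refresh token, and the client's refresh-on-invalid behaviour), as an added, constructed Python example that is not the patent's or any assignee's code. `AuthorizationServer`, `ResourceServer`, `Client`, the `CREDENTIALS` store and the `ACCESS_TTL` lifetime are assumptions made for illustration, and token values are random. Refresh tokens are deliberately not consumed on use, because the claims do not require it; that is what makes an older leaked refresh token stay live until the whole chain is invalidated:

```python
import secrets
import time

ACCESS_TTL = 60.0  # assumed access-token lifetime in seconds
CREDENTIALS = {"alice": "correct horse battery staple"}  # constructed user store


class AuthorizationServer:
    """Stores every refresh token under the initial refresh token it descends from."""

    def __init__(self, now=time.time):
        self.now = now
        self.access = {}   # access token -> {"sub", "exp", "initial"}
        self.refresh = {}  # refresh token -> {"sub", "initial", "revoked"}
        self.chains = {}   # initial refresh token -> every refresh token derived from it

    def _issue_access(self, sub, initial):
        token = secrets.token_urlsafe(32)
        self.access[token] = {"sub": sub, "exp": self.now() + ACCESS_TTL, "initial": initial}
        return token

    def _issue_refresh(self, sub, initial=None):
        token = secrets.token_urlsafe(32)
        root = initial or token  # a token issued without a parent starts a new chain
        self.refresh[token] = {"sub": sub, "initial": root, "revoked": False}
        self.chains.setdefault(root, set()).add(token)
        return token

    def issue(self, user, password):
        """Issuance means: authentication information in, access token and chain root out."""
        if CREDENTIALS.get(user) != password:
            raise PermissionError("authentication failed")
        initial = self._issue_refresh(user)
        return self._issue_access(user, initial), initial

    def refresh_tokens(self, refresh):
        """Re-issuance means: any live refresh token yields new tokens recorded under the same root."""
        rec = self.refresh.get(refresh)
        if rec is None or rec["revoked"]:
            raise PermissionError("invalid refresh token")
        new_refresh = self._issue_refresh(rec["sub"], rec["initial"])
        return self._issue_access(rec["sub"], rec["initial"]), new_refresh

    def invalidate(self, initial):
        """Invalidation means: only a chain root is accepted; the whole chain is revoked."""
        chain = self.chains.get(initial)
        if chain is None:
            raise PermissionError("not an initial refresh token")
        for token in chain:
            self.refresh[token]["revoked"] = True
        return len(chain)

    def validate_access(self, token):
        rec = self.access.get(token)
        return None if rec is None or rec["exp"] <= self.now() else rec["sub"]


class ResourceServer:
    def __init__(self, auth):
        self.auth = auth

    def serve(self, access_token):
        sub = self.auth.validate_access(access_token)
        return None if sub is None else f"hello {sub}"  # None models the "invalid" response


class Client:
    def __init__(self, auth, resource):
        self.auth, self.resource = auth, resource
        self.access = self.refresh = self.initial = None

    def login(self, user, password):
        self.access, self.refresh = self.auth.issue(user, password)
        self.initial = self.refresh  # kept alongside the current tokens, as in claim 5

    def get_resource(self):
        """Claim 10: on an invalid-token response, refresh with the stored refresh token and retry."""
        result = self.resource.serve(self.access)
        if result is None:
            self.access, self.refresh = self.auth.refresh_tokens(self.refresh)
            result = self.resource.serve(self.access)
        return result

    def revoke(self):
        return self.auth.invalidate(self.initial)


def _rejected(auth, refresh):
    try:
        auth.refresh_tokens(refresh)
        return False
    except PermissionError:
        return True


def demo():
    clock = [1_000.0]  # controllable clock so expiry can be forced
    auth = AuthorizationServer(now=lambda: clock[0])
    client = Client(auth, ResourceServer(auth))
    client.login("alice", CREDENTIALS["alice"])
    initial = client.initial
    out = {"first": client.get_resource()}
    clock[0] += ACCESS_TTL + 1  # the access token expires; the next call refreshes
    out["after_expiry"] = client.get_resource()
    out["rotated"] = client.refresh != initial
    stolen = client.refresh  # constructed leak of the client's current refresh token
    att_access, att_refresh = auth.refresh_tokens(stolen)  # server cannot tell it apart
    out["attacker_served"] = auth.validate_access(att_access)
    out["revoked_count"] = client.revoke()  # victim presents the initial token only
    out["attacker_refresh_rejected"] = _rejected(auth, att_refresh)
    out["stolen_rejected"] = _rejected(auth, stolen)
    out["initial_rejected"] = _rejected(auth, initial)
    return out


if __name__ == "__main__":
    print(demo())
```

`demo()` walks the sequence: a first request served, a refresh triggered by expiry, an attacker minting a third refresh token from a stolen copy, and one invalidation with the initial token that kills all three. Two caveats the claims leave open: access tokens already issued stay usable until their own expiry, so the lifetime should be short, and a production server would also revoke a refresh token the moment it is presented (refresh-token rotation, as recommended by the OAuth 2.0 Security Best Current Practice), which turns a replay of a stolen refresh token into a detectable event rather than a silent second chain member.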
Specification