SERVICE PROFILE-SPECIFIC TOKEN ATTRIBUTES AND RESOURCE SERVER TOKEN ATTRIBUTE OVERRIDING

US 20150089623A1
Filed: 04/30/2014
Published: 03/26/2015
Est. Priority Date: 09/29/2011
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method comprising:

receiving, by an OAuth authorization server, a first service profile that specifies a first value for a particular token attribute;

storing, by the OAuth authorization server, a first mapping between the first service profile and a first identity domain of a plurality of identity domains;

receiving, by the OAuth authorization server, a second service profile that specifies a second value for the particular token attribute;

storing, by the OAuth authorization server, a second mapping between the second service profile and a second identity domain of the plurality of identity domains;

receiving, at the OAuth authorization server, a token request from a client application contained in a particular identity domain of the plurality of identity domains;

in response to receiving the token request, determining, at the OAuth authorization server, based on at least one of the first mapping and the second mapping, that the particular identity domain is mapped to a particular service profile;

in response to determining that the particular identity domain is mapped to the particular service profile, the OAuth authorization server reading, from the particular service profile, a particular value for the particular token attribute;

generating, at the OAuth authorization server, a new token that specifies the particular value for the particular token attribute; and

sending the new token from the OAuth authorization server to the client application;

wherein the second value differs from the first value.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A framework, which conforms to the OAuth standard, involves a generic OAuth authorization server that can be used by multiple resource servers in order to ensure that access to resources stored on those resource servers is limited to access to which the resource owner consents. Each resource server registers, with the OAuth authorization server, metadata for that resource server, indicating scopes that are recognized by the resource server. The OAuth authorization server refers to this metadata when requesting consent from a resource owner on behalf of a client application, so that the consent will be of an appropriate scope. The OAuth authorization server refers to this metadata when constructing an access token to provide to the client application for use in accessing the resources on the resource server. The OAuth authorization server uses this metadata to map issued access tokens to the scopes to which those access tokens grant access.

Citations

18 Claims

1. A computer-implemented method comprising:
- receiving, by an OAuth authorization server, a first service profile that specifies a first value for a particular token attribute;
  
  storing, by the OAuth authorization server, a first mapping between the first service profile and a first identity domain of a plurality of identity domains;
  
  receiving, by the OAuth authorization server, a second service profile that specifies a second value for the particular token attribute;
  
  storing, by the OAuth authorization server, a second mapping between the second service profile and a second identity domain of the plurality of identity domains;
  
  receiving, at the OAuth authorization server, a token request from a client application contained in a particular identity domain of the plurality of identity domains;
  
  in response to receiving the token request, determining, at the OAuth authorization server, based on at least one of the first mapping and the second mapping, that the particular identity domain is mapped to a particular service profile;
  
  in response to determining that the particular identity domain is mapped to the particular service profile, the OAuth authorization server reading, from the particular service profile, a particular value for the particular token attribute;
  
  generating, at the OAuth authorization server, a new token that specifies the particular value for the particular token attribute; and
  
  sending the new token from the OAuth authorization server to the client application;
  
  wherein the second value differs from the first value.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The computer-implemented method of claim 1, further comprising:
    - receiving, by a particular resource server, a resource server-specific profile that specifies a third value for the particular token attribute;
      
      storing, at the particular resource server, the resource server-specific profile;
      
      receiving, at the OAuth authorization server, a second token request from a second client application contained in the first identity domain;
      
      in response to receiving the second token request, determining, at the OAuth authorization server, based on the first mapping, that the first identity domain is mapped to the first service profile;
      
      in response to determining that the first identity domain is mapped to the first service profile, the OAuth authorization server reading, from the first service profile, the first value for the particular token attribute;
      
      determining, by the OAuth authorization server, that the particular resource server provides a service requested in the second token request;
      
      in response to determining that the particular resource server provides the service, determining, by the OAuth authorization server, whether the resource server-specific profile stored by the particular resource server specifies a value for the particular token attribute;
      
      in response to determining that the resource server-specific profile specifies the third value, generating, at the OAuth authorization server, a particular token that specifies the third value for the particular token attribute; and
      
      sending the particular token from the OAuth authorization server to the second client application.
  - 3. The computer-implemented method of claim 2, wherein the first token specifies, for one or more other token attributes, one or more other values that are specified in the first service profile.
  - 4. The computer-implemented method of claim 1, further comprising:
    - receiving, at the OAuth authorization server, a second token request from a second client application contained in the second identity domain;
      
      in response to receiving the second token request, determining, at the OAuth authorization server, based on the second mapping, that the second identity domain is mapped to the second service profile;
      
      in response to determining that the second identity domain is mapped to the second service profile, the OAuth authorization server reading, from the second service profile, the second value for the particular token attribute;
      
      determining, by the OAuth authorization server, that a particular resource server provides a service requested in the second token request;
      
      in response to determining that the particular resource server provides the service, determining, by the OAuth authorization server, whether a resource server-specific profile stored by the particular resource server specifies a value for the particular token attribute;
      
      in response to determining that the resource server-specific profile does not specify a value for the particular token attribute, generating, at the OAuth authorization server, a particular token that specifies the second value for the particular token attribute; and
      
      sending the particular token from the OAuth authorization server to the second client application.
  - 5. The computer-implemented method of claim 1, wherein the particular token attribute is a token time-out attribute that represents a duration of time for which a token generated by the OAuth authorization server is to remain valid following generation.
  - 6. The computer-implemented method of claim 1, wherein the first value specifies a first duration of time after which a token will cease to be valid, wherein the second value specifies a second duration of time after which a token will cease to be valid, and wherein the second value is less than the first value.

7. A computer-readable memory comprising instructions which, when executed by one or more processors, cause the one or more processors to perform:
- receiving, by an OAuth authorization server, a first service profile that specifies a first value for a particular token attribute;
  
  storing, by the OAuth authorization server, a first mapping between the first service profile and a first identity domain of a plurality of identity domains;
  
  receiving, by the OAuth authorization server, a second service profile that specifies a second value for the particular token attribute;
  
  storing, by the OAuth authorization server, a second mapping between the second service profile and a second identity domain of the plurality of identity domains;
  
  receiving, at the OAuth authorization server, a token request from a client application contained in a particular identity domain of the plurality of identity domains;
  
  in response to receiving the token request, determining, at the OAuth authorization server, based on at least one of the first mapping and the second mapping, that the particular identity domain is mapped to a particular service profile;
  
  in response to determining that the particular identity domain is mapped to the particular service profile, the OAuth authorization server reading, from the particular service profile, a particular value for the particular token attribute;
  
  generating, at the OAuth authorization server, a new token that specifies the particular value for the particular token attribute; and
  
  sending the new token from the OAuth authorization server to the client application;
  
  wherein the second value differs from the first value.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The computer-readable memory of claim 7, wherein the instructions, when executed by the one or more processors, cause the one or more processors to perform:
    - receiving, by a particular resource server, a resource server-specific profile that specifies a third value for the particular token attribute;
      
      storing, at the particular resource server, the resource server-specific profile;
      
      receiving, at the OAuth authorization server, a second token request from a second client application contained in the first identity domain;
      
      in response to receiving the second token request, determining, at the OAuth authorization server, based on the first mapping, that the first identity domain is mapped to the first service profile;
      
      in response to determining that the first identity domain is mapped to the first service profile, the OAuth authorization server reading, from the first service profile, the first value for the particular token attribute;
      
      determining, by the OAuth authorization server, that the particular resource server provides a service requested in the second token request;
      
      in response to determining that the particular resource server provides the service, determining, by the OAuth authorization server, whether the resource server-specific profile stored by the particular resource server specifies a value for the particular token attribute;
      
      in response to determining that the resource server-specific profile specifies the third value, generating, at the OAuth authorization server, a particular token that specifies the third value for the particular token attribute; and
      
      sending the particular token from the OAuth authorization server to the second client application.
  - 9. The computer-readable memory of claim 8, wherein the first token specifies, for one or more other token attributes, one or more other values that are specified in the first service profile.
  - 10. The computer-readable memory of claim 7, wherein the instructions, when executed by the one or more processors, cause the one or more processors to perform:
    - receiving, at the OAuth authorization server, a second token request from a second client application contained in the second identity domain;
      
      in response to receiving the second token request, determining, at the OAuth authorization server, based on the second mapping, that the second identity domain is mapped to the second service profile;
      
      in response to determining that the second identity domain is mapped to the second service profile, the OAuth authorization server reading, from the second service profile, the second value for the particular token attribute;
      
      determining, by the OAuth authorization server, that a particular resource server provides a service requested in the second token request;
      
      in response to determining that the particular resource server provides the service, determining, by the OAuth authorization server, whether a resource server-specific profile stored by the particular resource server specifies a value for the particular token attribute;
      
      in response to determining that the resource server-specific profile does not specify a value for the particular token attribute, generating, at the OAuth authorization server, a particular token that specifies the second value for the particular token attribute; and
      
      sending the particular token from the OAuth authorization server to the second client application.
  - 11. The computer-readable memory of claim 7, wherein the particular token attribute is a token time-out attribute that represents a duration of time for which a token generated by the OAuth authorization server is to remain valid following generation.
  - 12. The computer-readable memory of claim 7, wherein the first value specifies a first duration of time after which a token will cease to be valid, wherein the second value specifies a second duration of time after which a token will cease to be valid, and wherein the second value is less than the first value.

13. A system comprising:
- a first machine that stores a client application contained in a particular identity domain of the plurality of identity domains; and
  
  a second machine that stores an OAuth authorization server that is configured to;
  
  receive a first service profile that specifies a first value for a particular token attribute;
  
  store a first mapping between the first service profile and a first identity domain of the plurality of identity domains;
  
  receive a second service profile that specifies a second value for the particular token attribute;
  
  store a second mapping between the second service profile and a second identity domain of the plurality of identity domains;
  
  receive a token request from the client application;
  
  determine, in response to receiving the token request, and based on at least one of the first mapping and the second mapping, that the particular identity domain is mapped to a particular service profile;
  
  read, in response to determining that the particular identity domain is mapped to the particular service profile, and from the particular service profile, a particular value for the particular token attribute;
  
  generate a new token that specifies the particular value for the particular token attribute; and
  
  send the new token to the client application;
  
  wherein the second value differs from the first value.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The system of claim 13, further comprising:
    - a third machine that stores a particular resource server that is configured to;
      
      receive a resource server-specific profile that specifies a third value for the particular token attribute, andstore the resource server-specific profile; and
      
      a fourth machine that stores a second client application contained in the first identity domain;
      
      wherein the OAuth authorization server is configured to;
      
      receive a second token request from the second client application,determine, in response to receiving the second token request, and based on the first mapping, that the first identity domain is mapped to the first service profile,read, in response to determining that the first identity domain is mapped to the first service profile, and from the first service profile, the first value for the particular token attribute,determine that the particular resource server provides a service requested in the second token request,determine, in response to determining that the particular resource server provides the service, whether the resource server-specific profile stored by the particular resource server specifies a value for the particular token attribute,generate, in response to determining that the resource server-specific profile specifies the third value, a particular token that specifies the third value for the particular token attribute, andsend the particular token to the second client application.
  - 15. The system of claim 14, wherein the first token specifies, for one or more other token attributes, one or more other values that are specified in the first service profile.
  - 16. The system of claim 13, further comprising:
    - a third machine that stores a particular resource server; and
      
      a fourth machine that stores a second client application contained in the second identity domain;
      
      wherein the OAuth authorization server is configured to;
      
      receive a second token request from the second client application,determine, in response to receiving the second token request, and based on the second mapping, that the second identity domain is mapped to the second service profile,read, in response to determining that the second identity domain is mapped to the second service profile, and from the second service profile, the second value for the particular token attribute,determine that a particular resource server provides a service requested in the second token request,determine, in response to determining that the particular resource server provides the service, whether a resource server-specific profile stored by the particular resource server specifies a value for the particular token attribute,generate, in response to determining that the resource server-specific profile does not specify a value for the particular token attribute, a particular token that specifies the second value for the particular token attribute, andsend the particular token to the second client application.
  - 17. The system of claim 13, wherein the particular token attribute is a token time-out attribute that represents a duration of time for which a token generated by the OAuth authorization server is to remain valid following generation.
  - 18. The system of claim 13, wherein the first value specifies a first duration of time after which a token will cease to be valid, wherein the second value specifies a second duration of time after which a token will cease to be valid, and wherein the second value is less than the first value.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Sondhi, Ajay, Chu, Ching-Wen, Evani, Venkata S.

Granted Patent

US 9,578,014 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/9
CPC Class Codes

G06F 2221/2103   Challenge-response

H04L 63/08   for authentication of entit...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0815   providing single-sign-on or...

H04L 63/0853   using an additional device,...

H04L 63/10   for controlling access to d...

H04L 63/102   Entity profiles

H04L 63/20   for managing network securi...

H04L 63/205   involving negotiation or de...

H04W 12/06   Authentication

SERVICE PROFILE-SPECIFIC TOKEN ATTRIBUTES AND RESOURCE SERVER TOKEN ATTRIBUTE OVERRIDING

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

SERVICE PROFILE-SPECIFIC TOKEN ATTRIBUTES AND RESOURCE SERVER TOKEN ATTRIBUTE OVERRIDING

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links