SERVICE PROFILE-SPECIFIC TOKEN ATTRIBUTES AND RESOURCE SERVER TOKEN ATTRIBUTE OVERRIDING
First Claim
1. A computer-implemented method comprising:
receiving, by an OAuth authorization server, a first service profile that specifies a first value for a particular token attribute;
storing, by the OAuth authorization server, a first mapping between the first service profile and a first identity domain of a plurality of identity domains;
receiving, by the OAuth authorization server, a second service profile that specifies a second value for the particular token attribute;
storing, by the OAuth authorization server, a second mapping between the second service profile and a second identity domain of the plurality of identity domains;
receiving, at the OAuth authorization server, a token request from a client application contained in a particular identity domain of the plurality of identity domains;
in response to receiving the token request, determining, at the OAuth authorization server, based on at least one of the first mapping and the second mapping, that the particular identity domain is mapped to a particular service profile;
in response to determining that the particular identity domain is mapped to the particular service profile, the OAuth authorization server reading, from the particular service profile, a particular value for the particular token attribute;
generating, at the OAuth authorization server, a new token that specifies the particular value for the particular token attribute; and
sending the new token from the OAuth authorization server to the client application;
wherein the second value differs from the first value.
1 Assignment
0 Petitions
Abstract
A framework, which conforms to the OAuth standard, involves a generic OAuth authorization server that can be used by multiple resource servers in order to ensure that access to resources stored on those resource servers is limited to access to which the resource owner consents. Each resource server registers, with the OAuth authorization server, metadata for that resource server, indicating scopes that are recognized by the resource server. The OAuth authorization server refers to this metadata when requesting consent from a resource owner on behalf of a client application, so that the consent will be of an appropriate scope. The OAuth authorization server refers to this metadata when constructing an access token to provide to the client application for use in accessing the resources on the resource server. The OAuth authorization server uses this metadata to map issued access tokens to the scopes to which those access tokens grant access.
18 Claims
1. A computer-implemented method comprising:
receiving, by an OAuth authorization server, a first service profile that specifies a first value for a particular token attribute;
storing, by the OAuth authorization server, a first mapping between the first service profile and a first identity domain of a plurality of identity domains;
receiving, by the OAuth authorization server, a second service profile that specifies a second value for the particular token attribute;
storing, by the OAuth authorization server, a second mapping between the second service profile and a second identity domain of the plurality of identity domains;
receiving, at the OAuth authorization server, a token request from a client application contained in a particular identity domain of the plurality of identity domains;
in response to receiving the token request, determining, at the OAuth authorization server, based on at least one of the first mapping and the second mapping, that the particular identity domain is mapped to a particular service profile;
in response to determining that the particular identity domain is mapped to the particular service profile, the OAuth authorization server reading, from the particular service profile, a particular value for the particular token attribute;
generating, at the OAuth authorization server, a new token that specifies the particular value for the particular token attribute; and
sending the new token from the OAuth authorization server to the client application;
wherein the second value differs from the first value.
7. A computer-readable memory comprising instructions which, when executed by one or more processors, cause the one or more processors to perform:
receiving, by an OAuth authorization server, a first service profile that specifies a first value for a particular token attribute;
storing, by the OAuth authorization server, a first mapping between the first service profile and a first identity domain of a plurality of identity domains;
receiving, by the OAuth authorization server, a second service profile that specifies a second value for the particular token attribute;
storing, by the OAuth authorization server, a second mapping between the second service profile and a second identity domain of the plurality of identity domains;
receiving, at the OAuth authorization server, a token request from a client application contained in a particular identity domain of the plurality of identity domains;
in response to receiving the token request, determining, at the OAuth authorization server, based on at least one of the first mapping and the second mapping, that the particular identity domain is mapped to a particular service profile;
in response to determining that the particular identity domain is mapped to the particular service profile, the OAuth authorization server reading, from the particular service profile, a particular value for the particular token attribute;
generating, at the OAuth authorization server, a new token that specifies the particular value for the particular token attribute; and
sending the new token from the OAuth authorization server to the client application;
wherein the second value differs from the first value.
13. A system comprising:
a first machine that stores a client application contained in a particular identity domain of the plurality of identity domains; and
a second machine that stores an OAuth authorization server that is configured to:
receive a first service profile that specifies a first value for a particular token attribute;
store a first mapping between the first service profile and a first identity domain of the plurality of identity domains;
receive a second service profile that specifies a second value for the particular token attribute;
store a second mapping between the second service profile and a second identity domain of the plurality of identity domains;
receive a token request from the client application;
determine, in response to receiving the token request, and based on at least one of the first mapping and the second mapping, that the particular identity domain is mapped to a particular service profile;
read, in response to determining that the particular identity domain is mapped to the particular service profile, and from the particular service profile, a particular value for the particular token attribute;
generate a new token that specifies the particular value for the particular token attribute; and
send the new token to the client application;
wherein the second value differs from the first value.
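As an added illustration of the procedure in claims 1, 7 and 13 together with the abstract's resource-server scope registration (example code written for this page, not code from the patent or any product): identity domains are mapped to service profiles, the token lifetime is read from the profile mapped to the requesting client's domain, and requested scopes are checked against what the resource server registered. The issuer, domain names, profile names, scope names and the choice of `expires_in` as the token attribute are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ServiceProfile:
    name: str
    expires_in: int  # the "particular token attribute": lifetime in seconds (assumed)


class AuthorizationServer:
    def __init__(self, issuer: str):
        self.issuer = issuer
        self.profiles: dict[str, ServiceProfile] = {}
        self.domain_to_profile: dict[str, str] = {}      # identity domain -> profile name
        self.resource_servers: dict[str, set[str]] = {}  # resource server -> registered scopes

    def register_service_profile(self, profile: ServiceProfile) -> None:
        self.profiles[profile.name] = profile

    def map_identity_domain(self, domain: str, profile_name: str) -> None:
        self.domain_to_profile[domain] = self.profiles[profile_name].name  # KeyError if unknown

    def register_resource_server(self, name: str, scopes: set[str]) -> None:
        self.resource_servers[name] = set(scopes)

    def issue_token(self, client_domain: str, resource_server: str,
                    requested_scopes: set[str], now: int) -> dict:
        # Step: find the service profile mapped to the client's identity domain.
        profile_name = self.domain_to_profile.get(client_domain)
        if profile_name is None:
            raise LookupError(f"identity domain {client_domain!r} has no service profile")
        profile = self.profiles[profile_name]
        # Only scopes the resource server registered may be granted (per the abstract).
        unknown = requested_scopes - self.resource_servers.get(resource_server, set())
        if unknown:
            raise ValueError(f"scopes not registered by {resource_server!r}: {sorted(unknown)}")
        # Step: read the attribute value from that profile and emit a token carrying it.
        return {"iss": self.issuer, "aud": resource_server, "scope": " ".join(sorted(requested_scopes)),
                "iat": now, "exp": now + profile.expires_in}


def demo(now: int = 1_700_000_000) -> tuple[dict, dict]:
    # Constructed configuration: two identity domains, two profiles with differing lifetimes.
    srv = AuthorizationServer("https://as.example")  # assumed issuer name
    srv.register_service_profile(ServiceProfile("standard", expires_in=3600))
    srv.register_service_profile(ServiceProfile("short-lived", expires_in=300))
    srv.map_identity_domain("tenant-a", "standard")
    srv.map_identity_domain("tenant-b", "short-lived")
    srv.register_resource_server("calendar-rs", {"calendar.read", "calendar.write"})
    tok_a = srv.issue_token("tenant-a", "calendar-rs", {"calendar.read"}, now)
    tok_b = srv.issue_token("tenant-b", "calendar-rs", {"calendar.read"}, now)
    return tok_a, tok_b
```

Two clients requesting the same scope from the same resource server receive tokens whose `exp` differs only because their identity domains map to different service profiles.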