TOKEN SCOPE REDUCTION

US 20170034172A1
Filed: 11/16/2015
Published: 02/02/2017
Est. Priority Date: 07/30/2015
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method comprising:

receiving at a client device an access token from an authentication server after authenticating the client device, wherein the access token provides access to resource services distributed across a plurality of security domains;

deriving a first subset of authorization scopes of the access token, wherein the first subset is limited to a first security domain of the plurality of security domains;

responsive to providing the first subset and the access token to the authentication server, receiving a first reduced-scope access token, wherein the first reduced-scope access token provides access to at least one resource service in the first security domain; and

utilizing the first reduced-scope access token to access the at least one resource service in the first security domain.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques are provided for augmenting the capabilities of the standard OAuth2 authorization framework in such a way as to allow clients to consume the services of multiple resource servers residing in disjoint security domains while requiring only a single one-time user authentication. An access token that provides access to resource services distributed across a plurality of security domains is partitioned into a plurality of reduced-scope access tokens. Each reduced-scope access token is limited to a subset of authorization scopes of the access token, providing access to a resource service in a particular security domain based upon the subset.

61 Citations

View as Search Results

20 Claims

1. A computer-implemented method comprising:
- receiving at a client device an access token from an authentication server after authenticating the client device, wherein the access token provides access to resource services distributed across a plurality of security domains;
  
  deriving a first subset of authorization scopes of the access token, wherein the first subset is limited to a first security domain of the plurality of security domains;
  
  responsive to providing the first subset and the access token to the authentication server, receiving a first reduced-scope access token, wherein the first reduced-scope access token provides access to at least one resource service in the first security domain; and
  
  utilizing the first reduced-scope access token to access the at least one resource service in the first security domain.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The computer-implemented method of claim 1 comprising:
    - deriving a second subset of authorization scopes of the access token, wherein the second subset is limited to a second security domain of the plurality of security domains;
      
      responsive to providing the second subset and the access token to the authentication server, receiving a second reduced-scope access token, wherein the second reduced-scope access token provides access to at least one resource service in the second security domain; and
      
      utilizing the second reduced-scope access token to access the at least one resource service in the second security domain.
  - 3. The computer-implemented method of claim 1, wherein:
    - receiving the access token in response to user authentication; and
      
      receiving the first reduced-scope access token without additional user authentication.
  - 4. The computer-implemented method of claim 1, wherein the first reduced-scope access token has a same principal and expiration time as the access token.
  - 5. The computer-implemented method of claim 1, further comprising:
    - discarding, by the client device, the access token when one or more requested reduced-scope access tokens have been received.

6. A computer-implemented method comprising:
- generating at an authorization server an access token, in response to a request from a client, wherein the access token provides access to resource services distributed across a plurality of security domains;
  
  sending the access token to the client;
  
  receiving a request from the client for a first reduced-scope access token, wherein an authorization scope of the first reduced-scope access token is limited to a first subset of authorization scopes of the access token;
  
  generating the first reduced-scope access token based on the first subset of authorization scopes, wherein the first reduced-scope access token provides access to at least one resource service in a first security domain of the plurality of security domains; and
  
  sending the first reduced-scope access token to the client.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The computer-implemented method of claim 6, further comprising:
    - receiving another request from the client for a second reduced-scope access token, wherein the authorization scope of the second reduced-scope access token is limited to a second subset of the authorization scopes of the access token;
      
      generating the second reduced-scope access token based on the second subset of the authorization scopes, wherein the second reduced-scope access token provides access to at least one resource service in a second security domain of the plurality of security domains; and
      
      sending the second reduced-scope access token to the client.
  - 8. The computer-implemented method of claim 6, further comprising:
    - generating the access token in response to user authentication; and
      
      generating the first reduced-scope access token based on the access token without additional user authentication.
  - 9. The computer-implemented method of claim 6, wherein the first reduced-scope access token has a same principal and expiration time as the access token.
  - 10. The computer-implemented method of claim 6, further comprising:
    - receiving from a resource server, a request for the first subset of the authorization scopes for the first reduced-scope access token; and
      
      sending the first subset of the authorization scopes to the resource server.

11. An apparatus comprising:
- a network interface unit configured to enable communications over a network; and
  
  at least one processor configured to;
  
  receive an access token from an authentication server after authenticating the client device, wherein the access token provides access to resource services distributed across a plurality of security domains;
  
  derive a first subset of authorization scopes of the access token, wherein the first subset is limited to a first security domain of the plurality of security domains;
  
  responsive to providing the first subset and the access token to the authentication server, receive a first reduced-scope access token, wherein the first reduced-scope access token provides access to at least one resource service in the first security domain; and
  
  utilize the first reduced-scope access token to access the at least one resource service in the first security domain.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The apparatus of claim 11, wherein the processor is further configured to:
    - derive a second subset of authorization scopes of the access token, wherein the second subset is limited to a second security domain of the plurality of security domains;
      
      responsive to providing the second subset and the access token to the authentication server, receive a second reduced-scope access token, wherein the second reduced-scope access token provides access to at least one resource service in the second security domain; and
      
      utilize the second reduced-scope access token to access the at least one resource service in the second security domain.
  - 13. The apparatus of claim 11, wherein the processor is further configured to:
    - receive the access token in response to user authentication; and
      
      receive the first reduced-scope access token without additional user authentication.
  - 14. The apparatus of claim 11, wherein the first reduced-scope access token has a same principal and expiration time as the access token.
  - 15. The apparatus of claim 11, wherein the processor is further configured to:
    - discard the access token when one or more requested reduced-scope access tokens have been received.

16. An apparatus comprising:
- a network interface unit configured to enable communications over a network; and
  
  at least one processor configured to;
  
  generate an access token, in response to a request from a client, wherein the access token provides access to resource services distributed across a plurality of security domains;
  
  send the access token to the client;
  
  receive a request from the client for a first reduced-scope access token, wherein an authorization scope of the first reduced-scope access token is limited to a first subset of authorization scopes of the access token;
  
  generate the first reduced-scope access token based on the first subset of authorization scopes, wherein the first reduced-scope access token provides access to at least one resource service in a first security domain of the plurality of security domains; and
  
  send the first reduced-scope access token to the client.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The apparatus of claim 16, wherein the processor is configured to:
    - receive another request from the client for a second reduced-scope access token, wherein the authorization scope of the second reduced-scope access token is limited to a second subset of the authorization scopes of the access token;
      
      generate the second reduced-scope access token based on the second subset of the authorization scopes, wherein the second reduced-scope access token provides access to at least one resource service in a second security domain of the plurality of security domains; and
      
      send the second reduced-scope access token to the client.
  - 18. The apparatus of claim 16, wherein the processor is configured to:
    - generate the access token in response to user authentication; and
      
      generate the first reduced-scope access token based on the access token without additional user authentication.
  - 19. The apparatus of claim 16, wherein the first reduced-scope access token has a same principal and expiration time as the access token.
  - 20. The apparatus of claim 16, wherein the processor is further configured to:
    - receive from a resource server, a request for the first subset of the authorization scopes for the first reduced-scope access token; and
      
      send the first subset of the authorization scopes to the resource server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Biggs, Andrew, Miller, Matt, Remmel, Ian, Cooley, Shaun, Cui, Hua

Granted Patent

US 10,104,084 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/33   using certificates

H04L 63/08   for authentication of entit...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0815   providing single-sign-on or...

H04L 63/10   for controlling access to d...

TOKEN SCOPE REDUCTION

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

61 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

TOKEN SCOPE REDUCTION

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

61 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links