TOKEN SCOPE REDUCTION
Abstract
Techniques are provided for augmenting the capabilities of the standard OAuth2 authorization framework in such a way as to allow clients to consume the services of multiple resource servers residing in disjoint security domains while requiring only a single one-time user authentication. An access token that provides access to resource services distributed across a plurality of security domains is partitioned into a plurality of reduced-scope access tokens. Each reduced-scope access token is limited to a subset of authorization scopes of the access token, providing access to a resource service in a particular security domain based upon the subset.
20 Claims

1. A computer-implemented method comprising:
receiving at a client device an access token from an authentication server after authenticating the client device, wherein the access token provides access to resource services distributed across a plurality of security domains;
deriving a first subset of authorization scopes of the access token, wherein the first subset is limited to a first security domain of the plurality of security domains;
responsive to providing the first subset and the access token to the authentication server, receiving a first reduced-scope access token, wherein the first reduced-scope access token provides access to at least one resource service in the first security domain; and
utilizing the first reduced-scope access token to access the at least one resource service in the first security domain.
Dependent claims 2, 3, 4 and 5 not shown.
6. A computer-implemented method comprising:
generating at an authorization server an access token, in response to a request from a client, wherein the access token provides access to resource services distributed across a plurality of security domains;
sending the access token to the client;
receiving a request from the client for a first reduced-scope access token, wherein an authorization scope of the first reduced-scope access token is limited to a first subset of authorization scopes of the access token;
generating the first reduced-scope access token based on the first subset of authorization scopes, wherein the first reduced-scope access token provides access to at least one resource service in a first security domain of the plurality of security domains; and
sending the first reduced-scope access token to the client.
Dependent claims 7, 8, 9 and 10 not shown.
11. An apparatus comprising:
a network interface unit configured to enable communications over a network; and
at least one processor configured to:
receive an access token from an authentication server after authenticating the client device, wherein the access token provides access to resource services distributed across a plurality of security domains;
derive a first subset of authorization scopes of the access token, wherein the first subset is limited to a first security domain of the plurality of security domains;
responsive to providing the first subset and the access token to the authentication server, receive a first reduced-scope access token, wherein the first reduced-scope access token provides access to at least one resource service in the first security domain; and
utilize the first reduced-scope access token to access the at least one resource service in the first security domain.
Dependent claims 12, 13, 14 and 15 not shown.
16. An apparatus comprising:
a network interface unit configured to enable communications over a network; and
at least one processor configured to:
generate an access token, in response to a request from a client, wherein the access token provides access to resource services distributed across a plurality of security domains;
send the access token to the client;
receive a request from the client for a first reduced-scope access token, wherein an authorization scope of the first reduced-scope access token is limited to a first subset of authorization scopes of the access token;
generate the first reduced-scope access token based on the first subset of authorization scopes, wherein the first reduced-scope access token provides access to at least one resource service in a first security domain of the plurality of security domains; and
send the first reduced-scope access token to the client.
Dependent claims 17, 18, 19 and 20 not shown.
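The client-side and authorization-server-side flow of claims 1 and 6, and the partitioning described in the abstract, walked through as an added example that is not part of the patent or any product implementing it. It assumes an HMAC-signed JSON token format, scope names of the form "domain:action", and the helper names shown; none of these come from the patent, which does not prescribe a token format.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key shared by the authorization and resource servers (an assumption
# of this example; the patent does not prescribe a token format or signing scheme).
KEY = b"constructed-demo-key"

def _sign(payload: dict) -> str:
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    return body + "." + hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()

def _decode(token: str) -> dict:
    # Reads claims without checking the signature; used by the client, which holds no key.
    return json.loads(base64.urlsafe_b64decode(token.rsplit(".", 1)[0]))

def _verify(token: str) -> dict:
    body, mac = token.rsplit(".", 1)
    if not hmac.compare_digest(mac, hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()):
        raise ValueError("bad token signature")
    return json.loads(base64.urlsafe_b64decode(body))

def domain_of(scope: str) -> str:
    # Scopes are written "<security domain>:<action>" in this example.
    return scope.split(":", 1)[0]

def issue_access_token(subject: str, scopes: list) -> str:
    # Authorization server: the single wide token issued after the one-time authentication.
    return _sign({"sub": subject, "scope": sorted(scopes),
                  "aud": sorted({domain_of(s) for s in scopes})})

def derive_domain_subset(token: str, domain: str) -> list:
    # Client: the subset of granted scopes that belongs to one security domain.
    return [s for s in _decode(token)["scope"] if domain_of(s) == domain]

def reduce_scope(token: str, subset: list) -> str:
    # Authorization server: exchanges (subset, original token) for a reduced-scope token.
    claims = _verify(token)
    if not set(subset) <= set(claims["scope"]):
        raise PermissionError("requested scopes exceed the original token")
    domains = {domain_of(s) for s in subset}
    if len(domains) != 1:
        raise PermissionError("a reduced-scope token must stay within one security domain")
    return _sign({"sub": claims["sub"], "scope": sorted(subset), "aud": sorted(domains)})

def resource_authorizes(token: str, domain: str, needed_scope: str) -> bool:
    # Resource server: accepts only a token bound solely to this domain (this example's policy).
    claims = _verify(token)
    return claims["aud"] == [domain] and needed_scope in claims["scope"]
```

The two PermissionError paths are the checks a practitioner would want on the exchange endpoint: a reduced token can never carry a scope the original lacked, and it can never span more than one security domain.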
Specification