BUNDLED AUTHORIZATION REQUESTS

US 20170302655A1
Filed: 06/30/2017
Published: 10/19/2017
Est. Priority Date: 09/20/2013
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method comprising:

based on a request by an application for access to a first service and for access to a second service, obtaining, at a computer system of an authorization system, from a first server computer that provides the first service, a first scope of access information for the application to access the first service requested by the application, wherein the first scope of access information is determined by the first server computer applying a first policy to one or more attributes associated with an identity of the application provided by the computer system to the first server computer;

based on the request by the application for the first service and the second service, obtaining, at the computer system, from a second server computer that provides the second service, a second scope of access information for the application to access the second service requested by the application, wherein the second scope of access information is determined by the second server computer by applying a second policy to the one or more attributes associated with the identity of the application provided by the computer system to the first server computer; and

sending, by the computer system, to the application, a token that indicates access to the first service and access to the second service, wherein the token indicates the access to the first service based on the first scope of access information obtained from the first server computer, and wherein the token indicates the access to the second service based on the second scope of access information obtained from the second server computer.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A framework, which conforms to the OAuth standard, involves a generic OAuth authorization server that can be used by multiple resource servers in order to ensure that access to resources stored on those resource servers is limited to access to which the resource owner consents. Each resource server registers, with the OAuth authorization server, metadata for that resource server, indicating scopes that are recognized by the resource server. The OAuth authorization server refers to this metadata when requesting consent from a resource owner on behalf of a client application, so that the consent will be of an appropriate scope. The OAuth authorization server refers to this metadata when constructing an access token to provide to the client application for use in accessing the resources on the resource server. The OAuth authorization server uses this metadata to map issued access tokens to the scopes to which those access tokens grant access.

15 Citations

20 Claims

1. A computer-implemented method comprising:
- based on a request by an application for access to a first service and for access to a second service, obtaining, at a computer system of an authorization system, from a first server computer that provides the first service, a first scope of access information for the application to access the first service requested by the application, wherein the first scope of access information is determined by the first server computer applying a first policy to one or more attributes associated with an identity of the application provided by the computer system to the first server computer;
  
  based on the request by the application for the first service and the second service, obtaining, at the computer system, from a second server computer that provides the second service, a second scope of access information for the application to access the second service requested by the application, wherein the second scope of access information is determined by the second server computer by applying a second policy to the one or more attributes associated with the identity of the application provided by the computer system to the first server computer; and
  
  sending, by the computer system, to the application, a token that indicates access to the first service and access to the second service, wherein the token indicates the access to the first service based on the first scope of access information obtained from the first server computer, and wherein the token indicates the access to the second service based on the second scope of access information obtained from the second server computer.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The computer-implemented method of claim 1, further comprising:
    - receiving, at the computer system, the request by the application for access to the first service.
  - 3. The computer-implemented method of claim 1, wherein the first server computer is distinct from the second server computer, and wherein the first service is distinct from the second service.
  - 4. The computer-implemented method of claim 1, wherein the first service is a first type of service and the second service is a second type of service.
  - 5. The computer-implemented method of claim 1, wherein the first scope of access information indicates the application is permitted to access the first service, and wherein the second scope of access information indicates the application is not permitted to access the second service.
  - 6. The computer-implemented method of claim 1, further comprising:
    - determining, by the computer system, from a plurality of server computers, the first server computer that provides access to the first service; and
      
      determining, by the computer system, from a plurality of server computers, the second server computer that provides access to the second service.
  - 7. The computer-implemented method of claim 1, wherein obtaining the first scope of access information from the first server computer includes:
    - providing, by the computer system, the identity of the application to the first server computer, wherein the first server computer determines the first scope of access information using the identity of the application sent to the first server computer; and
      
      receiving, by the computer system, from the first server computer, the first scope of access information determined by the first server computer.
  - 8. The computer-implemented method of claim 1, further comprising:
    - generating, by the computer system, the token;
      
      adding the first scope of access information to the token; and
      
      adding the second scope of access information to the token.
  - 9. The computer-implemented method of claim 1, wherein the token is generated before the first scope of access information is obtained and before the second scope of access information is obtained.
  - 10. The computer-implemented method of claim 1, wherein the request includes an attribute of a user operating the application to access to the first service and to access the second service, and wherein the first policy is further applied to the attribute of the user to determine the first scope of access information.
  - 11. The computer-implemented method of claim 1, further comprising:
    - identifying, in the request, each of the first service and the second service.

12. A system comprising:
- one or more processors; and
  
  a memory accessible to the one or more processors, the memory storing one or more instructions which, upon execution by the one or more processors, causes the one or more processors to;
  
  based on a request by an application for access to a first service and for access to a second service, obtain, by an authorization system, from a first server computer that provides the first service, a first scope of access information for the application to access the first service requested by the application, wherein the first scope of access information is determined by the first server computer applying a first policy to one or more attributes associated with an identity of the application provided to the first server computer;
  
  based on the request by the application for the first service and the second service, obtain, by the authorization system, from a second server computer that provides the second service, a second scope of access information for the application to access the second service requested by the application, wherein the second scope of access information is determined by the second server computer by applying a second policy to the one or more attributes associated with the identity of the application provided to the first server computer; and
  
  send, by the authorization system, to the application, a token that indicates access to the first service and access to the second service, wherein the token indicates the access to the first service based on the first scope of access information obtained from the first server computer, and wherein the token indicates the access to the second service based on the second scope of access information obtained from the second server computer.
- View Dependent Claims (13, 14, 15, 16)
- - 13. The system of claim 12, wherein the one or more instructions which, upon execution by the one or more processors, further causes the one or more processors to:
    - receive the request by the application for access to the first service.
  - 14. The system of claim 12, wherein the first server computer is distinct from the second server computer, and wherein the first service is distinct from the second service.
  - 15. The system of claim 12, wherein the one or more instructions which, upon execution by the one or more processors, further causes the one or more processors to:
    - provide the identity of the application to the first server computer, wherein the first server computer determines the first scope of access information using the identity of the application sent to the first server computer; and
      
      receive from the first server computer, the first scope of access information determined by the first server computer.
  - 16. The system of claim 12, wherein the one or more instructions which, upon execution by the one or more processors, further causes the one or more processors to:
    - generate the token;
      
      add the first scope of access information to the token; and
      
      add the second scope of access information to the token.

17. A non-transitory computer-readable storage medium comprising one or more instructions which, upon execution by one or more processors, causes the one or more processors to:
- based on a request by an application for access to a first service and for access to a second service, obtain, at a computer system of an authorization system, from a first server computer that provides the first service, a first scope of access information for the application to access the first service requested by the application, wherein the first scope of access information is determined by the first server computer applying a first policy to one or more attributes associated with an identity of the application provided by the computer system to the first server computer;
  
  based on the request by the application for the first service and the second service, obtain, at the computer system, from a second server computer that provides the second service, a second scope of access information for the application to access the second service requested by the application, wherein the second scope of access information is determined by the second server computer by applying a second policy to the one or more attributes associated with the identity of the application provided by the computer system to the first server computer; and
  
  send, by the computer system, to the application, a token that indicates access to the first service and access to the second service, wherein the token indicates the access to the first service based on the first scope of access information obtained from the first server computer, and wherein the token indicates the access to the second service based on the second scope of access information obtained from the second server computer.
- View Dependent Claims (18, 19, 20)
- - 18. The non-transitory computer-readable storage medium of claim 17, wherein the one or more instructions which, upon execution by the one or more processors, further causes the one or more processors to:
    - provide the identity of the application to the first server computer, wherein the first server computer determines the first scope of access information using the identity of the application sent to the first server computer; and
      
      receive from the first server computer, the first scope of access information determined by the first server computer.
  - 19. The non-transitory computer-readable storage medium of claim 17, wherein the first server computer is distinct from the second server computer, and wherein the first service is distinct from the second service.
  - 20. The non-transitory computer-readable storage medium of claim 17, wherein the one or more instructions which, upon execution by the one or more processors, further causes the one or more processors to:
    - generate the token;
      
      add the first scope of access information to the token; and
      
      add the second scope of access information to the token.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Sondhi, Ajay, Chu, Ching-Wen, Evani, Venkata S.

Granted Patent

US 9,860,234 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/08   for authentication of entit...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0815   providing single-sign-on or...

H04L 63/0853   using an additional device,...

H04L 63/10   for controlling access to d...

H04L 63/102   Entity profiles

H04L 63/20   for managing network securi...

H04L 63/205   involving negotiation or de...

H04W 12/068   using credential vaults, e....

BUNDLED AUTHORIZATION REQUESTS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

15 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

BUNDLED AUTHORIZATION REQUESTS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

15 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links