BUNDLED AUTHORIZATION REQUESTS
First Claim
1. A computer-implemented method comprising:
- based on a request by an application for access to a first service and for access to a second service, obtaining, at a computer system of an authorization system, from a first server computer that provides the first service, a first scope of access information for the application to access the first service requested by the application, wherein the first scope of access information is determined by the first server computer applying a first policy to one or more attributes associated with an identity of the application provided by the computer system to the first server computer;
based on the request by the application for the first service and the second service, obtaining, at the computer system, from a second server computer that provides the second service, a second scope of access information for the application to access the second service requested by the application, wherein the second scope of access information is determined by the second server computer by applying a second policy to the one or more attributes associated with the identity of the application provided by the computer system to the first server computer; and
sending, by the computer system, to the application, a token that indicates access to the first service and access to the second service, wherein the token indicates the access to the first service based on the first scope of access information obtained from the first server computer, and wherein the token indicates the access to the second service based on the second scope of access information obtained from the second server computer.
1 Assignment
0 Petitions
Accused Products
Abstract
A framework, which conforms to the OAuth standard, involves a generic OAuth authorization server that can be used by multiple resource servers in order to ensure that access to resources stored on those resource servers is limited to access to which the resource owner consents. Each resource server registers, with the OAuth authorization server, metadata for that resource server, indicating scopes that are recognized by the resource server. The OAuth authorization server refers to this metadata when requesting consent from a resource owner on behalf of a client application, so that the consent will be of an appropriate scope. The OAuth authorization server refers to this metadata when constructing an access token to provide to the client application for use in accessing the resources on the resource server. The OAuth authorization server uses this metadata to map issued access tokens to the scopes to which those access tokens grant access.
15 Citations
20 Claims
-
1. A computer-implemented method comprising:
-
based on a request by an application for access to a first service and for access to a second service, obtaining, at a computer system of an authorization system, from a first server computer that provides the first service, a first scope of access information for the application to access the first service requested by the application, wherein the first scope of access information is determined by the first server computer applying a first policy to one or more attributes associated with an identity of the application provided by the computer system to the first server computer; based on the request by the application for the first service and the second service, obtaining, at the computer system, from a second server computer that provides the second service, a second scope of access information for the application to access the second service requested by the application, wherein the second scope of access information is determined by the second server computer by applying a second policy to the one or more attributes associated with the identity of the application provided by the computer system to the first server computer; and sending, by the computer system, to the application, a token that indicates access to the first service and access to the second service, wherein the token indicates the access to the first service based on the first scope of access information obtained from the first server computer, and wherein the token indicates the access to the second service based on the second scope of access information obtained from the second server computer. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
-
-
12. A system comprising:
-
one or more processors; and a memory accessible to the one or more processors, the memory storing one or more instructions which, upon execution by the one or more processors, causes the one or more processors to; based on a request by an application for access to a first service and for access to a second service, obtain, by an authorization system, from a first server computer that provides the first service, a first scope of access information for the application to access the first service requested by the application, wherein the first scope of access information is determined by the first server computer applying a first policy to one or more attributes associated with an identity of the application provided to the first server computer; based on the request by the application for the first service and the second service, obtain, by the authorization system, from a second server computer that provides the second service, a second scope of access information for the application to access the second service requested by the application, wherein the second scope of access information is determined by the second server computer by applying a second policy to the one or more attributes associated with the identity of the application provided to the first server computer; and send, by the authorization system, to the application, a token that indicates access to the first service and access to the second service, wherein the token indicates the access to the first service based on the first scope of access information obtained from the first server computer, and wherein the token indicates the access to the second service based on the second scope of access information obtained from the second server computer. - View Dependent Claims (13, 14, 15, 16)
-
-
17. A non-transitory computer-readable storage medium comprising one or more instructions which, upon execution by one or more processors, causes the one or more processors to:
-
based on a request by an application for access to a first service and for access to a second service, obtain, at a computer system of an authorization system, from a first server computer that provides the first service, a first scope of access information for the application to access the first service requested by the application, wherein the first scope of access information is determined by the first server computer applying a first policy to one or more attributes associated with an identity of the application provided by the computer system to the first server computer; based on the request by the application for the first service and the second service, obtain, at the computer system, from a second server computer that provides the second service, a second scope of access information for the application to access the second service requested by the application, wherein the second scope of access information is determined by the second server computer by applying a second policy to the one or more attributes associated with the identity of the application provided by the computer system to the first server computer; and send, by the computer system, to the application, a token that indicates access to the first service and access to the second service, wherein the token indicates the access to the first service based on the first scope of access information obtained from the first server computer, and wherein the token indicates the access to the second service based on the second scope of access information obtained from the second server computer. - View Dependent Claims (18, 19, 20)
-
Specification