IDENTITY CLOUD SERVICE AUTHORIZATION MODEL WITH DYNAMIC ROLES AND SCOPES

US 20170329957A1
Filed: 05/09/2017
Published: 11/16/2017
Est. Priority Date: 05/11/2016
Status: Active Grant

First Claim

Patent Images

1. A method of authorizing access to a resource associated with a tenancy in an identity management system that comprises a plurality of tenancies, the method comprising:

receiving an access token request for an access token that corresponds to the resource, wherein the request comprises user information and application information, the user information comprising roles of a user and the application information comprising roles of the application;

determining dynamic roles for the user and dynamic roles for the application;

evaluating the access token request by computing static scopes for the access token comprising determining a first intersection between the user information and the application information;

evaluating the access token request by computing dynamic roles and corresponding dynamic scopes for the access token comprising a second intersection between the dynamic roles of the user and the dynamic roles of the application; and

providing the access token that comprises the computed static scopes, wherein the scopes are based at least on roles of the user and the roles of the application, and further comprising the computed dynamic roles and corresponding dynamic scopes.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system for authorizing access to a resource associated with a tenancy in an identity management system that includes a plurality of tenancies receives an access token request for an access token that corresponds to the resource, the request including user information and application information, the user information including roles of a user and the application information including roles of the application. The system evaluates the access token request by computing dynamic roles and corresponding dynamic scopes for the access token including a second intersection between the dynamic roles of the user and the dynamic roles of the application. The system then provides the access token that includes the computed static scopes, where the scopes are based at least on the roles of the user and the roles of the application, and further including the computed dynamic roles and corresponding dynamic scopes.

Citations

20 Claims

1. A method of authorizing access to a resource associated with a tenancy in an identity management system that comprises a plurality of tenancies, the method comprising:
- receiving an access token request for an access token that corresponds to the resource, wherein the request comprises user information and application information, the user information comprising roles of a user and the application information comprising roles of the application;
  
  determining dynamic roles for the user and dynamic roles for the application;
  
  evaluating the access token request by computing static scopes for the access token comprising determining a first intersection between the user information and the application information;
  
  evaluating the access token request by computing dynamic roles and corresponding dynamic scopes for the access token comprising a second intersection between the dynamic roles of the user and the dynamic roles of the application; and
  
  providing the access token that comprises the computed static scopes, wherein the scopes are based at least on roles of the user and the roles of the application, and further comprising the computed dynamic roles and corresponding dynamic scopes.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, the method comprising:
    - receiving the access token with an access authorization request;
      
      determine a first dynamic role policy from the dynamic scopes, the dynamic role policy comprising a condition;
      
      evaluating if access to the resource to perform an operation is permitted based on the computed static scopes, the resource, the operation and an evaluation of the dynamic role policy; and
      
      generating granted allowed scopes and granted dynamic roles and dynamic scopes.
  - 3. The method of claim 2, further comprising, when the dynamic role policy is applicable based on the condition, adding corresponding dynamic scopes to existing static scopes from the access token, and then further evaluating a static policy.
  - 4. The method of claim 1, wherein when an OnBehalfOfUser property is true, the second intersection include the dynamic roles of the application and the dynamic roles of the user when present.
  - 5. The method of claim 1, wherein providing the access token comprises recording a tuple comprising the dynamic roles and the corresponding dynamic scopes.
  - 6. The method of claim 1, wherein the scopes comprise OAuth scopes.
  - 7. The method of claim 2, wherein the evaluating if access to the resource to perform the operation is permitted is based on an eXtensible Access Control Markup Language (XACML) based authorization policy.

8. A computer readable medium having instructions stored thereon that, when executed by a processor, authorizes access to a resource associated with a tenancy in an identity management system that comprises a plurality of tenancies, the authorizes access comprising:
- receiving an access token request for an access token that corresponds to the resource, wherein the request comprises user information and application information, the user information comprising roles of a user and the application information comprising roles of the application;
  
  determining dynamic roles for the user and dynamic roles for the application;
  
  evaluating the access token request by computing static scopes for the access token comprising determining a first intersection between the user information and the application information;
  
  evaluating the access token request by computing dynamic roles and corresponding dynamic scopes for the access token comprising a second intersection between the dynamic roles of the user and the dynamic roles of the application; and
  
  providing the access token that comprises the computed static scopes, wherein the scopes are based at least on roles of the user and the roles of the application, and further comprising the computed dynamic roles and corresponding dynamic scopes.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The computer readable medium of claim 8, the authorizes access further comprising:
    - receiving the access token with an access authorization request;
      
      determine a first dynamic role policy from the dynamic scopes, the dynamic role policy comprising a condition;
      
      evaluating if access to the resource to perform an operation is permitted based on the computed static scopes, the resource, the operation and an evaluation of the dynamic role policy; and
      
      generating granted allowed scopes and granted dynamic roles and dynamic scopes.
  - 10. The computer readable medium of claim 9, the authorizes access further comprising, when the dynamic role policy is applicable based on the condition, adding corresponding dynamic scopes to existing static scopes from the access token, and then further evaluating a static policy.
  - 11. The computer readable medium of claim 8, wherein when an OnBehalfOfUser property is true, the second intersection include the dynamic roles of the application and the dynamic roles of the user when present.
  - 12. The computer readable medium of claim 8, wherein providing the access token comprises recording a tuple comprising the dynamic roles and the corresponding dynamic scopes.
  - 13. The computer readable medium of claim 8, wherein the scopes comprise OAuth scopes.
  - 14. The computer readable medium of claim 9, wherein the evaluating if access to the resource to perform the operation is permitted is based on an eXtensible Access Control Markup Language (XACML) based authorization policy.

15. A cloud based system for authorizing access to a resource associated with a tenancy in an identity management system that comprises a plurality of tenancies, the system comprising:
- a processor that implements a microservice, a microservice functionality comprising;
  
  receiving an access token request for an access token that corresponds to the resource, wherein the request comprises user information and application information, the user information comprising roles of a user and the application information comprising roles of the application;
  
  determining dynamic roles for the user and dynamic roles for the application;
  
  evaluating the access token request by computing static scopes for the access token comprising determining a first intersection between the user information and the application information;
  
  evaluating the access token request by computing dynamic roles and corresponding dynamic scopes for the access token comprising a second intersection between the dynamic roles of the user and the dynamic roles of the application; and
  
  providing the access token that comprises the computed static scopes, wherein the scopes are based at least on roles of the user and the roles of the application, and further comprising the computed dynamic roles and corresponding dynamic scopes.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The cloud based system of claim 15, the microservice functionality further comprising:
    - receiving the access token with an access authorization request;
      
      determine a first dynamic role policy from the dynamic scopes, the dynamic role policy comprising a condition;
      
      evaluating if access to the resource to perform an operation is permitted based on the computed static scopes, the resource, the operation and an evaluation of the dynamic role policy; and
      
      generating granted allowed scopes and granted dynamic roles and dynamic scopes.
  - 17. The cloud based system of claim 16, the microservice functionality further comprising:
    - when the dynamic role policy is applicable based on the condition, adding corresponding dynamic scopes to existing static scopes from the access token, and then further evaluating a static policy.
  - 18. The cloud based system of claim 15, wherein when an OnBehalfOfUser property is true, the second intersection include the dynamic roles of the application and the dynamic roles of the user when present.
  - 19. The cloud based system of claim 15, wherein providing the access token comprises recording a tuple comprising the dynamic roles and the corresponding dynamic scopes.
  - 20. The cloud based system of claim 15, wherein the scopes comprise OAuth scopes.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
VEPA, Sirish V., KATTI, Sreedhar, DHADUK, Maheshkumar Shivlal, LANDER, Vadim

Granted Patent

US 10,878,079 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/335   for accessing specific reso...

G06F 21/34   involving the use of extern...

G06F 21/445   by mutual authentication, e...

G06F 21/629   to features or functions of...

IDENTITY CLOUD SERVICE AUTHORIZATION MODEL WITH DYNAMIC ROLES AND SCOPES

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

IDENTITY CLOUD SERVICE AUTHORIZATION MODEL WITH DYNAMIC ROLES AND SCOPES

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links