IDENTITY CLOUD SERVICE AUTHORIZATION MODEL WITH DYNAMIC ROLES AND SCOPES
First Claim
1. A method of authorizing access to a resource associated with a tenancy in an identity management system that comprises a plurality of tenancies, the method comprising:
receiving an access token request for an access token that corresponds to the resource, wherein the request comprises user information and application information, the user information comprising roles of a user and the application information comprising roles of the application;
determining dynamic roles for the user and dynamic roles for the application;
evaluating the access token request by computing static scopes for the access token comprising determining a first intersection between the user information and the application information;
evaluating the access token request by computing dynamic roles and corresponding dynamic scopes for the access token comprising a second intersection between the dynamic roles of the user and the dynamic roles of the application; and
providing the access token that comprises the computed static scopes, wherein the scopes are based at least on roles of the user and the roles of the application, and further comprising the computed dynamic roles and corresponding dynamic scopes.
Abstract
A system for authorizing access to a resource associated with a tenancy in an identity management system that includes a plurality of tenancies receives an access token request for an access token that corresponds to the resource. The request includes user information and application information: the user information includes the roles of a user, and the application information includes the roles of the application. The system evaluates the access token request by computing static scopes for the access token, including a first intersection between the user information and the application information, and by computing dynamic roles and corresponding dynamic scopes for the access token, including a second intersection between the dynamic roles of the user and the dynamic roles of the application. The system then provides the access token that includes the computed static scopes, where the scopes are based at least on the roles of the user and the roles of the application, and further including the computed dynamic roles and corresponding dynamic scopes.
Claims (20)
1. A method of authorizing access to a resource associated with a tenancy in an identity management system that comprises a plurality of tenancies, the method comprising:
receiving an access token request for an access token that corresponds to the resource, wherein the request comprises user information and application information, the user information comprising roles of a user and the application information comprising roles of the application;
determining dynamic roles for the user and dynamic roles for the application;
evaluating the access token request by computing static scopes for the access token comprising determining a first intersection between the user information and the application information;
evaluating the access token request by computing dynamic roles and corresponding dynamic scopes for the access token comprising a second intersection between the dynamic roles of the user and the dynamic roles of the application; and
providing the access token that comprises the computed static scopes, wherein the scopes are based at least on roles of the user and the roles of the application, and further comprising the computed dynamic roles and corresponding dynamic scopes.
Dependent claims: 2, 3, 4, 5, 6, 7
8. A computer readable medium having instructions stored thereon that, when executed by a processor, authorize access to a resource associated with a tenancy in an identity management system that comprises a plurality of tenancies, the authorizing of access comprising:
receiving an access token request for an access token that corresponds to the resource, wherein the request comprises user information and application information, the user information comprising roles of a user and the application information comprising roles of the application;
determining dynamic roles for the user and dynamic roles for the application;
evaluating the access token request by computing static scopes for the access token comprising determining a first intersection between the user information and the application information;
evaluating the access token request by computing dynamic roles and corresponding dynamic scopes for the access token comprising a second intersection between the dynamic roles of the user and the dynamic roles of the application; and
providing the access token that comprises the computed static scopes, wherein the scopes are based at least on roles of the user and the roles of the application, and further comprising the computed dynamic roles and corresponding dynamic scopes.
Dependent claims: 9, 10, 11, 12, 13, 14
15. A cloud based system for authorizing access to a resource associated with a tenancy in an identity management system that comprises a plurality of tenancies, the system comprising:
a processor that implements a microservice, the microservice functionality comprising:
receiving an access token request for an access token that corresponds to the resource, wherein the request comprises user information and application information, the user information comprising roles of a user and the application information comprising roles of the application;
determining dynamic roles for the user and dynamic roles for the application;
evaluating the access token request by computing static scopes for the access token comprising determining a first intersection between the user information and the application information;
evaluating the access token request by computing dynamic roles and corresponding dynamic scopes for the access token comprising a second intersection between the dynamic roles of the user and the dynamic roles of the application; and
providing the access token that comprises the computed static scopes, wherein the scopes are based at least on roles of the user and the roles of the application, and further comprising the computed dynamic roles and corresponding dynamic scopes.
Dependent claims: 16, 17, 18, 19, 20
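The following is an added worked example of the two-intersection evaluation that the independent claims describe (claims 1, 8 and 15 all recite the same steps); it is illustrative code written for this page, not the patent holder's implementation. The role-to-scope catalogue, the attribute-based rules used to derive dynamic roles, the sample user and application, and the rule that the user, the application and the resource must share one tenancy are all assumptions made here to make the example concrete; the patent text names none of them.

```python
from dataclasses import dataclass, field

# Constructed role -> scope catalogue for static roles (assumption: the patent
# text does not enumerate any concrete roles or scopes).
STATIC_ROLE_SCOPES = {
    "user_admin": {"users:read", "users:write"},
    "user_reader": {"users:read"},
    "audit_viewer": {"audit:read"},
    "report_runner": {"reports:run"},
}

# Constructed dynamic-role rules (assumption): a dynamic role is computed at
# token-request time from the user's current attributes rather than stored as
# a static assignment.
DYNAMIC_ROLE_RULES = {
    "finance_reporter": lambda attrs: attrs.get("department") == "finance",
    "mfa_auditor": lambda attrs: attrs.get("mfa_verified") is True,
}

# Scopes attached to each dynamic role (assumption).
DYNAMIC_ROLE_SCOPES = {
    "finance_reporter": {"reports:run", "reports:finance"},
    "mfa_auditor": {"audit:read", "audit:export"},
}


@dataclass
class User:
    tenancy: str
    roles: set                                  # statically assigned roles
    attributes: dict = field(default_factory=dict)


@dataclass
class Application:
    tenancy: str
    roles: set                                  # roles the app was registered with
    dynamic_roles: set                          # dynamic roles the app may carry


def scopes_for(roles, catalogue):
    """Union of the scopes mapped to each role; unknown roles yield nothing."""
    scopes = set()
    for role in roles:
        scopes |= catalogue.get(role, set())
    return scopes


def dynamic_roles_for_user(user):
    """Evaluate every dynamic-role rule against the user's current attributes."""
    return {name for name, rule in DYNAMIC_ROLE_RULES.items()
            if rule(user.attributes)}


def same_tenancy(user, app, resource_tenancy):
    """Assumption: intersections are only computed inside a single tenancy,
    so a request whose parties span tenancies is refused before evaluation."""
    return user.tenancy == app.tenancy == resource_tenancy


def issue_token(user, app, resource_tenancy):
    """Compute the token contents recited in claim 1 (unsigned, for clarity)."""
    if not same_tenancy(user, app, resource_tenancy):
        raise PermissionError("user, application and resource tenancy differ")

    # First intersection: static scopes come only from roles that BOTH the
    # user holds and the application is entitled to use.
    static_roles = user.roles & app.roles
    static_scopes = scopes_for(static_roles, STATIC_ROLE_SCOPES)

    # Second intersection: dynamic roles the user qualifies for right now,
    # limited to those the application is permitted to carry.
    dynamic_roles = dynamic_roles_for_user(user) & app.dynamic_roles
    dynamic_scopes = scopes_for(dynamic_roles, DYNAMIC_ROLE_SCOPES)

    return {
        "tenancy": resource_tenancy,
        "scope": sorted(static_scopes),
        "dynamic_roles": sorted(dynamic_roles),
        "dynamic_scopes": sorted(dynamic_scopes),
    }


# Constructed sample principals (assumption).
SAMPLE_USER = User(
    tenancy="acme",
    roles={"user_admin", "report_runner"},
    attributes={"department": "finance", "mfa_verified": False},
)
SAMPLE_APP = Application(
    tenancy="acme",
    roles={"user_reader", "user_admin", "audit_viewer"},
    dynamic_roles={"finance_reporter", "mfa_auditor"},
)

if __name__ == "__main__":
    print(issue_token(SAMPLE_USER, SAMPLE_APP, "acme"))
```

With the sample data, the user's `report_runner` role drops out of the static scopes because the application was never registered with it, and the application's `audit_viewer` role drops out because the user does not hold it; on the dynamic side, `mfa_auditor` is withheld because the user's attributes do not satisfy its rule even though the application may carry it. The intersection therefore caps the token at what both parties are independently entitled to, which is the least-privilege property worth checking when reviewing such a token service; a production issuer would additionally sign the token and bind it to an expiry and audience.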
Specification