IDENTITY CLOUD SERVICE AUTHORIZATION MODEL

US 20170331832A1
Filed: 03/30/2017
Published: 11/16/2017
Est. Priority Date: 05/11/2016
Status: Active Grant

First Claim

Patent Images

1. A method of authorizing access to a resource, the method comprising:

receiving an access token request for an access token that corresponds to the resource, wherein the request comprises user information and application information, the user information comprising a role of the user and the application information comprising a role of the application;

evaluating the access token request by computing scopes for the access token, the computing comprising determining an intersection between the user information and the application information; and

providing the access token that comprises the computed scopes, the scopes based at least on the role of the user and the role of the application.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system for authorizing access to a resource receives a request for an access token that corresponds to the resource, where the request includes user information and application information. The user information includes a role of the user and the application information includes a role of the application. The system evaluates the request by computing scopes for the access token, including determining an intersection between the user information and the application information. The system then provides the access token that includes the computed scopes, the scopes being based at least on the role of the user and the role of the application.

Citations

20 Claims

1. A method of authorizing access to a resource, the method comprising:
- receiving an access token request for an access token that corresponds to the resource, wherein the request comprises user information and application information, the user information comprising a role of the user and the application information comprising a role of the application;
  
  evaluating the access token request by computing scopes for the access token, the computing comprising determining an intersection between the user information and the application information; and
  
  providing the access token that comprises the computed scopes, the scopes based at least on the role of the user and the role of the application.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, further comprising:
    - receiving the access token with an access authorization request;
      
      evaluating if access to the resource to perform an operation is permitted based on the computed scopes, the resource, and the operation.
  - 3. The method of claim 2, wherein the evaluating if access to the resource to perform the operation is permitted is further based on a payload of the access authorization request or indirect attributes of the resource.
  - 4. The method of claim 1, wherein the computed scopes comprise a collection of actions permitted on the resource.
  - 5. The method of claim 1, the evaluating the access token request further comprising computing scopes based only the user information without the application information based on an onBehalfOfUser property.
  - 6. The method of claim 1, wherein the scopes comprise OAuth scopes.
  - 7. The method of claim 2, wherein the evaluating if access to the resource to perform the operation is permitted is based on an eXtensible Access Control Markup Language (XACML) based authorization policy.
  - 8. The method of claim 2, wherein the evaluating if access to the resource to perform the operation is permitted is based on a Representational State Transfer (REST) request.

9. A computer readable medium having instructions stored thereon that, when executed by a processor, authorizes access to a resource, the authorizing access comprising:
- receiving an access token request for an access token that corresponds to the resource, wherein the request comprises user information and application information, the user information comprising a role of the user and the application information comprising a role of the application;
  
  evaluating the access token request by computing scopes for the access token, the computing comprising determining an intersection between the user information and the application information; and
  
  providing the access token that comprises the computed scopes, the scopes based at least on the role of the user and the role of the application.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The computer readable medium of claim 9, the authorizing access further comprising:
    - receiving the access token with an access authorization request;
      
      evaluating if access to the resource to perform an operation is permitted based on the computed scopes, the resource, and the operation.
  - 11. The computer readable medium of claim 10, wherein the evaluating if access to the resource to perform the operation is permitted is further based on a payload of the access authorization request or indirect attributes of the resource.
  - 12. The computer readable medium of claim 9, wherein the computed scopes comprise a collection of actions permitted on the resource.
  - 13. The computer readable medium of claim 10, further generating an evaluation decision comprising one or more obligations.
  - 14. The computer readable medium of claim 9, wherein the scopes comprise OAuth scopes.
  - 15. The computer readable medium of claim 10, wherein the evaluating if access to the resource to perform the operation is permitted is based on an eXtensible Access Control Markup Language (XACML) based authorization policy.
  - 16. The computer readable medium of claim 10, wherein the evaluating if access to the resource to perform the operation is permitted is based on a Representational State Transfer (REST) request.

17. A cloud based system for authorizing access to a resource, the system comprising:
- a processor that implements a microservice, the microservice functionality comprising;
  
  receiving an access token request for an access token that corresponds to the resource, wherein the request comprises user information and application information, the user information comprising a role of the user and the application information comprising a role of the application;
  
  evaluating the access token request by computing scopes for the access token, the computing comprising determining an intersection between the user information and the application information; and
  
  providing the access token that comprises the computed scopes, the scopes based at least on the role of the user and the role of the application.
- View Dependent Claims (18, 19, 20)
- - 18. A cloud based system of claim 17, the microservice functionality further comprising:
    - receiving the access token with an access authorization request;
      
      evaluating if access to the resource to perform an operation is permitted based on the computed scopes, the resource, and the operation.
  - 19. The cloud based system of claim 18, wherein the evaluating if access to the resource to perform the operation is permitted is further based on a payload of the access authorization request or indirect attributes of the resource.
  - 20. The cloud based system of claim 17, wherein the computed scopes comprise a collection of actions permitted on the resource.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
LANDER, VADIM, SASTRY, Hari, KATTI, Sreedhar, VEPA, Sirish V., SHENOY, Swathi Vinayak

Granted Patent

US 10,454,940 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0815   providing single-sign-on or...

H04L 63/102   Entity profiles

IDENTITY CLOUD SERVICE AUTHORIZATION MODEL

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

IDENTITY CLOUD SERVICE AUTHORIZATION MODEL

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links