Self-describing authorization policy for accessing cloud-based resources
Abstract
A ticketing system adapted for use with a cloud-based services platform is provided by a ticket-based authorization model in which the authorization requirements for traversing one or more meshes of resources associated with a cloud service are annotated in links included in a resource that refer to other resources. The meshes are thus self-describing with respect to the association among the resources (i.e., the links) as well as the authorization required to access resources. Resource access requires a principal ticket which asserts that a caller at a client (e.g., a security principal representing a device or identity associated with a user) is authenticated, plus zero or more claim tickets. The claim tickets make additional assertions about the caller that the cloud service may use to check that the caller is authorized to access the resource.
Claims
1. A method for implementing a self-describing authorization policy for resources provided by a cloud service, the method comprising:
- exposing resources provided by the cloud service as one of a plurality of resource meshes, each resource mesh including a plurality of resources that require authenticating credentials associated with a particular client device to access the resources;
- providing a principal ticket including a link to a particular resource in a mesh and credentials for authenticating a client device to the particular resource in the mesh associated with the client device to permit the client device to access the resource;
- annotating the link to the particular resource with authorization credentials required by at least one other resource in the resource mesh associated with the particular client device to permit the client device to access the other resource, the authorization credentials for the other resource comprising a claim ticket containing at least one assertion providing access to the other resource; and
- accessing the particular resource by using the principal ticket included in the link to the particular resource, the link being annotated with at least one claim ticket required by another resource to permit the client device to directly access the other resource when accessing the particular resource.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9.
10. A computer-readable medium not comprising a propagated signal and containing instructions which, when implemented by one or more processors disposed in an electronic device, implements a client device for navigating between resources provided by a cloud service as one of a plurality of resource meshes, each resource mesh including a plurality of resources that require authenticating credentials associated with a particular client to access the resources, wherein the instructions provide a runtime for accessing a particular resource in a resource mesh associated with the client device by using an attribute of the particular resource and for checking the attribute to determine if the particular resource requires access to another resource in the mesh, the runtime comprising a ticket manager configured for:
- checking a ticket cache associated with the ticket manager to determine the availability in the ticket cache of a claim ticket with authorization credentials required for the client device to access the other resource in the resource mesh;
- if the claim ticket is not available in the cache, fetching the claim ticket from a ticket resource handler provided by the cloud service using an attribute in a link to the particular resource; and
- storing the fetched claim ticket in the ticket cache,
wherein the runtime is configured to obtain from the cloud service a principal ticket usable by the runtime for authenticating the particular client device to access the particular resource, wherein the principal ticket includes a link to the particular resource and the ticket manager annotates the link with the claim ticket required by the other resource.
Dependent claims: 11, 12, 13, 14, 15, 16, 17, 18, 19, 20.
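The annotated links of claim 1 and the ticket manager of claim 10, as an added Python sketch that is not the patent's own code: a constructed two-resource mesh in which the link from /profile to /photos carries the claim assertion /photos requires, a client-side TicketManager that serves claim tickets from its cache and fetches from a ticket resource handler on a miss, and a CloudService that admits a caller only with a principal ticket plus every required claim bound to that same principal. All class names, paths, principals and the issuance table are constructed for this example.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class PrincipalTicket:   # asserts only that the caller is authenticated
    principal: str
@dataclass(frozen=True)
class ClaimTicket:       # extra assertion about the caller, e.g. "role:owner"
    principal: str
    assertion: str
@dataclass(frozen=True)
class Link:              # link annotated with the claim assertions its target requires
    target: str
    required_claims: tuple = ()

# Constructed two-resource mesh: /profile links to /photos, which needs role:owner.
MESH = {
    "/profile": {"requires": (), "links": {"photos": Link("/photos", ("role:owner",))}},
    "/photos": {"requires": ("role:owner",), "links": {}},
}
# Constructed issuance policy: which assertions the handler will give each principal.
ISSUABLE = {"alice": {"role:owner"}, "bob": set()}

class TicketResourceHandler:
    """Cloud-side issuer of claim tickets (hypothetical)."""
    def issue(self, principal: PrincipalTicket, assertion: str) -> ClaimTicket:
        if assertion not in ISSUABLE.get(principal.principal, set()):
            raise PermissionError(f"{assertion} not issuable to {principal.principal}")
        return ClaimTicket(principal.principal, assertion)

class CloudService:
    """Grants access only with a principal ticket plus every claim the resource requires."""
    def access(self, path: str, principal: PrincipalTicket, claims) -> dict:
        need = set(MESH[path]["requires"])
        # a claim ticket only counts if it is bound to the presenting principal
        have = {c.assertion for c in claims if c.principal == principal.principal}
        if not need <= have:
            raise PermissionError(f"{path} requires {sorted(need - have)}")
        return MESH[path]

class TicketManager:
    """Client runtime: serves claim tickets from its cache, fetching on a miss."""
    def __init__(self, principal: PrincipalTicket, handler: TicketResourceHandler):
        self.principal, self.handler, self.cache = principal, handler, {}
    def claims_for(self, link: Link) -> list:
        for assertion in link.required_claims:
            if assertion not in self.cache:          # cache miss: fetch and store
                self.cache[assertion] = self.handler.issue(self.principal, assertion)
        return [self.cache[a] for a in link.required_claims]

def follow(manager: TicketManager, service: CloudService, start: str, link_name: str) -> dict:
    # access `start`, then go directly to the linked resource using the link's annotation
    link = service.access(start, manager.principal, [])["links"][link_name]
    return service.access(link.target, manager.principal, manager.claims_for(link))
```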
Specification