OAuth framework
First Claim
1. A method comprising:
- receiving, at an OAuth authorization server, from a first resource server that is separate from the OAuth authorization server, a first set of metadata indicating a first set of scopes that are recognized by the first resource server;
- in response to receiving the first set of metadata, storing, at the OAuth authorization server, mappings between scopes in the first set of scopes and subsets of resources maintained by the first resource server;
- storing, at the OAuth authorization server, a mapping between a first access token and a first scope from the first set of scopes;
- receiving, at the OAuth authorization server, from the first resource server, a request to validate the first access token;
- in response to receiving the request to validate the first access token, the OAuth authorization server validating the first access token based on the mapping between the first access token and the first scope; and
- in response to validating the first access token, the OAuth authorization server indicating, to the first resource server, that a client application that presented the first access token to the first resource server is authorized to perform operations relative to a set of resources that are maintained by the first resource server and specified by the first scope;
- receiving, at the OAuth authorization server, from a second resource server that is separate from the first resource server, a second set of metadata indicating a second set of scopes that are recognized by the second resource server, the second set of scopes differing from the first set of scopes;
- in response to receiving the second set of metadata, storing, at the OAuth authorization server, mappings between scopes in the second set of scopes and subsets of resources maintained by the second resource server;
- storing, at the OAuth authorization server, a mapping between a second access token and a second scope from the second set of scopes;
- receiving, at the OAuth authorization server, from the second resource server, a request to validate the second access token;
- in response to receiving the request to validate the second access token, the OAuth authorization server validating the second access token based on the mapping between the second access token and the second scope; and
- in response to validating the second access token, the OAuth authorization server indicating, to the second resource server, that a client application that presented the second access token to the second resource server is authorized to perform operations relative to a set of resources that are maintained by the second resource server and specified by the second scope;
- wherein the OAuth authorization server does not manage the set of resources that are maintained by the first resource server.
Abstract
A framework, which conforms to the OAuth standard, involves a generic OAuth authorization server that can be used by multiple resource servers in order to ensure that access to resources stored on those resource servers is limited to access to which the resource owner consents. Each resource server registers, with the OAuth authorization server, metadata for that resource server, indicating scopes that are recognized by the resource server. The OAuth authorization server refers to this metadata when requesting consent from a resource owner on behalf of a client application, so that the consent will be of an appropriate scope. The OAuth authorization server refers to this metadata when constructing an access token to provide to the client application for use in accessing the resources on the resource server. The OAuth authorization server uses this metadata to map issued access tokens to the scopes to which those access tokens grant access.
15 Claims

1. A method comprising: the steps set out in full above under "First Claim". (Dependent claims: 2, 3, 4, 5.)

6. A non-transitory computer-readable memory comprising instructions which, when executed by one or more processors, cause the one or more processors to perform:
- receiving, at an OAuth authorization server, from a first resource server that is separate from the OAuth authorization server, a first set of metadata indicating a first set of scopes that are recognized by the first resource server;
- in response to receiving the first set of metadata, storing, at the OAuth authorization server, mappings between scopes in the first set of scopes and subsets of resources maintained by the first resource server;
- storing, at the OAuth authorization server, a mapping between a first access token and a first scope from the first set of scopes;
- receiving, at the OAuth authorization server, from the first resource server, a request to validate the first access token;
- in response to receiving the request to validate the first access token, the OAuth authorization server validating the first access token based on the mapping between the first access token and the first scope; and
- in response to validating the first access token, the OAuth authorization server indicating, to the first resource server, that a client application that presented the first access token to the first resource server is authorized to perform operations relative to a set of resources that are maintained by the first resource server and specified by the first scope;
- receiving, at the OAuth authorization server, from a second resource server that is separate from the first resource server, a second set of metadata indicating a second set of scopes that are recognized by the second resource server, the second set of scopes differing from the first set of scopes;
- in response to receiving the second set of metadata, storing, at the OAuth authorization server, mappings between scopes in the second set of scopes and subsets of resources maintained by the second resource server;
- storing, at the OAuth authorization server, a mapping between a second access token and a second scope from the second set of scopes;
- receiving, at the OAuth authorization server, from the second resource server, a request to validate the second access token;
- in response to receiving the request to validate the second access token, the OAuth authorization server validating the second access token based on the mapping between the second access token and the second scope; and
- in response to validating the second access token, the OAuth authorization server indicating, to the second resource server, that a client application that presented the second access token to the second resource server is authorized to perform operations relative to a set of resources that are maintained by the second resource server and specified by the second scope;
- wherein the OAuth authorization server does not manage the set of resources that are maintained by the first resource server.
(Dependent claims: 7, 8, 9, 10.)

11. An OAuth authorization server comprising:
- one or more hardware processors that are configured to receive, from a first resource server that is separate from the OAuth authorization server, a first set of metadata indicating a first set of scopes that are recognized by the first resource server;
- one or more hardware processors that are configured to store, in response to receiving the first set of metadata, mappings between scopes in the first set of scopes and subsets of resources maintained by the first resource server;
- one or more hardware processors that are configured to store a mapping between a first access token and a first scope from the first set of scopes;
- one or more hardware processors that are configured to receive, from the first resource server, a request to validate the first access token;
- one or more hardware processors that are configured to validate the first access token based on the mapping between the first access token and the first scope in response to receiving the request to validate the first access token; and
- one or more hardware processors that are configured to indicate, to the first resource server, in response to validating the first access token, that a client application that presented the first access token to the first resource server is authorized to perform operations relative to a set of resources that are maintained by the first resource server and specified by the first scope;
- one or more hardware processors configured to receive, from a second resource server that is separate from the first resource server, a second set of metadata indicating a second set of scopes that are recognized by the second resource server, the second set of scopes differing from the first set of scopes;
- one or more hardware processors configured to store, in response to receiving the second set of metadata, mappings between scopes in the second set of scopes and subsets of resources maintained by the second resource server;
- one or more hardware processors configured to store a mapping between a second access token and a second scope from the second set of scopes;
- one or more hardware processors configured to receive, from the second resource server, a request to validate the second access token;
- one or more hardware processors configured to validate the second access token based on the mapping between the second access token and the second scope in response to receiving the request to validate the second access token; and
- one or more hardware processors configured to indicate, to the second resource server, in response to validating the second access token, that a client application that presented the second access token to the second resource server is authorized to perform operations relative to a set of resources that are maintained by the second resource server and specified by the second scope;
- wherein the OAuth authorization server does not manage the set of resources that are maintained by the first resource server.
(Dependent claims: 12, 13, 14, 15.)
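The abstract and the three independent claims describe the same mechanism: resource servers register scope metadata with a shared authorization server, the server binds each issued token to one registered scope, and it answers validation requests with the scope and the resource subset that scope covers. The following Python model is an added illustration, not code from the patent, its assignee or any product; the resource server names, scope names and resource identifiers are constructed sample values, and the expiry and per-server binding checks are assumptions about how a deployment would harden the design rather than anything the claims require.

```python
"""Minimal model of the OAuth authorization server the claims describe.

Added illustration, not code from the patent or any product. Resource server
ids, scope names and resource ids below are constructed sample values.
"""
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class IssuedToken:
    resource_server: str   # resource server the token was issued for (assumed binding)
    scope: str             # the single registered scope bound to the token
    expires_at: float      # Unix time; expired tokens fail validation (assumption)


@dataclass
class AuthorizationServer:
    # resource server id -> {scope -> frozenset of resource ids that scope covers}
    scope_maps: dict = field(default_factory=dict)
    # opaque token -> IssuedToken; the server stores mappings, never the resources
    tokens: dict = field(default_factory=dict)

    def register_resource_server(self, rs_id: str, metadata: dict) -> None:
        """Accept a resource server's scope metadata and store, for that server
        only, the mapping from each scope to the resource subset it covers."""
        if not metadata:
            raise ValueError("metadata must declare at least one scope")
        self.scope_maps[rs_id] = {s: frozenset(r) for s, r in metadata.items()}

    def issue_token(self, rs_id: str, scope: str, ttl: float = 3600.0, now=None) -> str:
        """Bind a fresh access token to one scope drawn from the target resource
        server's registered scope set; unregistered scopes are refused."""
        registered = self.scope_maps.get(rs_id)
        if registered is None or scope not in registered:
            raise ValueError(f"scope {scope!r} is not registered by {rs_id!r}")
        token = secrets.token_urlsafe(32)
        now = time.time() if now is None else now
        self.tokens[token] = IssuedToken(rs_id, scope, now + ttl)
        return token

    def validate(self, rs_id: str, token: str, now=None) -> dict:
        """Answer a resource server's validation request with the token's scope
        and the resource subset that scope maps to for that server."""
        now = time.time() if now is None else now
        rec = self.tokens.get(token)
        if rec is None or rec.expires_at <= now:
            return {"active": False}
        # A token is only valid at the resource server it was issued for; without
        # this check a token for one server's scope would be accepted by another.
        if rec.resource_server != rs_id:
            return {"active": False}
        return {
            "active": True,
            "scope": rec.scope,
            "resources": sorted(self.scope_maps[rs_id][rec.scope]),
        }


def demo() -> dict:
    """Walk through the two-resource-server scenario of claim 1 with constructed data."""
    auth = AuthorizationServer()
    # Two independent resource servers register differing scope sets (constructed).
    auth.register_resource_server("photos-rs", {
        "photos:read": ["album/1", "album/2"],
        "photos:write": ["album/1"],
    })
    auth.register_resource_server("calendar-rs", {
        "calendar:read": ["cal/work", "cal/home"],
    })
    t0 = 1_700_000_000.0   # fixed clock so the run is reproducible
    first = auth.issue_token("photos-rs", "photos:read", now=t0)
    second = auth.issue_token("calendar-rs", "calendar:read", now=t0)
    return {
        "first_at_first_rs": auth.validate("photos-rs", first, now=t0 + 1),
        "second_at_second_rs": auth.validate("calendar-rs", second, now=t0 + 1),
        "first_at_second_rs": auth.validate("calendar-rs", first, now=t0 + 1),
        "first_expired": auth.validate("photos-rs", first, now=t0 + 3601),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The validation answer carries only the scope and the resource identifiers the registering server declared for it, which is the claimed separation: the authorization server never holds or serves the resources themselves. The two extra refusals in `validate` (wrong resource server, expired token) are design choices for a real deployment, not claim elements; a token that one server accepts should not be replayable at the other merely because both trust the same authorization server.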