System for delegation of authority, access management service system, medium, and method for controlling the system for delegation of authority
Abstract
In sequential processing including issuance of an approval token from a user to a cooperation source service via an access management service, a system for delegation of authority confirms whether each of the user and the cooperation source service has a sufficient authority to execute a service of a cooperation destination before issuing the approval token.
9 Claims
1. A system for delegation of authority, comprising:
a first service system configured to provide a first online service;
a second service system configured to provide a second online service and configured to communicate with the first service system;
an access management service system configured to manage authentication information and approval tokens that are required to use a plurality of service systems including the second service system; and
wherein the system for delegation of authority is configured to receive information from a client configured to be operated by a user who has registered authentication information required to use online services that are provided by the first service system and the second service system,
wherein the first service system includes a first redirect instruction unit configured to transmit scope information to the client to identify the second online service, if it is necessary to use the second online service provided by the second service system in a process of responding to a processing request from the client operated by the user, and configured to transmit a message causing the client to access the access management service system,
wherein the access management service system includes an approval screen transmission unit configured to confirm whether the user has an authority to use the second online service and, if it is confirmed that the user has the authority, configured to transmit an approval screen to the client to enable the user to confirm whether to approve that the first service system uses the second online service;
the access management service system further includes a management unit configured to issue a code required to issue an approval token if it is confirmed that the user has approved via the approval screen, and manage the issued code in such a way as to be linked with the scope information acquired when accessed by the client;
the access management service system further includes a second redirect instruction unit configured to transmit the code to the client causing the client to access the first service system;
the first service system further includes a transmission unit configured to transmit authentication information that is unique to the first service system and the code acquired when accessed by the client to the access management service system;
the access management service system further includes a confirmation unit configured to identify an online service that the first service system wants to use based on the scope information linked with the received code, and confirm whether the identified online service is included in online services that can be used by the first service system based on the received authentication information that is unique to the first service system; and
the access management service system further includes an issuance unit configured to issue an approval token if it is confirmed that the identified online service is included in the online services that can be used by the first service system,
wherein the first service system can use the second online service with the issued approval token,
wherein the first service system is configured to transmit another scope information to identify whether the user has an authority to approve that the first service system uses the second online service in addition to the scope information required to identify the second online service that the first service system wants to use, which has been transmitted to the client from the first service system, and
when the access management service system confirms whether the user operating the currently accessing client has the authority to use the second online service, the access management service system is configured to confirm an authority to use an online service linked with the received another scope information and confirm the authority to use the online service allocated to the user, which can be identified based on the authentication information having been input by the user, and
if it is confirmed that the authority to use the online service linked with the received another scope information is allocated to the user, the access management service system is configured to determine that the user operating the currently accessing client has the authority to use the second online service.
Dependent claims: 2, 3
4. An access management service system for a system for delegation of authority, wherein the system for delegation of authority comprises:
a first service system configured to provide a first online service;
a second service system configured to provide a second online service and configured to communicate with the first service system;
an access management service system configured to manage authentication information that is required to use the second service system; and
wherein the system for delegation of authority is configured to receive information from a client configured to be operated by a user who has registered authentication information required to use an online service that can be provided by the second service system,
the access management service system comprising:
a confirmation unit configured to receive the authentication information of the user and confirm whether the user can use the second online service based on the received authentication information of the user, and further configured to receive authentication information that is unique to the first service system and confirm whether the first service system can use the second online service based on the received authentication information that is unique to the first service system; and
an issuance unit configured to issue an approval token if it is confirmed that the user can use the second online service and if it is confirmed that the first service system can use the second online service,
wherein the first service system uses the issued approval token to use the second online service if it is necessary to use the second online service provided by the second service system in a process of responding to a processing request from the client operated by the user,
wherein the first service system is configured to transmit another scope information to identify whether the user has an authority to approve that the first service system uses the second online service in addition to a scope information required to identify the second online service that the first service system wants to use, which has been transmitted to the client from the first service system, and
when the access management service system confirms whether the user operating the currently accessing client has the authority to use the second online service, the access management service system is configured to confirm an authority to use an online service linked with the received another scope information and confirm the authority to use the online service allocated to the user, which can be identified based on the authentication information having been input by the user, and
if it is confirmed that the authority to use the online service linked with the received another scope information is allocated to the user, the access management service system is configured to determine that the user operating the currently accessing client has the authority to use the second online service.
5. A control method for a system for delegation of authority, the system comprising:
a first service system configured to provide a first online service;
a second service system configured to provide a second online service and configured to communicate with the first service system;
an access management service system configured to manage authentication information and approval tokens that are required to use a plurality of service systems including the second service system; and
wherein the system for delegation of authority is configured to receive information from a client configured to be operated by a user who has registered authentication information required to use online services that can be provided by the first service system and the second service system,
wherein a first redirect instruction unit of the first service system transmits scope information to the client to identify the second online service, if it is necessary to use the second online service provided by the second service system in a process of responding to a processing request from the client operated by the user, and transmits a message causing the client to access the access management service system;
an approval screen transmission unit of the access management service system confirms whether the user has an authority to use the second online service and, if it is confirmed that the user has the authority, transmits an approval screen to the client to enable the user to confirm whether to approve that the first service system uses the second online service;
a management unit of the access management service system issues a code required to issue an approval token if it is confirmed that the user has approved via the approval screen, and manages the issued code in such a way as to be linked with the scope information acquired when accessed by the client;
a second redirect instruction unit of the access management service system transmits the code to the client causing the client to access the first service system;
a transmission unit of the first service system transmits authentication information that is unique to the first service system and the code acquired when accessed by the client to the access management service system;
a confirmation unit of the access management service system identifies an online service that the first service system wants to use based on the scope information linked with the received code, and confirms whether the identified online service is included in online services that can be used by the first service system based on the received authentication information that is unique to the first service system; and
an issuance unit of the access management service system issues an approval token if it is confirmed that the identified online service is included in the online services that can be used by the first service system,
wherein the approval token issued by the first service system is usable to use the second online service and to realize a mashup service that causes the first online service and the second online service to cooperate with each other,
wherein the first service system is configured to transmit another scope information to identify whether the user has an authority to approve that the first service system uses the second online service in addition to the scope information required to identify the second online service that the first service system wants to use, which has been transmitted to the client from the first service system, and
when the access management service system confirms whether the user operating the currently accessing client has the authority to use the second online service, the access management service system is configured to confirm an authority to use an online service linked with the received another scope information and confirm the authority to use the online service allocated to the user, which can be identified based on the authentication information having been input by the user, and
if it is confirmed that the authority to use the online service linked with the received another scope information is allocated to the user, the access management service system is configured to determine that the user operating the currently accessing client has the authority to use the second online service.
6. A non-transitory computer readable medium encoded with instructions for an access management service comprising instructions for:
the access management service transmitting a first approval token to a first online service, the first approval token is associated with a particular user and a plurality of particular privileges accorded the particular user with a second online service;
the access management service receiving a verification request of the first approval token from the second online service;
the access management service verifying that the first approval token is associated with the plurality of particular privileges accorded the particular user with the second online service; and
the access management service transmitting a message to the second online service if the access management service positively affirms that the first approval token is associated with the plurality of particular privileges accorded the particular user with the second online service,
wherein a first service system is configured to transmit another scope information to identify whether the particular user has an authority to approve that the first service system uses the second online service in addition to a scope information required to identify the second online service that the first service system wants to use, which has been transmitted to the client from the first service system, and
when the access management service system confirms whether the user operating the currently accessing client has the authority to use the second online service, the access management service system is configured to confirm an authority to use an online service linked with the received another scope information and confirm the authority to use the online service allocated to the user, which can be identified based on the authentication information having been input by the user, and
if it is confirmed that the authority to use the online service linked with the received another scope information is allocated to the user, the access management service system is configured to determine that the user operating the currently accessing client has the authority to use the second online service.
Dependent claims: 7, 8
9. A non-transitory computer readable medium encoded with instructions for an access management service comprising instructions for:
the access management service transmitting a first approval token to a first online service, the first approval token is associated with a particular user and a plurality of particular privileges accorded the particular user with a second online service;
the access management service receiving a verification request of the first approval token from the second online service;
the access management service verifying that the first approval token is associated with the plurality of particular privileges accorded the particular user with the second online service; and
the access management service transmitting a message to the second online service if the access management service positively affirms that the first approval token is associated with the plurality of particular privileges accorded the particular user with the second online service,
wherein the access management service transmits the first approval token after:
the access management service receiving an authentication request from the first service;
the access management service transmitting the authentication request to a client of the particular user;
the access management service receiving authentication information from the client;
the access management service verifying the authentication information against information stored by the access management service about the particular user;
the access management service transmitting a request to the client of the particular user for approval of the first service to have access to the plurality of particular privileges accorded the particular user with the second online service;
the access management service receiving approval information from the client;
wherein the access management service transmits the first approval token to the first online service after receiving approval information from the client.
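The sequence set out in claims 1 and 9, as an added example in Python that is not part of the patent or of any product implementing it: an in-memory access management service that (a) decides the user's authority from the "another scope information" by checking that the service linked with it is allocated to the user, (b) issues a code linked with the requested scope once the user approves, (c) checks the cooperation-source service's own credentials and its entitlement to the requested service before issuing the approval token, and (d) answers the cooperation-destination service's verification request. All class and method names, the sample users, services and secrets are constructed for illustration. Making the code single-use and binding it to the client that began the flow are assumptions added here, not claim text.

```python
# Added example, not the patent's own code: an in-memory model of the access
# management service in claims 1 and 9. All names, sample users, services and
# secrets are constructed for illustration.
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Client:
    """A cooperation-source service (the 'first service system')."""
    client_id: str
    secret: str
    allowed_services: frozenset  # online services this client is entitled to use


@dataclass(frozen=True)
class User:
    user_id: str
    password: str
    allocated_services: frozenset  # online services allocated to this user


@dataclass
class AccessManagementService:
    users: dict = field(default_factory=dict)
    clients: dict = field(default_factory=dict)
    codes: dict = field(default_factory=dict)   # code  -> (user, client, scope)
    tokens: dict = field(default_factory=dict)  # token -> (user, client, scope)

    def authorize(self, user_id, password, client_id, service_scope, approval_scope):
        """Client arrives with both scopes; decide whether to show the approval screen.
        Per claim 1 the user's authority is determined by whether the service
        linked with approval_scope (the 'another scope') is allocated to the user."""
        user = self.users.get(user_id)
        if user is None or not hmac.compare_digest(user.password, password):
            raise PermissionError("user authentication failed")
        if client_id not in self.clients:
            raise PermissionError("unknown cooperation-source service")
        if approval_scope not in user.allocated_services:
            raise PermissionError("user lacks authority to approve delegation")
        return f"Allow {client_id} to use {service_scope} on your behalf?"

    def approve(self, user_id, client_id, service_scope, approved):
        """User answered the approval screen; issue a code linked with the scope."""
        if not approved:
            raise PermissionError("user denied the delegation")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (user_id, client_id, service_scope)
        return code  # handed to the client, which is redirected to the first service

    def issue_token(self, client_id, secret, code):
        """First service presents its own credentials plus the code. The service
        to use is recovered from the scope linked with the code and checked against
        the services the first service itself may use. Single-use codes bound to the
        initiating client are an assumption added here, not claim text."""
        client = self.clients.get(client_id)
        if client is None or not hmac.compare_digest(client.secret, secret):
            raise PermissionError("client authentication failed")
        entry = self.codes.pop(code, None)
        if entry is None:
            raise PermissionError("unknown or already used code")
        user_id, bound_client, service_scope = entry
        if bound_client != client_id:
            raise PermissionError("code was issued for a different client")
        if service_scope not in client.allowed_services:
            raise PermissionError("first service may not use that service")
        token = secrets.token_urlsafe(24)
        self.tokens[token] = (user_id, client_id, service_scope)
        return token

    def verify_token(self, token, service):
        """Claim 9: the second service asks whether the token carries the user's privileges for it."""
        entry = self.tokens.get(token)
        return entry is not None and entry[2] == service


def build_demo():
    """Constructed sample registry (not real users, services or secrets)."""
    ams = AccessManagementService()
    ams.users["alice"] = User("alice", "alice-pw", frozenset({"print", "approve-delegation"}))
    ams.users["bob"] = User("bob", "bob-pw", frozenset({"print"}))
    ams.clients["form-service"] = Client("form-service", "form-secret", frozenset({"print"}))
    ams.clients["chat-service"] = Client("chat-service", "chat-secret", frozenset({"calendar"}))
    return ams


def run_flow(ams, user_id, password, client_id, secret, service_scope):
    """Drive the whole sequence; return ("token", token) or ("refused", reason)."""
    try:
        ams.authorize(user_id, password, client_id, service_scope, "approve-delegation")
        code = ams.approve(user_id, client_id, service_scope, approved=True)
        return ("token", ams.issue_token(client_id, secret, code))
    except PermissionError as exc:
        return ("refused", str(exc))


if __name__ == "__main__":
    demo = build_demo()
    status, token = run_flow(demo, "alice", "alice-pw", "form-service", "form-secret", "print")
    print(status, "- verified by second service:", demo.verify_token(token, "print"))
    print(run_flow(demo, "bob", "bob-pw", "form-service", "form-secret", "print"))
    print(run_flow(demo, "alice", "alice-pw", "chat-service", "chat-secret", "print"))
```

The point worth noticing is that two independent checks gate the token: the user's authority (via the approval-authority scope) is checked before the approval screen, and the cooperation-source service's entitlement is checked again at token issuance, so a user approval alone never lets a service reach an online service it was not registered for, and a token is only honoured for the service the scope named.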
Specification